How can I unsign a jar?

Is there any way to unsign a Java jar file? I have some signed jars that I am trying to use in my development environment, but I get security exceptions, so I want to unsign these jars, and I can sign them later when I'm ready to deploy.

+19
java jar jar-signing
Oct 13 '11 at 16:09
6 answers

I do not know the answer, but here is what I would do:

  • Unzip the jar file or files in question (jars are just zips).
  • Look in the META-INF directory for anything that is not MANIFEST-MF.
  • Remove that stuff.
  • Open MANIFEST-MF and delete the signature-like material.
  • Rejar.
+25
Oct 13 '11 at 16:17

To remove a signature from a jar file, delete the META-INF directory from it. The jar file is a zip file, so on Linux you can do this:

 zip -d file.jar 'META-INF/*.SF' 'META-INF/*.RSA' 

If you have many jar files to unsign, the following command does this for every jar file in the current directory and below:

 find . -name '*.jar' -exec zip -d '{}' 'META-INF/*.SF' 'META-INF/*.RSA' ';' 
+8
Sep 17 '15 at 6:11

I see that the answer is already accepted, but I think it can be useful anyway:

I prepared something (partly from other posts) to automate the task.
Comes without any warranty, but it works for me :)
It copies the jar file while removing the signature information.
Please note that the MANIFEST is left with only the MAIN section!

Use javac JarUnsigner.java to create a .class file
Use java -cp <class dir> JarUnsigner <inJar> <outJar>

    import java.io.BufferedReader;
    import java.io.File;
    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    import java.util.Enumeration;
    import java.util.zip.ZipEntry;
    import java.util.zip.ZipFile;
    import java.util.zip.ZipOutputStream;

    public class JarUnsigner {

        private static final String MANIFEST = "META-INF/MANIFEST.MF";

        public static void main(String[] args) {
            if (args.length != 2) {
                System.out.println("Arguments: <infile.jar> <outfile.jar>");
                System.exit(1);
            }
            String infile = args[0];
            String outfile = args[1];
            if ((new File(outfile)).exists()) {
                System.out.println("Output file already exists:" + outfile);
                System.exit(1);
            }
            try {
                ZipFile zipFile = new ZipFile(infile);
                final ZipOutputStream zos = new ZipOutputStream(new FileOutputStream(outfile));
                for (Enumeration<? extends ZipEntry> e = zipFile.entries(); e.hasMoreElements();) {
                    ZipEntry entryIn = e.nextElement();
                    if (!exclude_file(entryIn.getName())) {
                        /* copy the entry as-is */
                        zos.putNextEntry(new ZipEntry(entryIn.getName()));
                        InputStream is = zipFile.getInputStream(entryIn);
                        byte[] buf = new byte[1024];
                        int len;
                        while ((len = is.read(buf)) > 0) {
                            zos.write(buf, 0, len);
                        }
                        is.close();
                        zos.closeEntry();
                    } else {
                        if (MANIFEST.equals(entryIn.getName())) {
                            /* if MANIFEST, adjust the entry */
                            zos.putNextEntry(new ZipEntry(MANIFEST));
                            // copy manifest entries until the first empty line,
                            // i.e. the 'MainAttributes' section
                            // (this method is used so as to keep the formatting exactly the same)
                            InputStream mIS = zipFile.getInputStream(entryIn);
                            // the manifest is UTF-8; do not rely on the platform default charset
                            BufferedReader in = new BufferedReader(new InputStreamReader(mIS, "UTF-8"));
                            String line = in.readLine();
                            byte[] mNL = "\n".getBytes("UTF-8");
                            while (line != null && !line.trim().isEmpty()) {
                                zos.write(line.getBytes("UTF-8"));
                                zos.write(mNL);
                                line = in.readLine();
                            }
                            zos.write(mNL);
                            in.close();
                            zos.closeEntry();
                        } else {
                            /* else: leave out the signature files */
                        }
                    }
                }
                zos.close();
                zipFile.close();
                System.out.println("Successfully unsigned " + outfile);
            } catch (IOException ex) {
                System.err.println("Error for file: " + infile);
                ex.printStackTrace();
                System.exit(1);
            }
        }

        /**
         * Exclude .SF signature file
         * Exclude .RSA and DSA (signed version of .SF file)
         * Exclude SIG- files (unknown sign types for signed .SF file)
         * Exclude Manifest file
         * @param filename name of the entry inside the jar
         * @return true if the entry must not be copied as-is
         */
        public static boolean exclude_file(String filename) {
            return filename.equals("META-INF/MANIFEST.MF")
                    || filename.startsWith("META-INF/SIG-")
                    || filename.startsWith("META-INF/")
                        && (filename.endsWith(".SF")
                            || filename.endsWith(".RSA")
                            || filename.endsWith(".DSA"));
        }
    }

Use in ANT to unsign a bunch of jars as follows:

    <apply executable="java" dest="${output-dir}">
        <arg value="-cp" />
        <arg value="${dev-dir}" />
        <arg value="JarUnsigner" />
        <srcfile/>
        <targetfile/>
        <fileset dir="${input-dir}" includes="*.jar"/>
        <mapper type="glob" from="*.jar" to="*.jar"/> <!-- uses "dest" -->
    </apply>
+4
Dec 17 '15 at 9:37

I successfully verified DwB's answer with a slight modification: as "Is there a quick way to delete a file from a Jar / war without having to extract the jar and recreate it?" states, deleting with the jar tool alone is not possible. I only needed to make a small change in a proprietary build script, and I did not want to rejar the entire jar.

I realized that unsigning was possible when I made just the important .RSA file zero-sized. This can be done with only the jar u command:

    cd %JAR_DIR%
    jar xvf myapp.jar META-INF/MYAPP.RSA
    type nul > META-INF/MYAPP.RSA
    jar uvf myapp.jar META-INF/MYAPP.RSA
    rmdir /S/Q META-INF
+1
Jul 10 '14 at 2:03

If the jars were developed by you, then they can be trusted and you probably don't need to sign them. However, if you received them from outside, you should investigate the cause of the security exceptions before using them.

0
Oct 13 '11 at 16:35

If you look at the jarsigner tool and what it does, it generates 3 things: 1) the .SF file (signature file), 2) the signature block file, based on the algorithm used (e.g. .RSA, .DSA, etc.), 3) a changed or newly created MANIFEST.MF file.

Summary: To "unsign a jar", simply delete the first 2 files (the .SF file and the .DSA/.RSA file). Then delete the MANIFEST.MF file, or open it and delete all the hashes listed for each .class and other file listed there.

So, if you delete EVERYTHING in the META-INF directory, you risk deleting other resources of the jar that may be required (for example, property files, etc.). This "shotgun approach" of removing everything that "looks like a signature" is harmful, and does not follow the principle: 1st do no harm (to your .jar).

see here: https://docs.oracle.com/javase/8/docs/technotes/tools/windows/jarsigner.html

https://docs.oracle.com/javase/tutorial/deployment/jar/intro.html

Understanding Signing and Verification

"... When you sign a JAR file, your public key is archived along with the corresponding certificate so that it is easily accessible for use by anyone who wants to verify your signature. ...

Digests and the Signature File

When you sign a JAR file, each file in the archive is assigned a digest entry in the archive manifest. Here is an example of what this entry looks like:

    Name: test/classes/ClassOne.class
    SHA1-Digest: TD1GZt8G11dXY2p4olSZPc5Rj64=

When the JAR file is signed, the signature file is automatically created and placed in the JAR file's META-INF directory, the same directory that contains the archive manifest. Signature files have file names with the extension .SF.

Signature Block File

In addition to the signature file, the signature block file is automatically placed in the META-INF directory when the JAR file is signed. Unlike a manifest file or a signature file, signature block files are not human readable.

The signature block file contains two elements necessary for verification:

  • The digital signature for the JAR file that was created using the private key of the signer.
  • A certificate containing the public key of the signer, which will be used by anyone who wants to verify the signed JAR file.

Typically, the names of the signature block files will have the extension .DSA, indicating that they were created using the default Digital Signature Algorithm. Other file name extensions are possible if keys associated with some other standard algorithm are used for signing."

0
May 23 '17 at 19:12
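
The approach from the last answer, as an added example that is not part of any answer above: remove only the signature files at the top level of META-INF, strip the digest attributes from the manifest, and leave every other META-INF resource in place. It goes slightly beyond the answers by also covering .EC signature blocks and by keeping per-entry manifest attributes that are not digests; all function names and the sample jar are constructed for illustration.

```python
import io
import re
import zipfile

# Signature files sit directly in META-INF/; anything deeper is an ordinary resource.
SIG_ENTRY = re.compile(r"^META-INF/(?:[^/]+\.(?:SF|RSA|DSA|EC)|SIG-[^/]*)$", re.I)
DIGEST_ATTR = re.compile(r"^[\w-]+-Digest(?:-[\w-]+)?:", re.I)

def strip_manifest_digests(manifest: bytes) -> bytes:
    """Drop *-Digest attributes and per-entry sections left with only a Name."""
    text = manifest.decode("utf-8").replace("\r\n", "\n")
    kept = []
    for i, section in enumerate(s for s in text.split("\n\n") if s.strip()):
        lines, skipping = [], False
        for line in section.strip("\n").split("\n"):
            if not line.startswith(" "):  # a leading space continues the previous attribute
                skipping = bool(DIGEST_ATTR.match(line))
            if not skipping:
                lines.append(line)
        if i == 0 or any(not l.startswith(("Name:", " ")) for l in lines):
            kept.append("\n".join(lines))
    return ("\n\n".join(kept) + "\n").encode("utf-8")

def unsign_jar(data: bytes) -> bytes:
    """Copy the jar, omitting signature files and cleaning the manifest."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if SIG_ENTRY.match(info.filename):
                continue
            body = src.read(info)
            if info.filename.upper() == "META-INF/MANIFEST.MF":
                body = strip_manifest_digests(body)
            dst.writestr(info, body)
    return out.getvalue()

def signature_entries(data: bytes) -> list:  # what a signature check would still find
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        return [n for n in jar.namelist() if SIG_ENTRY.match(n)]

def constructed_signed_jar() -> bytes:  # constructed sample: signed-jar layout, dummy contents
    files = {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nMain-Class: demo.Main\n\n"
             "Name: demo/Main.class\nSHA-256-Digest: ZHVtbXk=\n\n",
             "META-INF/DEMO.SF": "dummy", "META-INF/DEMO.RSA": "dummy",
             "META-INF/services/demo.Spi": "demo.Impl\n", "demo/Main.class": "dummy"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, body in files.items():
            jar.writestr(name, body)
    return buf.getvalue()
```

On a real jar, read the file's bytes, pass them to unsign_jar, write the result to a new file, and confirm with jarsigner -verify that the copy is reported as unsigned.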