Java Web Start Sign library Jars

Question

I have a Java Web Start application that contains several JAR libraries. Now i need to sign the JAR in order to make it work via browser.

My question is: Besides the main Jar signing, do i need to sign every library JAR inside the app too?

Answer 1

Imagine if you had a farm and were raising valuable ostriches. To prevent the ostriches wandering off and being eaten by lions, you erect a fence around the farm. But unfortunately you only have enough fencing wire to put up a fence around 3 of the 4 sides of the farm. Would the Ostriches (and therefore your investment) be safe? Of course not.

It is the same principle with security. Any library Jar that is not digitally signed is a potential source of a security breach. Leading to the bottom line..

Every Jar in an app. must be digitally signed before the app. could be considered to be secure and trustworthy.

..if I sign libraries that are already signed will the new signature override the old one?

Not necessarily. From jarsigner docs: Multiple Signatures for a JAR File we see..

Multiple Signatures for a JAR File

A JAR file can be signed by multiple people by running the jarsigner command on the file multiple times and specifying the alias for a different person each time, as follows:

jarsigner myBundle.jar susan
jarsigner myBundle.jar kevin

When a JAR file is signed multiple times, there are multiple .SF and .DSA files in the resulting JAR file, one pair for each signature. In the previous example, the output JAR file includes files with the following names:

SUSAN.SF
SUSAN.DSA
KEVIN.SF
KEVIN.DSA