3

I have a zip file containing a number of jar files that is being downloaded from an HTTPS site.

The jars form a command line driven, server side application. I have a Java written application installer that does some checks to verify that the jars are signed using a particular trusted digital certificate and have not been modified during their transport.

Is it necessary to verify the jar files upon receipt, or is this something the JVM does anyway? I know the JVM verifies the byte code, but what about jar signing?

4

1 Answer

2

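It depends on how the jars are used.

If the jar ends up being loaded by a class loader, then the class loader may perform signature verification. If the class loader happens to be an instance of URLClassLoader, then it will perform signature verification.

If you use the JarFile class from the Java API to access the JAR, then using the simple constructors that accept a String or File argument will cause verification to be performed. Verification must be explicitly turned off if desired.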

Answered 2009-09-21T22:00:54.553
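
The JarFile verification mentioned in the answer only rejects signed entries whose digests no longer match; unsigned entries and entries signed by an unknown party are read without complaint. The following is an added example, not code from the question or the answer, of the check an installer still needs on top of that. The class name `JarSignerCheck`, the method `requireSignedBy` and the command-line arguments are hypothetical.

```java
import java.io.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignerCheck {
    // Files in META-INF/ that carry the signature itself and are never signed entries.
    private static final String SIG_FILES =
        "(?i)META-INF/(MANIFEST\\.MF|[^/]+\\.(SF|RSA|DSA|EC)|SIG-[^/]*)";

    /** Throws unless every entry verifies and was signed with a chain containing 'trusted'. */
    static void requireSignedBy(File jar, Certificate trusted) throws IOException {
        // verify=true is also the default of the String/File constructors.
        try (JarFile jf = new JarFile(jar, true)) {
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jf.entries())) {
                if (e.isDirectory() || e.getName().matches(SIG_FILES)) continue;
                // Digests are checked while reading; a modified signed entry
                // makes read() throw SecurityException.
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain to end of entry */ }
                }
                // Meaningful only after the entry was read fully; null = unsigned.
                Certificate[] certs = e.getCertificates();
                if (certs == null || !Arrays.asList(certs).contains(trusted)) {
                    throw new SecurityException(e.getName() + " in " + jar
                        + " is not signed by the trusted certificate");
                }
            }
        }
    }

    // Usage (both paths are supplied by the caller): java JarSignerCheck app.jar trusted.cer
    public static void main(String[] args) throws Exception {
        Certificate trusted;
        try (InputStream in = new FileInputStream(args[1])) {
            trusted = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        requireSignedBy(new File(args[0]), trusted);
        System.out.println("all entries signed by the trusted certificate");
    }
}
```

The match is by certificate equality anywhere in an entry's signer chain, so passing a CA certificate accepts anything that CA issued. Validity period and revocation are not checked here.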