3-Apr-19 (Created: 3-Apr-19) | More in 'Android Avds, Install, Emulator'

Understanding self signed jar files

It is often, occasionally followed by a wave of hand, that one advises or talks of "jar" (packaged java files that makes up an application or module) files as being signed.

Few times we ask back: "What do you mean by signed"?

What does it mean for a jar file to be signed?

Does this signing has parallels to how we sign physical documents? Do they differ? How do they differ if they do?

How do you establish a "pattern? of understanding for digital signatures so that you treat the subject abstractly just like when someone says they signed a physical document?

Understanding first: Wine collector and his caskets of wine

Imagine you are a wine collector located in a very un-wine-like place such as Sahara desert. And farmers around the world are sending you wine caskets either to archive sell etc. For a moment think that they are not doing it for money. So they will not expecting anything in return.

What the wine collector notices is that each casket he receives and the wine inside it has a specific hue and color that is distinct from another. On further investigation she finds out that if two caskets or wine inside them has the same hue then it ALWAYS comes from the same farmer. On digging further the collector finds out that each farmer has a "SECRET HUE RECIPE? that she locks up in a cellar and never reveals. This explained why each wine is different and that if two wines have same hue they MUST COME from the same farmer.

So the hue becomes a signature of the farmer. And that the farmer hides the signature from everyone else. Like a family stamp.

An important distinction in this example is there is no way for the collector to know "WHICH? farmer sent the wine. For example there is no name, or address associated with that signature. Even if there were it is quite possible that another wine farmer could send by copying that address. The collector will then assume that these two wine caskets that came to her with the same address but clearly has two different hues, that there are two farmers at the same address with the same name but never the same wine.

Where do they differ from real signatures

When I or you sign a document and send it to say to IRS, IRS assumes that you are sending the right information such as phone and address and Social. If two applications are received with the social but signatures are distinct IRS will have to verify your signature with the card that THEY issued.

Same thing with banks. The banks have your signature to verify.

In cases where they don?t preregister your signature they will have to come to you as after the fact and verify the signature later.

It is also reasonable to assume that occasionally physical signatures can be forged. It is far far far harder to crack the digital encryption.

What is the pattern of understanding

So when someone says that they signed a jar file, it means that this jar file is uniquely colored and can be distinguished from other set of jar files UNIQUELY. However there is no way to identify the source developer or company with authenticity.

Such jar files are called self signed jar files.

To know the "SOURCE?, what you have to do is, have a third party company that the wine collector trusts tell us that the "color-red? comes from "Company1?. Now every time we see "color-red? then we know that it is from "Company1?. These are called third party signed jar files. These are useful in your browsers to tell you that you are downloading a file from company 1.

So how does one digitally sign?

The above semantics or understanding is technically implemented through what is called a Public/Private Key encryption. Mathematics has the ability (with great probability) to generate two numbers where by if you encode with the first number (private) then only the second number (public) can decrypt it. These keys are asymmetric. Even if everyone knows the public key there is NO way they can encrypt a message that the Public key can decrypt. Only its matching private key can do that.

So in essence when the wine farmer creates a code for his casket using the private key, she writes down the public key name on top of the casket and also the secret code on the casket. When the wine collector takes that public key and unravels the secret code, if she is successful then she knows that the "public? key is correct and the message is only encrypted by the farmer who wrote the public key.

There are two tools available in the java tool kit that helps with this:

The first one "keytool? generates the public/private keys given a password.

The second tool called "jarsigner? creates the secret code using the private key and the jar file data itself. This additional step of including the jar file contents enables the jar file being untampered.

Another example to solidify the signature understanding

When you visit a foreign land, you turn on the radio, and you hear many different songs. You can tell there are different singers and you can identify each separately but not know who they are or know their names. This is also self signing. When a friend of yours tells you a singer and associates to a voice you have heard that is third party signing.

Again one can imitate another singers voice to confuse or lull the listener to incompetence where as it is far far far harder to emulate a digital signature.


1. Signing android applications

2. My notes on understanding android apk files

3. A greate read from Sun/Oracle on keytool and signing