The Java™ Tutorials
Verify the JAR File Signature
Trail: Security Features in Java SE
Lesson: Exchanging Files
Section: Steps for the Contract Receiver

Verify the JAR File Signature

Acting as Ruth, you have now imported Stan's public key certificate into the exampleruthstore keystore as a "trusted certificate." You can now use the jarsigner tool to verify the authenticity of the JAR file signature.

When you verify a signed JAR file, you verify that the signature is valid and that the JAR file has not been tampered with. You can do this for the sContract.jar file via the following command:

jarsigner -verify -verbose -keystore exampleruthstore sContract.jar 

You should see something like the following:

       183 Fri Jul 31 10:49:54 PDT 1998 META-INF/SIGNLEGAL.SF
       1542 Fri Jul 31 10:49:54 PDT 1998 META-INF/SIGNLEGAL.DSA
       0 Fri Jul 31 10:49:18 PDT 1998 META-INF/
smk    1147 Wed Jul 29 16:06:12 PDT 1998 contract

 s = signature was verified 
 m = entry is listed in manifest
 k = at least one certificate was found in keystore
 i = at least one certificate was found in identity scope

jar verified.

Be sure to run the command with the -verbose option to get enough information to ensure the following:

Previous page: Import the Certificate as a Trusted Certificate
Next page: Generating and Verifying Signatures