can we resign the already signed jars in java?

Asked 29/1, 2010 at 15:15 Answered 19/1, 2017 at 8:29

I've a .jar file with an old signature and want to resign it with a new signature. Is it possible?

If it is possible: how to do it?

Decode answered 29/1, 2010 at 15:15 Comment(0)

If the signature is not one you own, you would need to unjar the jar first.

Like so (assume unix, translate to dos otherwise):

jar xvf JarName.jar

rm -rf META-INF

jar cvf JarName.jar *

Now you need to run jarsigner to sign the jar

jarsigner -keystore /yourkeystoredirectory/mystore -storepass yourpass
      -keypass yourkeypasswd JarName.jar keyname

If you don't have a keystore, you can create one with keytool.

Lent answered 29/1, 2010 at 15:33 Comment(1)

"rm -rf META-INF" is an really bad idea. This delete important files like services directory too. – Respiratory 28/5, 2015 at 21:58

Remove files with ".SF" or ".RSA" extension from the META-INF folder inside the jar.
Delete signing checksums from META-INF/MANIFEST.MF: each "Name" and "SHA1-Digest" fields should be deleted from META-INF/MANIFEST.MF.

A more comprehensive documentation can be found on the oracle documentation: https://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html#Signed_JAR_File (for example there can be ".DSA" files in the META-INF folder, and files beginning with "SIG-" )

Despinadespise answered 19/1, 2017 at 8:29 Comment(0)

You can extract the class files and re-jar them with your signature

Wolves answered 29/1, 2010 at 15:19 Comment(0)