How do I unsign a jar?

java jar jar-signing

I don't know the answer, but here is what I would do:

  1. Unzip the jar file or files in question (jars are just zips)
  2. Look in the META-INF directory for something that was not MANIFEST-MF.
  3. Delete that stuff.
  4. Open the MANIFEST-MF and remove stuff that looked like it was signature related.
  5. rejar.

To remove the signature from a jar file, remove the META-INF directory from it. A jar file is a zip file so on Linux you can do this:

zip -d file.jar 'META-INF/*.SF' 'META-INF/*.RSA'

If you have many jar files to unsign, the following command performs this on every jar file in the current directory and below:

find . -name '*.jar' -exec zip -d '{}' 'META-INF/*.SF' 'META-INF/*.RSA' ';'

I see an answer is already accepted, but i think this might be usefull anyway:

i've cooked up something (partly from other posts) to automate the task.
Comes with No warranty whatsoever, but it works for me :)
Copies the Jar file while removing the signature information.
Note, the MANIFEST is only left with the MAIN section!

Use javac JarUnsigner.java to create the .class file
Use java -cp <class dir> JarUnsigner <inJar> <outJar>

import java.io.BufferedReader;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.util.Enumeration;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import java.util.zip.ZipOutputStream;

public class JarUnsigner {
  
  private static final String MANIFEST = "META-INF/MANIFEST.MF";
  
  public static void main(String[] args){

    if (args.length!=2){
      System.out.println("Arguments: <infile.jar> <outfile.jar>");
      System.exit(1);
    }
    String infile = args[0];
    String outfile = args[1];
    if ((new File(outfile)).exists()){
      System.out.println("Output file already exists:" + outfile);
      System.exit(1);
    }
    try{
      ZipFile zipFile = new ZipFile(infile);
      final ZipOutputStream zos = new ZipOutputStream(new FileOutputStream(outfile));
      for (Enumeration e = zipFile.entries(); e.hasMoreElements();) {
        ZipEntry entryIn = (ZipEntry) e.nextElement();

        if (! exclude_file( entryIn.getName() ) ) {

          /* copy the entry as-is */
          zos.putNextEntry( new ZipEntry( entryIn.getName() ));
          InputStream is = zipFile.getInputStream(entryIn);
          byte[] buf = new byte[1024];
          int len;
          while ((len = (is.read(buf))) > 0) {
            zos.write(buf, 0, len);
          }
          zos.closeEntry();

        } else {

          if (MANIFEST.equals(entryIn.getName())){
            /* if MANIFEST, adjust the entry */
            zos.putNextEntry(new ZipEntry(MANIFEST));

            // manifest entries until first empty line. i.e. the 'MainAttributes' section
            // (this method is used so to keep the formatting exactly the same)
            InputStream mIS = zipFile.getInputStream(entryIn);
            BufferedReader in = new BufferedReader(new InputStreamReader(mIS));
            String line = in.readLine();
            byte[] mNL = "\n".getBytes("UTF-8");
            while( line != null && !line.trim().isEmpty() ) {
              zos.write( line.getBytes("UTF-8"));
              zos.write( mNL );
              line = in.readLine();
            }
            zos.write( mNL );
            zos.closeEntry();

          }else{
            /* else: Leave out the Signature files */
          }

        }

      }
      zos.close();
      System.out.println("Successfully unsigned " + outfile);
      
    }catch(IOException ex){
      System.err.println("Error for file: " + infile);
      ex.printStackTrace();
      System.exit(1);
    }
  }

  /**
   * Exclude .SF signature file
   * Exclude .RSA and DSA (signed version of .SF file) 
   * Exclude SIG-  files  (unknown sign types for signed .SF file)
   * Exclude Manifest file
   * @param filename
   * @return 
   */
  public static boolean exclude_file(String filename){
    return filename.equals("META-INF/MANIFEST.MF") ||
           filename.startsWith("META-INF/SIG-") || 
           filename.startsWith("META-INF/") && ( filename.endsWith(".SF") || filename.endsWith(".RSA") || filename.endsWith(".DSA") );
  }
  
}

Use in ANT to unsign a bunch of jars as follows:

<apply executable="java" dest="${output-dir}"> 
    <arg value="-cp" />
    <arg value="${dev-dir}" />
    <arg value="JarUnsigner" />
    <srcfile/> 
    <targetfile/>
    <fileset dir="${input-dir}" includes="*.jar"/> 
    <mapper type="glob" from="*.jar" to="*.jar"/> <!-- uses "dest"-->
</apply>

I successfully verified DwB's answer with small modification: As Is there a quick way to delete a file from a Jar / war without having to extract the jar and recreate it? states, deleting just from jar tool is not possible. I needed to make only small change in proprietary build script and I didn't want to rejar whole jar.

I realized unsign was possible when I only made important .RSA file zero-sized. This can be accomplished only with jar u command:

cd %JAR_DIR%
jar xvf myapp.jar META-INF/MYAPP.RSA
type nul > META-INF/MYAPP.RSA
jar uvf myapp.jar META-INF/MYAPP.RSA
rmdir /S/Q META-INF

Related

Antialiasing not working in Three.js
Save data to local storage
Android Horizontal LinearLayout - Wrap Elements [duplicate]
Type inference on method return type
SWI-Prolog - show long list
How to prefix a positive number with plus sign in PHP
How do I convert a string into an executable line of code in Javascript?
Saving image from url using Picasso?
"End of script output before headers" error in Apache
Error : No resource found that matches the given name (at 'icon' with value '@drawable/icon')
DocumentBuilder.parse(InputStream) returns null
how copy from one stringstream object to another in C++?