I've been doing some JAR signing work in ant; a <verifyjar> task to go
alongside <signjar>. I had intended it to be a precursor to library
verification in Ant after download.

The summary is: 'signjar -verify' is a worthless bit of code; it
doesn't change its exit code when a JAR is unsigned, it doesn't even
change its success text "JAR verified." when a JAR is signed by
someone you don't trust. There is no way to validate (pre-Java1.5) a
JAR except by trying to load it in a secure classloader, and even
then, the loading code doesn't know what the result is, it is only the
loaded code, which finds it in a sandbox. The best bit: untrusted data
is still accessible by trusted code, without being able to check on
the value of that data.

There is no point in even making JAR signing/verifying an option for
validating jar files. It won't work, it will only lull people into
insecurity.

-steve
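As an added illustration of the check the post says the signing tools do not make (this is example code, not part of the original message or of Ant's signjar/verifyjar tasks), the following opens a JAR with verification enabled, drains every entry so the digest and signature checks actually run, and then decides trust itself by requiring each entry's signer certificates to include one from a caller-supplied trusted set. It assumes Java 5 or later, a hypothetical class name TrustedJarCheck, and that the caller builds the trusted set from certificates it has obtained out of band.

```java
import java.io.InputStream;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Example only: verifies a JAR and decides signer trust locally instead of trusting tool output. */
public class TrustedJarCheck {

    /** Manifest and signature block files are not themselves covered by a signature. */
    private static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF")
            || (n.startsWith("META-INF/") && (n.endsWith(".SF") || n.endsWith(".RSA")
                || n.endsWith(".DSA") || n.endsWith(".EC")));
    }

    /**
     * Returns true only if every file entry is signed and at least one certificate in its
     * signer chain is in the trusted set. A tampered entry makes JarFile throw SecurityException.
     */
    public static boolean allEntriesSignedByTrusted(String jarPath, Set<Certificate> trusted)
            throws Exception {
        JarFile jar = new JarFile(jarPath, true); // verify=true: check digests while reading
        try {
            byte[] buf = new byte[8192];
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                if (entry.isDirectory() || isSignatureRelated(entry.getName())) {
                    continue;
                }
                // Certificates are only populated once the entry has been read to the end
                InputStream in = jar.getInputStream(entry);
                try {
                    while (in.read(buf) != -1) { /* drain to trigger verification */ }
                } finally {
                    in.close();
                }
                Certificate[] certs = entry.getCertificates();
                if (certs == null || certs.length == 0) {
                    return false; // unsigned entry: the JAR is not fully signed
                }
                boolean trustedSigner = false;
                for (Certificate c : certs) {
                    if (trusted.contains(c)) { trustedSigner = true; break; }
                }
                if (!trustedSigner) {
                    return false; // signed, but by nobody in the trusted set
                }
            }
            return true;
        } finally {
            jar.close();
        }
    }
}
```

The decision is taken from the return value rather than from any "jar verified." text, so an unsigned entry, a signature by an unknown party, and a modified entry are all distinguishable by the caller.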
