12

I am using the Bouncy Castle provider for AES encryption. I need to create a fat jar from bc and my jar, but as soon as I do it I get an Algorithm not found exception. Is it possible to get rid of the signature and create a regular jar out of it?

My build process is:

  • I unzip all jars into my build directory.
  • then remove the META-INF directory
  • compile my application
  • jar it using ant

I get the error when I try to use

SecretKeyFactory.getInstance(algorithm);

The algorithm is PBEWITHSHA256AND128BITAES-CBC-BC from Bouncy Castle.

Amir
Hamza Yerlikaya
  • Not enough information. *Exactly* when do you get the error? *Exactly* what is the error message? Martin is right about the SF/DSA files, plus you may also have to remove digests from MANIFEST.MF. It's not a good idea to remove the META-INF directory completely (not sure it's a valid JAR without manifest) – Vinay Sajip Aug 18 '09 at 08:09

7 Answers

18

To remove the signature from a jar file, remove the META-INF directory from it. A jar file is a zip file so on Linux you can do this:

zip -d file.jar 'META-INF/*.SF' 'META-INF/*.RSA'
martinhans
12

When you sign a jar file, new files get added to the META-INF directory, e.g. "MKSIGN.SF" and "MKSIGN.DSA". Just remove them from the jar file (with any zip utility), and you have it unsigned.

Martin v. Löwis
  • I completely remove the META-INF directory, still I get the no algorithm exception – Hamza Yerlikaya Aug 18 '09 at 06:04
  • 3
    This is not practical. When your certificate expires and you need to re-sign 40 jars in that "lib" folder doing this one-by-one would be a pain. – oᴉɹǝɥɔ Oct 14 '13 at 20:47
  • cherio, this is still the answer, you might want to automate it programmatically if you have 40 to unsign. But instead of re-signing a jar in place, sign it to a different dir to avoid this issue. – jzd Oct 17 '13 at 14:42
  • @cherio for precisely that reason, if you also timestamp when signing then you don't need to resign them after your certificate expires. – Kinjal Dixit Oct 07 '15 at 10:59
0

You have to remove signature files from signed jar. Change its extension to zip, remove signature files, and change back to jar. Since now that jar is no longer unsigned.

norbi771
0

I followed the code from the Maven jar signer plugin and removed all signing files and also the checksums from the MANIFEST.MF:

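# Delete the signature files, then cut MANIFEST.MF at the first per-class entry
# (GNU sed: Q quits without printing the matching line).
find . -type f \( \( -name "*.RSA" -o -name "*.SF" \) -o \( -name "*.EC" -o -name "*.DSA" \) \) -print0 | xargs -0 --no-run-if-empty rm -rf
sed -i '/^Name: .*\.class/Q' MANIFEST.MF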
jan
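The cleanup that jan's answer and Vinay Sajip's comment describe (delete the signature files, then strip the digests from MANIFEST.MF), as an added Python example that is not part of any answer on this page. `unsign_jar`, `strip_manifest_digests` and `build_sample_jar` are hypothetical names and the sample jar is constructed; it goes slightly beyond the sed one-liner by keeping per-entry attributes that are not digests.

```python
import io
import re
import zipfile

# Jar signature entries: META-INF/*.SF, *.RSA, *.DSA, *.EC and META-INF/SIG-*.
SIG_ENTRY = re.compile(r"META-INF/([^/]+\.(SF|RSA|DSA|EC)|SIG-[^/]*)", re.I)
DIGEST_ATTR = re.compile(r"[^:]+-Digest(-[^:]+)?:", re.I)

def strip_manifest_digests(manifest: bytes) -> bytes:
    """Drop *-Digest attributes and entry sections left with only Name:."""
    text = manifest.decode("utf-8").replace("\r\n", "\n").strip("\n")
    out = []
    for i, section in enumerate(re.split(r"\n{2,}", text)):
        kept, dropping = [], False
        for line in section.split("\n"):
            if not line.startswith(" "):  # a leading space continues the previous attribute
                dropping = DIGEST_ATTR.match(line) is not None
            if not dropping:
                kept.append(line)
        # Keep the main section (i == 0) and entry sections with attributes besides Name:.
        if i == 0 or any(not l.startswith(("Name:", " ")) for l in kept):
            out.append("\r\n".join(kept))
    return ("\r\n\r\n".join(out) + "\r\n").encode("utf-8")

def unsign_jar(src, dst) -> list:
    """Copy jar src to dst without signature entries; return the names removed."""
    removed = []
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if SIG_ENTRY.fullmatch(info.filename):
                removed.append(info.filename)
                continue
            data = zin.read(info)
            if info.filename.upper() == "META-INF/MANIFEST.MF":
                data = strip_manifest_digests(data)
            zout.writestr(info, data)
    return removed

def build_sample_jar() -> bytes:
    """Constructed sample laid out like a signed jar (signature bytes are fake)."""
    manifest = ("Manifest-Version: 1.0\r\nMain-Class: demo.App\r\n\r\n"
                "Name: demo/App.class\r\nSHA-256-Digest: AAAA\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/MKSIGN.SF", "Signature-Version: 1.0\r\n")
        z.writestr("META-INF/MKSIGN.DSA", b"\x00fake")
        z.writestr("demo/App.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

`src` and `dst` may be paths or file objects, and `dst` must be a different file from `src`. Removing the signature only removes what the JVM verifies; as Jeff's answer on this page suggests, a provider jar such as Bouncy Castle may still not work once unsigned.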
0

You may be running into a specific issue with Bouncy Castle jars. Bouncy Castle implements the Cryptographic Service Provider interface and as such may be using a self-verification technique presented in the technotes of Java's documentation.

In the case of Bouncy Castle, the "fat jar" technique may not be possible. You could use an alternative class loading approach that would load the intact Bouncy Castle jars from within your own jar (using the jar://path/to/jar!/path/within/jar syntax with a URLClassLoader) but I have not tried this and it may not be right for your needs.

Jeff
0

Other answers mention using a zip utility. This answer shows that the Java Platform Standard Edition Tools jar utility can do this also.

Remove signature files from a jar file by removing the META-INF directory content from it:

mkdir tmp
cd tmp
jar -xvf ../signed.jar
rm -f META-INF/*

Repackage the files, without signature files, back into a new .jar file:

jar -cvf ../unsigned.jar .

When the jar file content is coordinated around an .xml file in the top-level of the extracted jar file content, sometimes it is feasible to rebuild a jar file like this:

jar -cvf ../rebuilt.jar my.xml 
kbulgrien
-1

I put together a Perl script which I use in production to remove JAR signatures. Just pass the folder with jars as an argument. This works in Linux. It may work with Cygwin though I haven't tested it in Windows.

https://docs.google.com/document/d/1B1uEUIiuxh7WdPldD9rUun3COAefjczfdJTMWEecE1g/edit?usp=sharing

oᴉɹǝɥɔ