From: Roedy Green
Newsgroups: comp.lang.java.security
Subject: Re: understanding signing.
Date: Wed, 09 Apr 2014 17:58:37 -0700
Organization: Canadian Mind Products

On Wed, 09 Apr 2014 03:55:53 -0700, Roedy Green wrote, quoted or indirectly quoted someone who said :

>Is there a tool you can feed a jar to and it will tell you if the jar
>is signed, who signed it, is it timestamped, and when it was
>timestamped.

I have looked at a jar that was timestamped and not timestamped. The
only difference seems to be the values of the .SF digests. No sign of
the timestamper or the fact it was timestamped. Perhaps that just
signed the digests twice.

--
Roedy Green Canadian Mind Products http://mindprod.com
"Don't worry about people stealing an idea; if it's original, you'll
have to shove it down their throats."
~ Howard Aiken (born: 1900-03-08 died: 1973-03-14 at age: 73)
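
Added example, not part of the original post: a small Java program that reports what the quoted question asks for, using the JDK's own `JarFile`, `CodeSigner` and `java.security.Timestamp` classes, which read the signer and any timestamp token from the PKCS#7 signature block file (`META-INF/*.RSA`, `*.DSA` or `*.EC`) rather than from the `.SF` file. The class name `JarSignerReport` is hypothetical, and skipping everything under `META-INF/` is a simplification.

```java
import java.io.File;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Hypothetical helper class: lists signers and timestamps of a JAR.
public class JarSignerReport {
    static String subject(java.security.cert.CertPath path) {
        // First certificate in the path is the end-entity (signer or TSA) certificate.
        return ((X509Certificate) path.getCertificates().get(0)).getSubjectX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java JarSignerReport <file.jar>");
            System.exit(2);
        }
        Set<CodeSigner> signers = new LinkedHashSet<>();
        int unsigned = 0;
        // verify=true: digests and signatures are checked as each entry is read.
        try (JarFile jar = new JarFile(new File(args[0]), true)) {
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are only known after the entry is read to the end;
                // a modified entry throws SecurityException here.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] cs = e.getCodeSigners();
                if (cs == null) unsigned++; else Collections.addAll(signers, cs);
            }
        }
        System.out.println("signed: " + !signers.isEmpty() + ", entries without a signer: " + unsigned);
        for (CodeSigner s : signers) {
            System.out.println("signer: " + subject(s.getSignerCertPath()));
            Timestamp ts = s.getTimestamp(); // null when the signature carries no timestamp
            System.out.println(ts == null ? "  timestamp: none"
                : "  timestamped: " + ts.getTimestamp() + " by " + subject(ts.getSignerCertPath()));
        }
    }
}
```

This checks that the signatures match the JAR contents; it does not decide whether the signer's or the timestamp authority's certificate chain is trusted.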