JAR signing stops someone from modifying a JAR, but what stops someone from swapping the JAR with their own that they've signed, or is unsigned?


I have a Java desktop application. I'm downloading and dynamically running JAR files. JAR signing protects me from someone modifying the JAR file that I've downloaded. How would I verify that my application only runs JARs that I've signed though?

Without ensuring that all JARs I'm running are signed by me, then isn't JAR signing still insecure for desktop use?

2

There are 2 answers

3
Mark Rotteveel BEST ANSWER

JAR signing is about verification by the one running the application that it hasn't been modified since it was signed. In addition, based on the certificate, you can check who signed it.

It does not protect against modification by the one running the application: they can strip out the signature, or they can sign it themselves, and if you have code in your application to verify the signature, they can also replace that code to perform no verification or verify against their certificate.

In other words, yes, you're right, it doesn't protect you from the scenario you have in mind. It is also not intended for that scenario (as in, it is not a form of DRM).

Whether or not you consider it safe for desktop use is, again, up to the person/company running the application. They can configure their security policy in such way to accept only certain signing certificates.

You may also want to read the Java tutorial Signing and Verifying JAR Files, especially the chapter Understanding Signing and Verification.
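One way to act on the "accept only certain signing certificates" point inside an application that loads downloaded JARs, as an added example that is not part of this answer: it pins the SHA-256 fingerprint of the publisher's own code-signing certificate (placeholder constant) and rejects the JAR unless every entry is signed by that certificate. It assumes Java 17 or later (for `HexFormat`) and that the fingerprint constant is replaced with the real one.

```java
import java.io.InputStream;
import java.nio.file.Path;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Collections;
import java.util.HexFormat;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public final class PinnedJarVerifier {
    // Placeholder: replace with the SHA-256 fingerprint printed by `keytool -printcert` for your own cert.
    private static final String PINNED_SHA256 = "<sha256 fingerprint of your signing cert>";

    /** Returns true only if every class/resource entry is signed by the pinned certificate. */
    public static boolean isSignedByPinnedCert(Path jarPath) throws Exception {
        // verify=true makes JarFile check each entry's digest against the signature file as it is read
        try (JarFile jar = new JarFile(jarPath.toFile(), true)) {
            byte[] buf = new byte[8192];
            for (JarEntry entry : Collections.list(jar.entries())) {
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue; // the manifest and signature files are not themselves signed entries
                }
                // getCodeSigners() is only populated after the entry has been read to the end;
                // a modified entry makes read() throw SecurityException instead.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    return false; // unsigned entry: a partly signed JAR is rejected as a whole
                }
                if (!Arrays.stream(signers).anyMatch(PinnedJarVerifier::isPinned)) {
                    return false; // signed, but by someone else's certificate
                }
            }
            return true;
        }
    }

    // Compares the leaf certificate of the signer's chain with the pinned fingerprint.
    private static boolean isPinned(CodeSigner signer) {
        try {
            byte[] der = signer.getSignerCertPath().getCertificates().get(0).getEncoded();
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
            return HexFormat.of().formatHex(digest).equalsIgnoreCase(PINNED_SHA256.replace(":", ""));
        } catch (Exception e) {
            return false;
        }
    }
}
```

As the answer points out, whoever runs the application can still remove this check, so it only defends against a substituted or tampered download, not against the local user.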

2
Snaps-a-Lot

Updating your Java client applications to use the Java Network Launching Protocol (JNLP), as implemented with the "Java Web Start" framework, would address your concerns. JNLP, originally implemented in Java 1.8, is not included in the OpenJDK. But you can use it with OpenJDK 11 and higher by incorporating the open source package OpenWebStart.

For each application, you would author an XML file with a JNLP extension which your users would run instead of executing jars directly. JNLP will then download the jars and execute them securely on the user's behalf.

To ensure that your jar files are not tampered with, you will need to sign them with a code signing certificate using Java's jarsigner utility as described on this SO posting:

Signing a jar file with trusted certificate for JWS deployment

To establish trust of your code signing certificate, OpenWebStart provides a way to import your code signing certificate PFX file to a trusted certificate store:

Importing certificates for use with OpenWebStart

At runtime, JNLP executes only jars that it downloads to its local cache and ensures they are signed with a trusted code signing signature. And that will protect your jars from tampering.