I have a large Java application that is distributed as several jar files. I have looked at the manual for install4j, and some things are not clear. Does install4j verify the jars it downloads and installs? Which certificate is used to do this? Or is this something extra I have to do, either when creating the jars or installing them?
One of my co-workers pointed at some of our current code related to install4j and said "You need to verify the signed jars here." After looking at some of the console output, it appears that this might already be done by the product, but I am not sure. It makes sense to me that it would, but things that make sense to the uninitiated are often, well... you know. The only thing I get for sure out of the manual is that the installer itself is verified.
As of install4j 10.x, there are no built-in actions to download and verify JAR files. Installers include all files that should be installed, and verification is performed via the platform-dependent signing mechanisms for the entire installer.
Signing of JAR files is a concept in the JVM that is independent of install4j. You can sign JAR files and the JVM will verify them when they are loaded.
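As an added example that is not code from this answer or from install4j, the following check reads every entry of a JAR through a verifying `JarFile` and then requires each entry's code signers to include one pinned certificate, which is the kind of application-side check "verify the signed jars here" usually means. It assumes two arguments, the JAR path and a DER- or PEM-encoded signer certificate file; the class name and messages are my own.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Requires every content entry of a JAR to carry a valid signature from a pinned certificate. */
public final class SignedJarCheck {
    /** Returns null when the JAR passes, otherwise a description of the first problem found. */
    public static String verify(JarFile jar, X509Certificate pinned) throws IOException {
        byte[] buf = new byte[8192];
        for (JarEntry entry : Collections.list(jar.entries())) {
            if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                continue; // manifest and signature files are not themselves signed entries
            }
            // The signature is checked while the entry is read: a modified entry throws
            // SecurityException, and code signers become available only after EOF.
            try (InputStream in = jar.getInputStream(entry)) {
                while (in.read(buf) != -1) { /* consume to end of entry */ }
            } catch (SecurityException e) {
                return "signature mismatch on " + entry.getName() + ": " + e.getMessage();
            }
            CodeSigner[] signers = entry.getCodeSigners(); // null for an unsigned entry
            // The first certificate in a signer's path is the signing certificate itself
            if (signers == null || Arrays.stream(signers).noneMatch(
                    s -> s.getSignerCertPath().getCertificates().get(0).equals(pinned))) {
                return "not signed by the pinned certificate: " + entry.getName();
            }
        }
        return null;
    }

    // Usage (assumed arguments): java SignedJarCheck app.jar signer.cer
    public static void main(String[] args) throws Exception {
        X509Certificate pinned;
        try (InputStream in = Files.newInputStream(Paths.get(args[1]))) {
            pinned = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        try (JarFile jar = new JarFile(args[0], true)) { // true: verify signatures on read
            String problem = verify(jar, pinned);
            System.out.println(problem == null ? "OK: all entries signed by pinned certificate" : "FAIL: " + problem);
            System.exit(problem == null ? 0 : 1);
        }
    }
}
```

`JarFile` only checks that each signature matches the entry's contents; it neither rejects unsigned entries nor decides whether the signing certificate is one you trust, which is why the pinning comparison is done explicitly. Entries added to the JAR after signing show up with no code signers and fail this check.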