The constructors for the java.util.jar.JarFile take a verify parameter, whose only documentation seems to be this single phrase in the JavaDoc:
verify - whether or not to verify the jar file if it is signed.
This obviously isn't very precise, though. What does the verification process that JarFile does entail? Does it only verify that the Jar file has not been tampered with, or does it also, in some unspecified way, verify that the signer certificates are trusted? What happens if verification fails, or if the signature files are malformed? Is verification eager or lazy, &c&c?
I find it generally weird that such a procedure that seems so intimately connected to core Java security is so poorly documented, so I am concerned that this might be considered an "internal" API that I'm not really supposed to use. Is this the case, or have I perhaps just missed the external documentation somewhere, or is it just some weird oversight?
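The behaviour the question is asking about can be seen directly by driving the API. With verify=true, JarFile checks the per-entry digests in the manifest and the signature blocks that cover the manifest, and a digest mismatch surfaces as a SecurityException; that check is lazy (it happens only when an entry's bytes are actually read, so an entry that is never read is never verified); and nothing in JarFile decides whether the signer is trusted, which is why JarEntry.getCodeSigners() exists. The following is an added example, not code from the question or from the JDK, showing how a caller has to compensate: every entry is drained so verification actually runs, "no signer" is treated as a failure rather than relying on exceptions alone (so an unsigned entry added to a signed jar, or a signature file the JDK cannot parse, still fails closed), and the signing certificate is compared against a caller-supplied trust set. The class name, the Report type and the command-line file names are this example's own inventions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example (not from the question or the JDK): what JarFile's verify flag does and does not check. */
public class SignedJarCheck {

    /** Entries grouped by why they must not be trusted; an empty report means every entry passed. */
    public static final class Report {
        public final List<String> tampered = new ArrayList<>();        // digest mismatch -> SecurityException
        public final List<String> unsigned = new ArrayList<>();        // no signer at all; verify=true never complains
        public final List<String> untrustedSigner = new ArrayList<>(); // signed, but not by a certificate we trust

        public boolean allTrusted() {
            return tampered.isEmpty() && unsigned.isEmpty() && untrustedSigner.isEmpty();
        }
    }

    /** The manifest and the signature files in META-INF are never themselves covered by a signature. */
    static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF")
            || (n.startsWith("META-INF/")
                && (n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC")));
    }

    public static Report check(Path jarPath, Set<Certificate> trustedSigners) throws IOException {
        Report report = new Report();
        // verify=true makes JarFile compare entry digests against the signed manifest, but only
        // as entries are read: an entry that is never read is never verified.
        try (JarFile jar = new JarFile(jarPath.toFile(), true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureRelated(entry.getName())) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain: the digest is checked at end of stream */ }
                } catch (SecurityException tampered) {
                    report.tampered.add(entry.getName());
                    continue;
                }
                // Signers are populated only after the entry has been read to the end.
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    report.unsigned.add(entry.getName());
                    continue;
                }
                // JarFile never decides whether a signer is trusted; that is the caller's job.
                boolean trusted = false;
                for (CodeSigner signer : signers) {
                    Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
                    if (trustedSigners.contains(leaf)) {
                        trusted = true;
                        break;
                    }
                }
                if (!trusted) report.untrustedSigner.add(entry.getName());
            }
        }
        return report;
    }

    /** Usage: java SignedJarCheck some.jar trusted-signers.pem   (hypothetical file names) */
    public static void main(String[] args) throws Exception {
        Set<Certificate> trusted = new HashSet<>();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(Path.of(args[1]))) {
            trusted.addAll(cf.generateCertificates(in));
        }
        Report r = check(Path.of(args[0]), trusted);
        System.out.println("tampered:         " + r.tampered);
        System.out.println("unsigned:         " + r.unsigned);
        System.out.println("untrusted signer: " + r.untrustedSigner);
        System.exit(r.allTrusted() ? 0 : 1);
    }
}
```

The example pins the signer's leaf certificate by exact match, which is the simplest policy; a deployment that trusts a CA instead would run the signer's certificate path through java.security.cert.CertPathValidator against that anchor. Either way the point stands: verify=true tells you whether the bytes match what some signer signed, and nothing more, so expiry, revocation and who the signer is are all left to the caller.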
Probably worth looking at up-to-date documentation, rather than documentation from 2004. :-)
In the up-to-date documentation, it says: