What does the "verify" parameter to java.util.jar.JarFile mean, precisely?


The constructors for the java.util.jar.JarFile take a verify parameter, whose only documentation seems to be this single phrase in the JavaDoc:

verify - whether or not to verify the jar file if it is signed.

This obviously isn't very precise, though. What does the verification process that JarFile does entail? Does it only verify the Jar file not to have been tampered with, or does it also, in some unspecified way, verify the signer certificates to be trusted? What happens if verification fails, or if the signature files are malformed? Is verification eager or lazy, &c&c?

I find it generally weird that such a procedure that seems so intimately connected to core Java security is so poorly documented, so I am concerned that this might be considered an "internal" API that I'm not really supposed to use. Is this the case, or have I perhaps just missed the external documentation somewhere, or is it just some weird oversight?


There is 1 answer

T.J. Crowder On BEST ANSWER

Probably worth looking at up to date documentation, rather than documentation from 2004. :-)

In the up-to-date documentation, it says:

If the verify flag is on when opening a signed jar file, the content of the file is verified against its signature embedded inside the file. Please note that the verification process does not include validating the signer's certificate. A caller should inspect the return value of JarEntry.getCodeSigners() to further determine if the signature can be trusted.
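An added example, not code from the question or the answer, showing what the quoted sentence implies a caller has to do: open the jar with `verify = true`, read every entry to the end so the lazy digest check actually runs, and then validate each signer's certificate path against a trust anchor you choose. The class name, `allEntriesTrusted`, the skip of `META-INF/` entries and the disabled revocation check are assumptions made for illustration.

```java
import java.io.File;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarTrustCheck {
    /** True only if every content entry is intact and signed by a chain that validates to trustedRoot. */
    static boolean allEntriesTrusted(File jar, X509Certificate trustedRoot) throws Exception {
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(trustedRoot, null)));
        params.setRevocationEnabled(false); // assumption for an offline check; enable revocation in production
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        byte[] buf = new byte[8192];
        try (JarFile jf = new JarFile(jar, true)) { // verify = true: digests are checked against the signature files
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                // Assumption: manifest and signature files live under META-INF/ and are not themselves signed
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Verification is lazy: the digest is compared while the entry's stream is read,
                // and a tampered entry surfaces as a SecurityException from read()
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain the stream to trigger the digest check */ }
                } catch (SecurityException tampered) {
                    return false;
                }
                // getCodeSigners() is null until the entry is fully read, and null for an unsigned entry;
                // a signed jar may still contain unsigned entries, so every entry is checked individually
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) return false;
                boolean trusted = false;
                for (CodeSigner s : signers) {
                    try {
                        validator.validate(s.getSignerCertPath(), params); // chain must lead to trustedRoot
                        trusted = true;
                        break;
                    } catch (CertPathValidatorException notTrusted) { /* try the next signer */ }
                }
                if (!trusted) return false;
            }
        }
        return true;
    }
}
```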