Understanding JAR signing
The following link says that the public key that corresponds to the private key used to sign the JAR is placed in the JAR, along with its certificate.
http://java.sun.com/docs/books/tutorial/deployment/jar/intro.html
I have a couple of questions: are both the public key and certificate in the DSA file? (The document makes it seem like the public key and its certificate are separate, but doesn't the certificate contain the public key it's certifying?)
Are the only two ways for the public certificate to be trusted either importing it into the "cacerts" file or into another keystore specified in the jarsigner -verify command? (In the cacerts case, could you just omit the options relating to the keystore?)
Why are the SHA1-Digest values different in MANIFEST.MF and the SF file for a given file within the JAR?
What's the difference between the SHA1-Digest-Manifest and SHA1-Digest-Manifest-Main-Attributes values in the SF files?
Thanks.
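An added example, not from the question or from the JDK's own code, that reconstructs in Python how the digests asked about in the last two questions are formed: the manifest's SHA1-Digest is computed over a file's contents, while the SF file's SHA1-Digest for the same entry is computed over that entry's section of the manifest; SHA1-Digest-Manifest covers the whole manifest and SHA1-Digest-Manifest-Main-Attributes only its main section. The sample entries and the Created-By value are constructed, and the 72-byte line-wrapping rule is omitted.

```python
import base64
import hashlib

# Constructed sample JAR entries (name -> file bytes), not from the original post.
SAMPLE_ENTRIES = {
    "com/example/Main.class": b"\xca\xfe\xba\xbe constructed class bytes",
    "resources/config.properties": b"mode=prod\n",
}

def b64_sha1(data: bytes) -> str:
    # Attribute values are the base64 of the raw SHA-1 digest.
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")

def build_manifest(entries: dict) -> bytes:
    # MANIFEST.MF: main section, then one section per entry whose SHA1-Digest
    # is over the entry's FILE CONTENTS. CRLF line ends, blank line between
    # sections; the 72-byte line wrapping rule is omitted here (assumption).
    main = "Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n"
    sections = "".join(f"Name: {n}\r\nSHA1-Digest: {b64_sha1(d)}\r\n\r\n"
                       for n, d in entries.items())
    return (main + sections).encode("utf-8")

def manifest_sections(manifest: bytes):
    # Split into (main section bytes, {entry name: section bytes}); every
    # section keeps its terminating blank line because that is what gets hashed.
    parts = [p + b"\r\n\r\n" for p in manifest.split(b"\r\n\r\n") if p]
    per_entry = {p.split(b"\r\n")[0].split(b": ", 1)[1].decode(): p for p in parts[1:]}
    return parts[0], per_entry

def build_signature_file(manifest: bytes) -> dict:
    # .SF digests: the whole manifest, the main attributes alone, and per entry
    # the digest of that entry's MANIFEST SECTION TEXT, not of the file bytes.
    main, per_entry = manifest_sections(manifest)
    return {
        "SHA1-Digest-Manifest": b64_sha1(manifest),
        "SHA1-Digest-Manifest-Main-Attributes": b64_sha1(main),
        "entries": {n: b64_sha1(s) for n, s in per_entry.items()},
    }

def verify_entry(manifest: bytes, sf: dict, name: str, file_bytes: bytes) -> bool:
    # Two-link chain: SF digest must match the manifest section, and the
    # manifest's SHA1-Digest must match the actual file contents.
    _, per_entry = manifest_sections(manifest)
    section = per_entry[name]
    if sf["entries"].get(name) != b64_sha1(section):
        return False
    recorded = section.split(b"SHA1-Digest: ", 1)[1].split(b"\r\n", 1)[0].decode()
    return recorded == b64_sha1(file_bytes)
```

The signature block (the DSA/RSA file) then signs the SF file, so a changed class breaks the manifest digest, a changed manifest breaks the SF digest, and a changed SF breaks the signature. Current jarsigner releases default to SHA-256 attributes; the structure is the same with SHA1 replaced in the attribute names.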

