Clearly myself and everyone who filed a bugrep asking for verifying that -verify on signjar could be used to programatically verify JAR files were working under the mistaken assumption that signjar changed its return value for unverified JARs. it doesnt, it returns 0.
thus the only way to verify a JAR is signed with that app is to check the output text; not good, not good at all.
I have popped off a note to the java security alias acusing myself of incomptence, on the grounds that surely the program must return an error code, it is only my ability to write good java code that is preventing me from picking it up, The unspoken message is that if I am not incompetent, they are :)
We'll see what response it gets. otherwise, what other tricks do we have to verify JARs on JREs of java1.2 onwards? We could load the JAR into a secure classloader, try to load something from it (the manifest?), then catch the resultant security exception.
has anyone done anything like that?
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
