I'm not sure what "verification" you are referring to but let me try answering that question assuming it means what I think it does.
When you create a certificate, you can put anything you like in those places. It's just information. No verification takes place, as far as I know. And if the jar is part of a web application, there's nothing to look at the certificate anyway. That would only happen when the Java environment on the client side had to use the jar file to run an applet or a Java Web Start application.
And if you were talking about the client-side situation, the verification is done by the user. The browser plugin pops up a security box saying "This application was signed by Tom Landry, do you want to run it?" and it's up to the user to say yea or nay to that.
That's if you create your own certificate and sign it. If you get a certificate from one of the companies that sell them, and use that to sign your jar, then the browsers already have that certificate in their trust store and they'll give you a much less scary security box.
Are we going in the right direction with that answer?
That actually does help.
I do recall running an application that was failing, and after reviewing the error stack it stated the jar file was not signed.
If it is the client that is doing the verification, how would it know whether or not a given application is to be signed or not?
Tom Landry wrote: If it is the client that is doing the verification, how would it know whether or not a given application is to be signed or not?
Usually the client doing the verification is a human being. So it's up to that human to decide whether they approve of what they see of the signed jar.
If you're asking about a hypothetical situation where an application would (in an automated way) check whether a jar was signed or not, then presumably it was programmed to do that check. It may be that there was supposed to be a client certificate in place, or something like that, but that may or may not have anything to do with the situation you observed.
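The automated check mentioned in the last reply could look like the following. This is an added example, not code from the thread or from any poster. It opens a jar with verification enabled and reports whether every payload entry carries a code signer. The class name `JarSignedCheck`, its helper methods and the constructed unsigned sample jar are assumptions made for illustration.

```java
import java.io.*;
import java.nio.file.*;
import java.security.CodeSigner;
import java.util.*;
import java.util.jar.*;

public class JarSignedCheck {
    // Files under META-INF that hold the signature itself are never signed entries.
    static boolean isSignatureRelated(String name) {
        String u = name.toUpperCase(Locale.ROOT);
        if (!u.startsWith("META-INF/") || u.indexOf('/', 9) != -1) return false;
        return u.equals("META-INF/MANIFEST.MF") || u.endsWith(".SF") || u.endsWith(".RSA")
                || u.endsWith(".DSA") || u.endsWith(".EC") || u.startsWith("META-INF/SIG-");
    }

    // True only if every payload entry verifies and carries at least one code signer.
    static boolean isFullySigned(Path jar) throws IOException {
        try (JarFile jf = new JarFile(jar.toFile(), true)) { // true = verify while reading
            boolean sawPayload = false;
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jf.entries())) {
                if (e.isDirectory() || isSignatureRelated(e.getName())) continue;
                sawPayload = true;
                // Signers are populated only after the entry is read to the end;
                // a digest mismatch surfaces as SecurityException during the read.
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                } catch (SecurityException tampered) {
                    return false;
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) return false;
            }
            return sawPayload;
        }
    }

    public static void main(String[] args) throws IOException {
        Path jar = args.length > 0 ? Paths.get(args[0]) : Files.createTempFile("sample", ".jar");
        if (args.length == 0) {
            // Constructed sample input: an unsigned jar with a single entry.
            try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(jar))) {
                out.putNextEntry(new JarEntry("hello.txt"));
                out.write("constructed sample".getBytes("UTF-8"));
                out.closeEntry();
            }
        }
        System.out.println(jar + " fully signed: " + isFullySigned(jar));
    }
}
```

A `true` result means the entries are intact and signed by someone. It does not mean the signer is trusted, so a jar signed with a self-signed certificate passes as well.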