Tampering with signed binaries sounds pretty serious
It depends on how they're signed. A signature format that works on individual objects inside of an archive, rather than on a whole signed archive, seems crazy. In this case, it's a JAR file loader; doesn't seem like that big a deal?
If you want to have the archive contain the signature, you can’t sign the whole archive. Signed documents (docx, odf) work that way.
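An added example, not part of the thread or of any project's code: a simplified check of the per-entry model discussed above, where a manifest inside the archive lists a digest for each entry. It reports entries whose bytes no longer match and entries the manifest does not cover at all. Assumptions: JAR-style `Name:` / `SHA-256-Digest:` manifest fields without line wrapping, constructed sample data, and the signature over the manifest itself is not checked.

```python
import base64, hashlib, io, zipfile

MANIFEST = "META-INF/MANIFEST.MF"

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def build_archive(entries, extra=None):
    """Constructed sample: zip whose manifest lists one digest per entry.
    `extra` is written after the manifest is computed, so it can add an
    unlisted entry or replace the bytes of a listed one."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {b64_sha256(data)}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, "\r\n".join(lines))
        for name, data in {**entries, **(extra or {})}.items():
            zf.writestr(name, data)
    return buf.getvalue()

def parse_manifest(text):
    """Map entry name -> expected base64 SHA-256 digest."""
    digests, name = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(": ")
        if key == "Name":
            name = value
        elif key == "SHA-256-Digest" and name:
            digests[name] = value
    return digests

def audit(archive_bytes):
    """Return (modified, uncovered) lists of entry names."""
    modified, uncovered = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        digests = parse_manifest(zf.read(MANIFEST).decode())
        for info in zf.infolist():
            if info.filename == MANIFEST or info.is_dir():
                continue
            expected = digests.get(info.filename)
            if expected is None:
                # Per-entry digests say nothing about entries they do not list.
                uncovered.append(info.filename)
            elif b64_sha256(zf.read(info)) != expected:
                modified.append(info.filename)
    return modified, uncovered
```

A loader that trusts such an archive needs a policy for the `uncovered` list as well as the `modified` one, since only the second is caught by digest comparison.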