Signing Jars using signtool


I am trying to sign 3rd party jars using signtool on Solaris. The jars already have a manifest.mf file, but signtool creates a new MANIFEST.MF file in the META-INF/ directory and uses that to sign the jar. If I try to validate the signed jar, it fails because there are two different versions of the manifest file. If I copy what is in the current manifest.mf file to a MANIFEST.MF, signtool overwrites the data.

Is there any way to specify what file to use to sign the jar (e.g. manifest.mf over MANIFEST.MF)? Or is there a way to tell signtool what to include in the new MANIFEST.MF?

This is a pressing issue since the next update of Java requires jars to be signed as well as to include the permissions tag for applets.


There are 1 best solutions below


Dabbling only in one Applet I have to maintain, and not an expert myself, I found only sparse info on this topic. All I found was something in the cryptic documentation of the signtool argument "-m" (metafile). From https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Tools/signtool, I guessed "+ if you want to specify global metadata (that is, metadata about the JAR archive itself or all entries in the archive)" might be a cryptic reference to META-INF/MANIFEST.MF - and it seems to be.

Using anthill with build.xml, and knowing no better convention, I created a "src\antBuild\signtool-extras.mf" and used "-m {basedir}\src\antBuild\signtool-extras.mf" in my signtool invocation. The content I put in "signtool-extras.mf" starting with "+" was augmented into the signtool generated MANIFEST.MF.

In my case I added two lines "+ Permissions: all-permissions" and one identifying like "+ Application-Name: Cris Mooney FTP Applet". These showed up in the META-INF/MANIFEST.MF of the generated jar file, and this satisfied the current Java 1.7.0_55 engine. Also, contrary to what I read elsewhere, Java did not currently complain about no "codebase", which I know little about but elected to ignore because I expected my tool would then complain in QA and this has been enough of an undocumented pain.

Hope this helps someone, and I hope to hear clarifications and corrections to my guesses in the relative dark.

Note - my solution was to address these two Java 1.7.0_55 complaints:

Missing Permissions manifest attribute for: URL/FTPApplet.jar

Missing Application-Name manifest attribute for: URL/FTPApplet.jar
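
A post-signing check for the two failure modes on this page (manifests that differ only in case, and missing Permissions / Application-Name attributes), as an added example that is not part of the original question or answer. The function names and the sample JARs are constructed for illustration, and the third-party manifest is assumed to sit at META-INF/manifest.mf.

```python
import io
import zipfile

REQUIRED = ("Permissions", "Application-Name")  # attributes named in the answer

def parse_main_section(text):
    """Parse a manifest's main section (names lowercased, continuations joined)."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():                 # blank line ends the main section
            break
        if line.startswith(" ") and last:    # continuation of the previous value
            attrs[last] += line[1:]
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip().lower()      # attribute names are case-insensitive
            attrs[last] = value.strip()
    return attrs

def check_jar(jar_bytes):
    """Return a list of manifest problems for a signed JAR given as bytes."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifests = [n for n in jar.namelist() if n.upper() == "META-INF/MANIFEST.MF"]
        if len(manifests) > 1:               # the situation described in the question
            problems.append("multiple manifests: " + ", ".join(sorted(manifests)))
        if "META-INF/MANIFEST.MF" not in manifests:
            return problems + ["no META-INF/MANIFEST.MF entry"]
        attrs = parse_main_section(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
    for name in REQUIRED:
        if name.lower() not in attrs:
            problems.append("missing main attribute: " + name)
    return problems

def make_jar(entries):
    """Build a small constructed JAR (a ZIP archive) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, body in entries.items():
            jar.writestr(name, body)
    return buf.getvalue()

# Constructed samples: a JAR with both manifests, and one built with "+" metadata.
BAD_JAR = make_jar({"META-INF/manifest.mf": "Manifest-Version: 1.0\n",
                    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n\nName: A.class\n"})
GOOD_JAR = make_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"
                     "Permissions: all-permissions\n"
                     "Application-Name: Example Applet\n\nName: A.class\n"})

if __name__ == "__main__":
    for label, data in (("bad", BAD_JAR), ("good", GOOD_JAR)):
        print(label, check_jar(data))
```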