I noticed that the keytool documentation reads "jarsigner [...] checks if the public key of this certificate is 'trusted', that is, it is contained in the specified keystore.", whereas the jarsigner man page says "A keystore is not required when verifying [...]" and that the utility will always check the certificate supplied with the jar. The way I see it, this can defeat the purpose, as it will only confirm that the jar has not been changed since it was signed, not that it was signed by any specific authority / vendor.
Is there a way to make verification complete if the certificate used to sign the jar is not known / trusted on the runtime system? Or do I need to use a script that calls jarsigner -verify -verbose -keystore ... and parses the output to see if there is an entry for the signing certificate in the local (runtime) keystore?
Confused, Peter
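One way to do this check in Java itself instead of parsing jarsigner output, as an added example that is not part of the original post: `java.util.jar.JarFile` in verifying mode rejects tampered entries, and the signer certificate chain of each entry is compared against a trust keystore with `KeyStore.getCertificateAlias`. The class name `TrustedJarCheck`, the argument order (jar, keystore, keystore password) and the choice to skip everything under `META-INF/` are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class TrustedJarCheck {

    /** Returns true only if every entry outside META-INF/ is signed and at least one
     *  certificate in its signer chain is present in the given trust keystore. */
    static boolean verifyAgainstKeystore(String jarPath, String ksPath, char[] ksPass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(ksPath)) {
            ks.load(in, ksPass);
        }
        // verify=true: signature digests are checked while entries are read;
        // a tampered entry throws SecurityException from the stream
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                // Assumption: manifest and signature files under META-INF/ are not checked here
                if (e.isDirectory() || e.getName().toUpperCase().startsWith("META-INF/")) continue;
                // getCertificates() is only populated after the entry has been read to the end
                try (InputStream es = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (es.read(buf) != -1) { }
                }
                Certificate[] certs = e.getCertificates();
                if (certs == null) return false; // unsigned entry: fail closed
                boolean trusted = false;
                for (Certificate c : certs) {
                    // getCertificateAlias matches the certificate value against every keystore entry
                    if (ks.getCertificateAlias(c) != null) { trusted = true; break; }
                }
                if (!trusted) return false; // signed, but by nobody in our keystore
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        boolean ok = verifyAgainstKeystore(args[0], args[1], args[2].toCharArray());
        System.out.println(ok ? "jar verified and signer trusted" : "jar NOT trusted");
        System.exit(ok ? 0 : 1);
    }
}
```

A `SecurityException` thrown while reading an entry means the content no longer matches its signature and should be treated as a failed verification as well.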