The library extends the standard ZipOutputStream with SHA-256 signatures and trusted timestamps.
A signed ZIP archive can be verified with jarsigner.
Requirements:
- Java 8+
Add the Maven dependency:
    <dependency>
        <groupId>eu.noleaks</groupId>
        <artifactId>zips</artifactId>
        <version>1.0.1</version>
    </dependency>
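Create a self-signed archive:
    // Load the signing key; the keystore path, alias and password are placeholders
    char[] password = "changeit".toCharArray();
    KeyStore keyStore = KeyStore.getInstance("PKCS12");
    try (InputStream in = new FileInputStream("keystore.p12")) {
        keyStore.load(in, password);
    }
    KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry)
            keyStore.getEntry("signer", new KeyStore.PasswordProtection(password));

    FileOutputStream archive = new FileOutputStream("signed.zip");
    URL tsa = new URL("http://rfc3161timestamp.globalsign.com/advanced"); // RFC 3161 timestamp authority
    try (SignedZipOutputStream stream = new SignedZipOutputStream(archive, privateKeyEntry, tsa)) {
        String lorem = "Lorem ipsum dolor sit amet";
        ZipEntry entry = new ZipEntry("lorem ipsum.txt");
        entry.setSize(lorem.getBytes(StandardCharsets.UTF_8).length);
        stream.putNextEntry(entry);
        stream.write(lorem.getBytes(StandardCharsets.UTF_8));
        stream.closeEntry();
    }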
Annotate the archive with tags:
    stream
        .setTag(Tags.Title, "Lorem ipsum")
        .setTag(Tags.Possessor, "Cicero")
        .setTag(Tags.Subject, "Lorem ipsum is a placeholder text commonly used to demonstrate the visual form of a document")
        .setTag(Tags.Keywords, "placeholder design")
        .setTag(Tags.Version, "1.10.32");
Verify:
    $ jarsigner -verbose -verify signed.zip
    jar verified.
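"jar verified." says the signatures and digests are consistent; with a self-signed key the consumer still has to check that every entry is signed and that the signer is the expected one. The following is an added example, not part of the library: it uses only the JDK's java.util.jar API, and the class name VerifySignedZip is an assumption (signed.zip is the archive created above).

```java
import java.io.File;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class VerifySignedZip {
    // Manifest and signature block files are not themselves signed entries
    private static final String SIGNATURE_FILES =
            "(?i)META-INF/(MANIFEST\\.MF|[^/]+\\.(SF|RSA|DSA|EC)|SIG-[^/]*)";

    /** Returns the single certificate that signed every entry, or throws SecurityException. */
    static X509Certificate verify(File archive) throws Exception {
        X509Certificate signer = null;
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(archive, true)) { // true: verify signatures
            for (JarEntry entry : Collections.list(jar.entries())) {
                String name = entry.getName();
                if (entry.isDirectory() || name.matches(SIGNATURE_FILES)) continue;
                // Digests are checked only when the entry is read to the end;
                // a modified entry makes read() throw SecurityException.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* discard */ }
                }
                CodeSigner[] signers = entry.getCodeSigners(); // null if unsigned
                if (signers == null) throw new SecurityException("unsigned entry: " + name);
                X509Certificate cert = (X509Certificate)
                        signers[0].getSignerCertPath().getCertificates().get(0);
                if (signer == null) signer = cert;
                else if (!signer.equals(cert)) throw new SecurityException("unexpected signer on: " + name);
            }
        }
        if (signer == null) throw new SecurityException("no signed entries in " + archive);
        return signer;
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = verify(new File("signed.zip"));
        System.out.println("all entries signed by: " + cert.getSubjectX500Principal());
    }
}
```

Compare the returned certificate with the one you distributed out of band before trusting the archive's contents.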