Meta-Information: Manifest Files and Signatures
Aside from the three-letter extension, the only distinction between a zip file and a JAR file is that a JAR file contains a manifest file that lists the contents of the archive as well as information about those contents. The manifest file, which provides meta-information about the contents of the archive in a particular format, is named MANIFEST.MF and is stored in the META-INF directory at the top of the archive. This directory and file are normally not present in the unarchived collection. Generally, a manifest is added as part of the archiving process.
At a minimum, a manifest file must contain this opening line:
Manifest-Version: 1.0
A manifest usually contains additional entries for some of the files in the archive. However, the manifest does not usually contain an entry for every file in the archive.
Blank lines separate entries from each other. Each entry is composed of a list of name/value pairs, one to a line. Names are separated from values by colons and whitespace, as in email headers. For example:
Name: com/elharo/awt/Filmstrip.class
Java-Bean: true
Last-modified: 09-07-2005
Depends-On: com/elharo/io/StreamCopier.class
Brad: Majors
Digest-Algorithms: MD5
MD5-Digest: XD4578YEEIK9MGX54RFGT7UJUI9810
This manifest defines an entry with the name com/elharo/awt/Filmstrip.class. This entry has six attributes: Java-Bean with the value true, Last-modified with the value 09-07-2005, Depends-On with the value com/elharo/io/StreamCopier.class, Brad with the value Majors, and so on. Each of these has a specific meaning in a particular context. For instance, the Java-Bean attribute with the value true means that this class is a JavaBean that can be loaded into a visual builder tool. Digest-Algorithms lists the types of message digests computed from the file, and MD5-Digest gives the value of one particular digest. Most of the attributes have application-specific meanings. Applications reading a JAR archive that don't understand a particular attribute should simply ignore it.
The files in the JAR archive may be signed using a digital signature algorithm. Different individuals may sign different files, and more than one person may sign each file. For each file that's signed, the META-INF directory will also contain a signature file. The signatures can be checked when a file is read from a JAR archive. If the signatures no longer match the files, an IOException can be thrown (though this behavior is configurable at the programmer level). If you're interested, the details are available in Java Security by Scott Oaks (O'Reilly).
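The per-entry digest attribute described above can be checked by hand with java.util.jar. The following is an added example, not code from the original text: it builds a small JAR in memory, records a digest for one entry in the manifest, and then reports entries whose stored bytes no longer match. It uses SHA-256-Digest in place of the MD5-Digest shown above; the class name ManifestDigestCheck, the entry name, and the sample bytes are constructed for illustration, and InputStream.readAllBytes assumes Java 9 or later.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.jar.*;

public class ManifestDigestCheck {
    // Base64-encoded SHA-256, the encoding used for {algorithm}-Digest manifest values.
    static String digest(byte[] data) throws Exception {
        return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256").digest(data));
    }

    // Constructed sample: a one-entry JAR whose manifest lists the digest of `listed`
    // while the archive actually stores `stored`.
    static byte[] buildJar(String name, byte[] listed, byte[] stored) throws Exception {
        Manifest mf = new Manifest();
        mf.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0"); // required opening line
        Attributes attrs = new Attributes();
        attrs.putValue("SHA-256-Digest", digest(listed));
        mf.getEntries().put(name, attrs);                 // becomes a "Name: ..." section
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (JarOutputStream out = new JarOutputStream(buf, mf)) {
            out.putNextEntry(new JarEntry(name));
            out.write(stored);
            out.closeEntry();
        }
        return buf.toByteArray();
    }

    // Names of entries whose bytes do not match the manifest digest, or that have none.
    static List<String> mismatches(byte[] jar) throws Exception {
        List<String> bad = new ArrayList<>();
        try (JarInputStream in = new JarInputStream(new ByteArrayInputStream(jar))) {
            Manifest mf = in.getManifest();               // META-INF/MANIFEST.MF, if present
            for (JarEntry e; (e = in.getNextJarEntry()) != null; ) {
                if (e.isDirectory()) continue;
                Attributes a = (mf == null) ? null : mf.getAttributes(e.getName());
                String want = (a == null) ? null : a.getValue("SHA-256-Digest");
                if (!digest(in.readAllBytes()).equals(want)) bad.add(e.getName());
            }
        }
        return bad;
    }

    public static void main(String[] args) throws Exception {
        String name = "com/example/Sample.class";         // hypothetical entry name
        byte[] original = "original bytes".getBytes(StandardCharsets.UTF_8);
        byte[] changed = "changed bytes".getBytes(StandardCharsets.UTF_8);
        System.out.println("intact:   " + mismatches(buildJar(name, original, original)));
        System.out.println("modified: " + mismatches(buildJar(name, original, changed)));
    }
}
```

A digest in an unsigned manifest only catches accidental corruption, because anyone who can change an entry can also rewrite the manifest. The Java runtime checks these digests itself only when the JAR carries signature files, which are what tie the manifest to a signer.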