如何加密.jar文件

Question

我正在一个项目中，我们需要加密.jar文件，所以没有人可以访问jar文件中的.class文件....是否有任何java编码可以帮助我加密.jar文件？

Answer 1

Even if you encrypt the jar file, it must be decrypted before the JVM is able to run it, so you'll need another jar file containing classes that decrypt and loads in the JVM.

Since this second jar file cannot be itself encrypted, a malicious user wanting to see you class files, can simply look at classes in this second jar file, and then decrypt your super-secret jar file and have access to it.

Maybe you can increase security of your code using an obfuscator, but it will eventually protect (make it harder but not impossible) your class files from decompilation, not from being used.

If obfuscation is not enough, you could consider compiling your jar file to a DLL for windows or a SO for unix/linux, that will make it much harder to decompile, but it's not always possible to do that correctly and it's generally a PITA. GCJ is able to do this somehow, and there are other commercial products that will actually compile .class/.jar directly to machine code.

However please consider that it does not matter how much security you put in it, since the client computer MUST be able to execute it, it must be able to read it, so no matter what your code will be exposed, you can only make it harder.

If you really have an algorithm so secret you don't want to disclose no matter what, consider converting it to a web service, hosting it on your server, so that you don't have to send the actual code to the client machines and can also better prevent unauthorized copies of your application by checking access to that vital part of it.

Answer 2

I assume you are aware of the fact that any skilled java coder can reverse-engineer the Java tool you use (or write) and still decode the app's jars? Also writing custom classloaders which read your "encrypted" code can be decompiled and a tool could be written to bypass it.

Even with obfuscation and bytecode modification and custom classloaders, java is hackable/decompileable and the source can almost always be brought to a somewhat readable state.

Answer 3

You want to obfuscate, not encrypt, the jar file.

A popular choice for doing this in Java is ProGuard .

Answer 4

No. Since your program needs to be able to run the code it would be pointless anyway.

You can obfuscate your code though so decompiling the .class files results in less readable code (meaningless variable/class names etc).

Answer 5

As far as I know this is not supported by standard JVM. But you can do the following. Separate your application into 2 parts. First will not be encrypted. It will be a simple loader that will instantiate the rest using custom class loader. This class loader will get Classes as arrays of bytes, decrypt and load them.

Answer 6

如果你在jar中打包 - >只需将其重命名为jarname.ABCD或任何误导扩展名，甚至取消扩展名，并相应地在你的应用程序中指定jar名称。

Answer 7

if you don't want to provide an access to the class files inside the jar, why should you supply your jar with the application? It feels like your question is kind of wrong conceptually...

If you need some custom way of loading the classes, consider to use custom classloader.

Answer 8

i prefer jCrypt ! It is a simple tool where you can crypt the classes(and ressources)