Is it possible to have SHA1-Digest in java Manifest file without actually using a key

Question

Currently we use jarsigner to sign our jar. We then display some SHA1-Digest values for some specific classes to prove to an external auditor that the code has not changed b

Answer 1

Signature verification will fail...

Why?

JAR File Verification -> Verify the signature of the .SF file itself.

That is, the verification ensures that the signature stored in each signature block (.DSA) file was in fact generated using the private key corresponding to the public key whose certificate (or certificate chain) also appears in the .DSA file. It also ensures that the signature is a valid signature of the corresponding signature (.SF) file, and thus the .SF file has not been tampered with.

For more info http://docs.oracle.com/javase/7/docs/technotes/tools/windows/jarsigner.html