How to read archive signing info online in your browser
- Step 1Open the tool — Visit /archive-tools/archive-signing-info. Read Signing Info is a Pro-tier tool, so sign in to a Pro plan or higher before running it.
- Step 2Drop one archive — Drag a single
.jar,.apk,.aar,.zip, or other supported container into the dropzone. The tool reads one file at a time; it does not accept folders or batches. - Step 3Let it extract — The tool detects the format from magic bytes and extracts entries with fflate, zip.js, or libarchive WASM. Encrypted entries are not auto-decrypted here — password-protected ZIPs will not extract.
- Step 4Scan for JAR artifacts — It checks for
META-INF/MANIFEST.MF. If present, it reports a JAR-style archive and lists every signing file matchingMETA-INF/*.(RSA|DSA|EC|SF). - Step 5Scan for the APK block — It reads the bytes immediately before the ZIP central directory and looks for the
APK Sig Blockmagic, reporting an APK Signing Block (v2/v3) if found. - Step 6Read the JSON report — The result panel shows the
Findingscount and a Download button. The file is<name>-signing.jsoncontaining{ filename, findings: [...] }. If nothing matched,findingsis["No digital signature found."].
What Read Signing Info detects (and what it does not)
The tool is a signing-artifact detector, not a verifier. These are the exact checks in the processor — nothing more is parsed.
| Signing scheme | How it is detected | Reported finding | Verified? |
|---|---|---|---|
| JAR signing (v1 / APK v1) | Presence of META-INF/MANIFEST.MF | "Found META-INF/MANIFEST.MF — JAR-style archive." | No — presence only |
| JAR signature files | Filenames matching META-INF/*.(RSA|DSA|EC|SF) | "Signing files: a.RSA, a.SF, ..." | No — names listed, not parsed |
| APK Signing Block (v2/v3) | APK Sig Block magic in the 16 bytes before the central directory | "APK Signing Block detected (Android v2/v3 signature)." | No — magic only, no v2 vs v3 split |
| Unsigned archive | None of the above matched | "No digital signature found." | n/a |
| ZIP 0x0065 / PKCS#7 extra field | Not implemented in this tool | Not reported | Out of scope — use openssl |
| Certificate / signer identity | Not parsed | Not reported | Out of scope — use jarsigner / apksigner |
Supported input formats and tier limits
Read Signing Info requires a Pro plan minimum. Limits are the archive-family caps; the per-archive entry-count cap matters as much as file size.
| Tier | Max file size | Max entries / archive | Batch files | Read Signing Info? |
|---|---|---|---|---|
| Free | 50 MB | 500 | 1 | Not available (Pro minimum) |
| Pro | 500 MB | 50,000 | 20 | Yes — minimum tier |
| Pro-Media | 2 GB | 500,000 | 100 | Yes |
| Developer | 2 GB | 500,000 | unlimited | Yes |
| Enterprise | unlimited | unlimited | unlimited | Yes |
Cookbook
Real <name>-signing.json reports for the four outcomes you will actually see. The JSON shape is always { "filename": ..., "findings": [...] }.
A signed JAR
A standard signed Java library. The tool finds the manifest and lists the signer block + signature file. It does not check that the digests in the .SF match the entries — that is verification, which jarsigner -verify does.
Input: commons-lang3-3.14.0.jar (signed)
Report: commons-lang3-3.14.0-signing.json
{
"filename": "commons-lang3-3.14.0.jar",
"findings": [
"Found META-INF/MANIFEST.MF — JAR-style archive.",
"Signing files: META-INF/SIGNER.SF, META-INF/SIGNER.RSA"
]
}A v2/v3-signed APK
A release APK signed with the APK Signature Scheme v2 or v3. The tool detects the signing block by its magic; it cannot tell you v2 from v3, the signer certificate, or whether the signature is valid.
Input: app-release.apk (v2 signed)
Report: app-release-signing.json
{
"filename": "app-release.apk",
"findings": [
"Found META-INF/MANIFEST.MF — JAR-style archive.",
"Signing files: META-INF/CERT.SF, META-INF/CERT.RSA",
"APK Signing Block detected (Android v2/v3 signature)."
]
}An unsigned ZIP
A plain ZIP of source or assets. No META-INF/MANIFEST.MF, no APK block — exactly what you expect for the vast majority of ZIPs.
Input: project-assets.zip
Report: project-assets-signing.json
{
"filename": "project-assets.zip",
"findings": [
"No digital signature found."
]
}A JAR with a manifest but no signature
Many JARs carry META-INF/MANIFEST.MF (build metadata) without being signed. The tool reports the manifest but no signing files — a useful distinction.
Input: my-app.jar (built, not signed)
Report: my-app-signing.json
{
"filename": "my-app.jar",
"findings": [
"Found META-INF/MANIFEST.MF — JAR-style archive."
]
}An AAR (Android library)
An .aar is a ZIP container. The tool extracts it like any ZIP and reports whatever signing artifacts are inside — usually none, since AARs are signed at the consuming APK level.
Input: ui-widgets.aar
Report: ui-widgets-signing.json
{
"filename": "ui-widgets.aar",
"findings": [
"No digital signature found."
]
}Edge cases and what actually happens
File over your tier size cap
Tier limit exceededPro caps inputs at 500 MB, Pro-Media and Developer at 2 GB. An APK or JAR over the cap is rejected before extraction. Upgrade the tier or strip large assets first.
Archive over the entry-count cap
Tier limit exceededThere is a per-archive entry limit too — 50,000 on Pro, 500,000 above. A fat fat-JAR with hundreds of thousands of classes can hit it even under the size cap.
Password-protected ZIP
Extraction failedRead Signing Info calls the extractor without a password. Encrypted entries cannot be read, so signing detection cannot run. Confirm encryption first with Encrypted Archive Detector.
Manifest present, no signature
By designMETA-INF/MANIFEST.MF exists in almost every JAR, signed or not. The tool reports the manifest separately from signing files, so a manifest-only finding correctly means "not signed".
APK with v2/v3 but stripped META-INF
SupportedPure v2/v3 APKs may lack JAR-style .RSA/.SF files. The APK Signing Block check still fires from the magic bytes, so the APK is still flagged as signed.
Renamed extension (.zip that is really .rar)
SupportedDetection uses magic bytes, not the extension. A .zip that is actually a RAR is routed to libarchive WASM and extracted correctly. Confirm with Auto-Format Detector if unsure.
Truncated / corrupt central directory
Extraction failedIf the ZIP EOCD or central directory is damaged, extraction fails and the APK-block check (which reads relative to the central-directory offset) cannot run. Try Corrupted ZIP Repair first.
Wanting the certificate or validity verdict
Out of scopeThis tool never parses certificates or checks digests. For a real verdict use jarsigner -verify -verbose -certs, apksigner verify --print-certs, or openssl pkcs7 -inform DER -print_certs.
Tar / 7z that contains a JAR
Reads outer containerThe tool extracts the outer archive and scans its top-level entries. A JAR nested inside a tar is an entry, not the scanned container, so its inner META-INF is not detected — extract the JAR first.
Frequently asked questions
Does Read Signing Info upload my file?
No. The archive is read from disk with the File API and extracted in your browser via fflate, @zip.js/zip.js, or libarchive WASM. Open DevTools → Network during a run and you will see no outbound request carrying your file.
Is this a free tool?
No — Read Signing Info has a Pro minimum tier. The Pro plan covers files up to 500 MB and 50,000 entries per archive, which fits essentially every JAR and APK.
What exactly does it detect?
Two things: JAR signing artifacts (META-INF/MANIFEST.MF plus any META-INF/*.RSA/.DSA/.EC/.SF) and the Android APK Signing Block (v2/v3) by its magic bytes. Nothing else is parsed.
Does it verify the signature?
No. It detects presence and filenames only. It does not read certificates, check digests, or validate a trust chain. Use jarsigner -verify, apksigner verify, or openssl for real verification.
What output do I get?
A JSON file named <name>-signing.json containing { filename, findings: [...] }. It is a report, not a rebuilt archive — the tool never modifies or re-emits your input.
Can it tell APK v2 from v3?
No. It only checks for the APK Sig Block magic and reports "v2/v3" generically. To distinguish them, run apksigner verify --verbose.
Which formats can it read?
ZIP, JAR, APK, AAR, GZIP, and TAR natively, plus 7z, RAR, BZ2, and XZ through libarchive WASM. The APK-block check requires a ZIP-structured container; the manifest check works on any extractable container.
Why does my password-protected APK fail?
Read Signing Info does not pass a password to the extractor, so encrypted entries cannot be decrypted. APKs are normally not encrypted; if yours is, decrypt it elsewhere first.
Can I batch many JARs at once?
No. This tool processes one file per run. For bulk archive analysis look at Batch Compression Report or the Archive Metadata Extractor for per-entry detail.
Does a manifest mean the archive is signed?
No. META-INF/MANIFEST.MF is present in nearly all JARs. Signing requires the .SF + .RSA/.DSA/.EC files, which the tool lists separately. Manifest-only means not signed.
Will it work offline?
After the page and WASM chunks load, the detection runs locally. A reload while offline may fail to fetch the libarchive WASM chunk, which is needed for 7z/rar/bz2/xz inputs.
What if I need certificate details?
This tool intentionally stops at detection. Pair it with command-line keytool -printcert -jarfile app.jar or apksigner verify --print-certs app.apk, then attach the <name>-signing.json to your ticket as the quick presence check.
Privacy first
Every JAD Archive tool runs entirely in your browser using fflate, @zip.js/zip.js, and the libarchive WASM bridge. Your archives never leave your device — verified by zero outbound network requests during processing.