Hi,
The tutorial at the site http://java.sun.com/docs/books/tutorial/security1.2/toolfilex/rstep2.html
says that the contract is verified once the certificate is imported by the receiver and is verified using jarsigner. But the jarsigner only verifies the signature present on the jar file. It does not match it with the certificate present in the keystore. So even if I do not import the certificate, the result is still "jar verified". This is true even if the receiver does not have ANY keystore. jarsigner does not verify the person who has signed it. In fact, if the contract is hacked in between, changed, original signature files deleted and signed by any key with the same alias, the jar will still say VERIFIED. So this is not the way to send contract files securely. ..........
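As an added example (not from the original post or the tutorial), the following Java check does what `jarsigner -verify` on its own does not: it reads every entry of the jar, which triggers the signature and digest check, and then compares the leaf signing certificate against the certificate the receiver imported into a truststore, so a re-signing with a different key under the same alias is rejected. The file paths and password are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class SignerCheck {
    // Returns true only if every non-META-INF entry is signed and at least one of
    // its signers is a certificate present in the receiver's truststore.
    public static boolean verifySignedBy(String jarPath, String trustStorePath, char[] storePass)
            throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, storePass);
        }
        // verify=true makes JarFile check digests/signatures as entries are read
        try (JarFile jar = new JarFile(jarPath, true)) {
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Read the entry to the end; a tampered entry throws SecurityException here
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* consume */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) return false; // unsigned entry
                boolean trusted = false;
                for (CodeSigner s : signers) {
                    // Leaf certificate of the signer's chain is the one that actually signed
                    Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
                    if (inTrustStore(ts, leaf)) { trusted = true; break; }
                }
                if (!trusted) return false; // signed, but not by the expected party
            }
        }
        return true;
    }

    // Compare by certificate, not by alias: an attacker can reuse any alias name.
    private static boolean inTrustStore(KeyStore ts, Certificate leaf) throws Exception {
        for (Enumeration<String> a = ts.aliases(); a.hasMoreElements();) {
            Certificate c = ts.getCertificate(a.nextElement());
            if (c != null && c.equals(leaf)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths: the received jar and the truststore holding the sender's cert
        System.out.println(verifySignedBy("contract.jar", "receiver.jks", "changeit".toCharArray()));
    }
}
```

The equivalent command-line check is `jarsigner -verify -verbose -certs -keystore receiver.jks contract.jar` and then reading the output to confirm the signer is the expected one, since jarsigner still prints "jar verified" for any well-formed signature.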