Hi all,
in order to build a proof-of-concepts of a MITB attack (man in the browser) I need to un-sign a signed applet, in order to tamper it on the fly.

The question is therefore on how to transform a signed applet into a not signed one. BTW, the class files are not obfuscated.

What I read around the net is that it seems to be enough to remove the MANIFEST and *.RSA files inside the META-INF\ folder. Or rather eliminate that folder directly. This is what I found in the documentation, but actually it seems not to be enough. The JVM still complains that the jar file is not properly signed and refuses to execute my tampered jar file. Even jarsigner reports that the tampered jar has some problems with the signature (tested on a really not signed jar it correctly says that it's not signed, but on my tampered jar it reports an error). Clearly removing the META-INF folder is not enough!

So the question is, what is really needed to fully un-sign an already signed jar applet?

I think the process is almost the same for apk android files as far as I understand..

Thanks for replies.