LLMpediaThe first transparent, open encyclopedia generated by LLMs

JAR (file format)

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Article Genealogy
Parent: Java Virtual Machine Hop 4
Expansion Funnel Raw 86 → Dedup 0 → NER 0 → Enqueued 0
1. Extracted86
2. After dedup0 (None)
3. After NER0 ()
4. Enqueued0 ()
JAR (file format)
JAR (file format)
David Vignoni / ICON KING · LGPL · source
NameJAR
Extension.jar
Mimeapplication/java-archive
OwnerOracle Corporation
Type codeARCHIVE
Container forJava Platform, Standard Edition classes, resources, metadata

JAR (file format) is a package file format used to aggregate multiple Java class files, associated metadata, and resources into a single archive. Originating with Sun Microsystems and standardized during the evolution of Java SE, the format builds on the ZIP container and integrates with the JVM and JRE to simplify distribution and deployment. JAR files have been adopted across ecosystem tools such as Apache Ant, Maven, Gradle, and are recognized by platforms like Android and servers running Apache Tomcat or GlassFish.

Overview

A JAR bundles class bytecode, images, configuration, and auxiliary files for delivery to environments running a JVM implementation such as HotSpot or OpenJ9. It leverages the ZIP compression scheme defined by the ZIP File Format Specification and augments archives with a standardized manifest consumed by java.lang.Package and java.util.jar.JarFile APIs. The format supports signing mechanisms tied to JCA and X.509 certificate chains, which integrate with frameworks like JAAS and deployment systems including Java Web Start and OSGi.

Format and structure

Internally, a JAR is a sequence of ZIP entries with a particular directory layout and an optional META-INF directory. Files commonly include compiled .class files produced by compilers such as javac or ECJ, resource bundles for i18n with tools like GNU gettext alternatives, and libraries packaged as dependencies managed by Apache Maven or Apache Ivy. The META-INF directory holds manifest files, digital signatures created by jarsigner (part of the JDK), and service loader descriptors recognized by java.util.ServiceLoader. The archive adheres to ZIP central directory structures compatible with utilities like Info-ZIP, 7-Zip, and operating system tools in Microsoft Windows, macOS, and Linux distributions.

Manifest and metadata

The JAR manifest, typically META-INF/MANIFEST.MF, conforms to the Java Archive Specification and exposes attributes such as Main-Class, Class-Path, and versioning headers used by semver conventions in build systems like Apache Maven and Gradle. Manifests facilitate executable JARs runnable via the java launcher, enable multi-release JAR behavior recognized by JEP 238 and JEP 320 in later OpenJDK releases, and provide metadata consumed by modular systems such as JPMS (introduced by JDK 9) and by OSGi bundle descriptors. Digital signature files (*.SF) and block *.RSA or *.DSA files in META-INF implement code signing interoperable with PKCS #7 and tools like OpenSSL.

Creation and tooling

Common tooling to create and inspect JARs includes the JDK's jar utility, build systems like Apache Ant, Maven, Gradle, and IDEs such as Eclipse, IntelliJ IDEA, and NetBeans. Continuous integration platforms like Jenkins, Travis CI, and GitLab CI automate packaging with dependency coordinates resolved via repositories like Maven Central and JFrog Artifactory. Third-party utilities such as ProGuard perform shrinking and obfuscation on JAR contents, while repackagers like Spring Boot's loader create executable fat JARs bundling transitive dependencies for deployment on platforms including Heroku and container runtimes orchestrated by Kubernetes.

Usage and execution

Executable JARs specify Main-Class in the manifest and are launched by the java launcher on implementations including OpenJDK and proprietary JREs. JARs can be placed on the classpath, loaded by class loaders such as URLClassLoader or custom loaders in application servers like JBoss/WildFly and GlassFish, and referenced by Class-Path entries to resolve transitive JAR dependencies. Enterprise systems use JARs inside WAR and EAR archives defined by Jakarta EE (formerly Java EE), while client applications use JARs for plugins in platforms like Eclipse RCP and NetBeans Platform.

Security considerations

Because JARs contain executable bytecode, they pose risks similar to other binary packages; signing with X.509 certificates via jarsigner and JCA helps establish provenance and integrity. Class loader isolation mitigates risks exploited by supply chain attacks exemplified in incidents affecting ecosystems like NPM and PyPI, while secure deployment practices reference standards from organizations such as OWASP. Sandboxing via security managers (deprecated in recent OpenJDK roadmaps) and module boundaries enforced by JPMS reduce attack surface, and vulnerability scanning with tools like OWASP Dependency-Check or Snyk integrates with registries like Maven Central to detect CVEs.

Compatibility and variants

Variants include fat (uber) JARs produced by Spring Boot or Shade Plugin for Maven and multi-release JARs addressing multiple Java SE release levels under JEP 238. Android uses a distinct conversion path producing DEX bytecode via dx or D8 tools and packaging into APKs processed by aapt2 for distribution through Google Play. Modular JARs interact with JPMS module-info.class metadata introduced in JDK 9, and OSGi bundles add manifest headers standardized by the OSGi Alliance. Backward compatibility is maintained across OpenJDK and vendor distributions such as Oracle JDK and Amazon Corretto.

Category:Java platform