I want to configure the jdk so that if I were to do java -jar myjar.jar then myjar would only execute if it has been signed (by a particular signer). I found this answer but I’m not sure editing policy files is the solution. From my understanding by reading here, it seems that you can only grant/restrict permissions for apps to read/write certain targets, not grant/restrict permission for the app itself to run. For example, using an example from the policy files docs, I can add

  grant signedBy "Duke" {
      permission java.io.FilePermission "/tmp/*", "read,write";

to allow jars signed by “Duke” to read/write files in /tmp/ but I can’t add a restriction so that only jars signed by “Duke” may run in the first place.

I’m aware of the ability to use jarsigner -verify to verify the jars but I’m hoping for a solution that configures the Java runtime itself. Is there a way to achieve this using policy files or some other way?