...
Depending on how the client code works, signatures may or may not be checked programmatically. For example, any instance of URLClassLoader and its subclasses, as well as java.util.jar, automatically verifies a signature whenever the JAR file is signed. If, however, the developer implements a custom class loader that subclasses java.lang.ClassLoader directly, this step is not performed automatically. Moreover, in the URLClassLoader case, the automatic verification is only an integrity check and does not authenticate the loaded class, because the check uses a public key that is contained within the JAR itself. The legitimate JAR file may therefore be replaced with a malicious JAR file containing a different public key and matching digest values.
...