Digitally sign JARs with jarsigner
When distributing applications as JAR, EAR or WAR files, it’s a good practice, especially if other users are downloading your archives over the public internet, to digitally sign JAR files with jarsigner.
The jarsigner tool is bundled with every JDK installation and lives in the JDK's bin directory; it is available directly from a command prompt or terminal window as long as that bin directory is on your operating system's PATH.
To sign a JAR with jarsigner, you first need to create a public and private key pair. The private key signs the JAR, and the public key lets anyone verify that signature.
The JDK’s keytool can be used to create the public and private keys, and have them stored in a local keystore. The command to perform this operation, which requires a variety of details from the user in order to create the key, is as follows:
Digital certificate generation with keytool
/c/jarsigner/example/target $ keytool -genkey -alias server -keyalg RSA -keypass password -storepass password -keystore keystore.jks
What is your first and last name?
  [Unknown]:  CameronMcKenzie
What is the name of your organizational unit?
  [Unknown]:  TSS
What is the name of your organization?
  [Unknown]:  TechTarget
What is the name of your City or Locality?
  [Unknown]:  Toronto
What is the name of your State or Province?
  [Unknown]:  ON
What is the two-letter country code for this unit?
  [Unknown]:  CA
Is CN=CameronMcKenzie, OU=TSS, O=TechTarget, L=Toronto, ST=ON, C=CA correct?
  [no]:  yes
Java keytool export
With the keys created and stored, export the server certificate to the filesystem so we can use it in jarsigner's sign and verify process.
/c/jarsigner/example/target $ keytool -export -alias server -storepass password -file server.cer -keystore keystore.jks
Certificate stored in file <server.cer>
With the keystore created and the server.cer file on the filesystem, we can then use the jarsigner tool to digitally sign the JAR file. In this case, the JAR file to digitally sign is named spock-lizard-1.0.jar. The name of the digitally signed JAR file will be signedjar.jar. The command to perform this operation is as follows:
Sign a JAR with jarsigner example
The following jarsigner example will use the generated public and private keys to digitally sign the original JAR with the jarsigner command. A new, signed JAR named signedjar.jar will be created.
/c/jarsigner/example/target $ jarsigner -keystore keystore.jks -signedjar signedjar.jar spock-lizard-1.0.jar server
Enter Passphrase for keystore: password
jar signed.

Warning: The signer's certificate is self-signed.
Verify a signed JAR file
Finally, with the digitally signed JAR created, you can use the jarsigner tool to verify the signature:
/c/jarsigner/example/target $ jarsigner -verify signedjar.jar
jar verified.
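What does "jar verified." actually cover? A signed JAR carries a manifest with a per-entry digest, a .SF file with a digest of that manifest, and a signature block over the .SF. The following is an added example, not code from the article or the JDK: a standard-library Python script that constructs a JAR in memory with the same manifest and .SF layout jarsigner writes (the sample entry contents, the signer name SERVER and the file names are constructed here), then replays the digest layer of verification. It classifies entries the way jarsigner reports them: a digest mismatch is a hard failure, while an entry with no manifest digest is merely "unsigned", which jarsigner only warns about. The signature block (.RSA) that ties the .SF to the signer's certificate is the one step not reproduced.

```python
"""Added example, not from the article or the JDK: the digest layer of
`jarsigner -verify`, replayed over a JAR constructed in memory."""
import base64
import hashlib
import io
import zipfile


def b64_sha256(data: bytes) -> str:
    # jarsigner stores digests base64-encoded in the manifest and the .SF file
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def parse_manifest(data: bytes) -> dict:
    """Parse a manifest (or .SF) into {section_name: {header: value}}.

    The main section is keyed by ''. A line starting with a single space
    continues the previous line (manifests wrap at 72 bytes)."""
    lines = []
    for raw in data.decode("utf-8").splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections, current = {}, {}
    for line in lines + [""]:          # trailing "" flushes the last section
        if line == "":
            if current:
                sections[current.get("Name", "")] = current
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return sections


def build_jar(entries: dict, tamper: str = "", unsigned_extra: dict = None) -> bytes:
    """Construct a JAR laid out as jarsigner leaves it: MANIFEST.MF with a
    SHA-256-Digest per entry and a .SF carrying the digest of the whole manifest.
    `tamper` alters one entry after its digest was recorded; `unsigned_extra`
    adds entries that have no manifest section at all."""
    manifest = "Manifest-Version: 1.0\r\nCreated-By: constructed example\r\n\r\n"
    for name, data in entries.items():
        manifest += f"Name: {name}\r\nSHA-256-Digest: {b64_sha256(data)}\r\n\r\n"
    manifest_bytes = manifest.encode("utf-8")
    # A real .SF also digests each manifest section individually; omitted here.
    sf = ("Signature-Version: 1.0\r\n"
          f"SHA-256-Digest-Manifest: {b64_sha256(manifest_bytes)}\r\n\r\n").encode("utf-8")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_bytes)
        zf.writestr("META-INF/SERVER.SF", sf)   # a real JAR also has META-INF/SERVER.RSA
        for name, data in entries.items():
            zf.writestr(name, data + b"# injected\n" if name == tamper else data)
        for name, data in (unsigned_extra or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


def check_jar(jar_bytes: bytes) -> dict:
    """Classify entries: 'verified' (digest matches), 'tampered' (digest mismatch,
    a hard failure in jarsigner) or 'unsigned' (no manifest digest; jarsigner only
    warns). 'sf_ok' reports whether the .SF still matches the manifest bytes."""
    report = {"verified": [], "tampered": [], "unsigned": [], "sf_ok": False}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest_bytes = zf.read("META-INF/MANIFEST.MF")
        manifest = parse_manifest(manifest_bytes)
        for name in zf.namelist():
            if name.upper().startswith("META-INF/") and name.upper().endswith(".SF"):
                sf_main = parse_manifest(zf.read(name)).get("", {})
                if sf_main.get("SHA-256-Digest-Manifest") == b64_sha256(manifest_bytes):
                    report["sf_ok"] = True
        for name in zf.namelist():
            if name.endswith("/") or name.upper().startswith("META-INF/"):
                continue
            expected = manifest.get(name, {}).get("SHA-256-Digest")
            if expected is None:
                report["unsigned"].append(name)
            elif expected == b64_sha256(zf.read(name)):
                report["verified"].append(name)
            else:
                report["tampered"].append(name)
    return report


# Constructed sample contents standing in for the entries of spock-lizard-1.0.jar.
SAMPLE = {"hello.txt": b"hello\n", "com/example/App.class": b"\xca\xfe\xba\xbe" + b"\x00" * 8}


def demo() -> tuple:
    intact = check_jar(build_jar(SAMPLE))
    modified = check_jar(build_jar(SAMPLE, tamper="hello.txt"))
    appended = check_jar(build_jar(SAMPLE, unsigned_extra={"extra.txt": b"unsigned\n"}))
    return intact, modified, appended


if __name__ == "__main__":
    for label, report in zip(("intact", "modified entry", "appended entry"), demo()):
        print(label, report)
```

The third case is the one to watch in practice: an entry added to a signed JAR after signing does not break verification, it only produces a warning about unsigned entries, so a consumer that treats a zero exit status from `jarsigner -verify` as "fully signed" is mistaken unless it also runs with `-strict`, which turns that warning into a non-zero exit code.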
Digitally sign JARs with jarsigner
In review, the steps to digitally sign JAR files with jarsigner are:
- Create a JAR file with Java’s JAR utility
- Create public and private keys with Java’s keytool
- Export the server-side digital certificate with the keytool
- Use the jarsigner tool to sign the JAR file digitally
- Use the jarsigner command’s -verify switch to validate the JAR file signing operation
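The five steps above as one non-interactive script, added here as an example rather than taken from the article or the JDK. It assumes a JDK with jar, keytool and jarsigner on PATH; the work directory, the alias "server", the subject DN and the password value are constructed placeholders. Two things differ from the article's transcript on purpose: the password reaches keytool and jarsigner through `-storepass:env`, so it never appears in process listings or shell history, and the script ends with a trust check. The "Warning: The signer's certificate is self-signed." line in the article's output is the point: "jar verified." only proves the JAR is consistent with whatever certificate is embedded in it, so a client must also compare that certificate against the server.cer it received from you.

```shell
#!/bin/sh
# Added example, not from the article or the JDK: the article's keytool/jarsigner
# procedure as one non-interactive script, ending with a trust check that
# "jar verified." alone does not give you. Assumes a JDK (jar, keytool, jarsigner)
# on PATH. Work directory, alias, subject DN and password are constructed placeholders.
set -eu

ALIAS="server"
JAR_STOREPASS="ChangeMe-Example"   # placeholder; load from a secret store in real use
export JAR_STOREPASS               # handed to the tools via -storepass:env, so the
                                   # password never appears in `ps` output or shell history

require_tools() {
    for tool in jar keytool jarsigner; do
        command -v "$tool" > /dev/null 2>&1 || { echo "missing $tool: a JDK is required" >&2; return 1; }
    done
}

setup_workdir() {
    WORKDIR=$(mktemp -d)
    KEYSTORE="$WORKDIR/keystore.jks"
}

# Step 1: a small JAR to sign, standing in for spock-lizard-1.0.jar.
make_test_jar() {
    printf 'hello\n' > "$WORKDIR/hello.txt"
    (cd "$WORKDIR" && jar cf unsigned.jar hello.txt)
}

# Step 2: key pair plus self-signed certificate; -dname replaces the interactive prompts.
generate_keys() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=Example Signer, OU=Dev, O=Example Corp, L=Toronto, ST=ON, C=CA" \
        -keystore "$KEYSTORE" -storepass:env JAR_STOREPASS -keypass:env JAR_STOREPASS
}

# Step 3: export the certificate. This file, never the keystore, is what clients receive.
export_cert() {
    keytool -exportcert -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass:env JAR_STOREPASS -file "$WORKDIR/server.cer"
}

# Step 4: sign with explicit SHA-256 entry digests and an RSA signature over them.
sign_jar() {
    jarsigner -keystore "$KEYSTORE" -storepass:env JAR_STOREPASS \
        -digestalg SHA-256 -sigalg SHA256withRSA \
        -signedjar "$WORKDIR/signed.jar" "$WORKDIR/unsigned.jar" "$ALIAS"
}

# Step 5a: integrity check, exactly what the article runs. Exit status 0 means the
# signed entries still match their digests and the signature over the manifest is valid.
verify_jar() {
    jarsigner -verify "$1" > /dev/null
}

# Step 5b: trust check. Compare the SHA-256 fingerprint of the signer certificate
# embedded in the JAR with that of the certificate you distributed (server.cer).
cert_fingerprint() {
    # $1 is -jarfile (signer certificate inside a JAR) or -file (a .cer on disk)
    keytool -printcert "$1" "$2" | grep 'SHA256:' | head -n 1 | awk '{print $2}'
}

signer_matches_cert() {
    fp_jar=$(cert_fingerprint -jarfile "$1")
    fp_cer=$(cert_fingerprint -file "$2")
    [ -n "$fp_jar" ] && [ "$fp_jar" = "$fp_cer" ]
}

main() {
    setup_workdir
    make_test_jar
    generate_keys > /dev/null
    export_cert > /dev/null
    sign_jar > /dev/null
    verify_jar "$WORKDIR/signed.jar"
    echo "signed.jar: integrity verified"
    signer_matches_cert "$WORKDIR/signed.jar" "$WORKDIR/server.cer"
    echo "signed.jar: signer certificate matches server.cer"
}

if require_tools; then
    main
fi
```

For a release build, add `-tsa` with the URL of a timestamping authority to the jarsigner command so that the signature stays verifiable after the signing certificate expires; the self-signed warning itself goes away only when the signing certificate is issued by a CA the client already trusts, or when the client imports server.cer into its own truststore.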
With your JAR files digitally signed with jarsigner, your clients will be confident that the files they run on their local JVMs are indeed distributed by a vendor they trust.