How to use jarsigner to sign JAR files example

Digitally sign JARs with jarsigner

When distributing applications as JAR, EAR or WAR files, it’s a good practice, especially if other users are downloading your archives over the public internet, to digitally sign JAR files with jarsigner.

The jarsigner tool is bundled with every Java JDK install, is found in the JDK’s bin directory, and is accessible directly from a command prompt or terminal window as long as the JDK’s bin directory is on your operating system’s PATH.

To sign a JAR with jarsigner, you first need to create a public and private key pair. The private key signs the JAR, and the public key lets anyone check that the signature is genuine.

The JDK’s keytool can be used to create the public and private keys, and have them stored in a local keystore. The command to perform this operation, which requires a variety of details from the user in order to create the key, is as follows:

Digital certificate generation with keytool

signed@jar /c/ jarsigner / example / target
$ keytool -genkey -alias server -keyalg RSA -keypass password -storepass password -keystore keystore.jks
What is your first and last name?
[Unknown]: CameronMcKenzie
What is the name of your organizational unit?
[Unknown]: TSS
What is the name of your organization?
[Unknown]: TechTarget
What is the name of your City or Locality?
[Unknown]: Toronto
What is the name of your State or Province?
[Unknown]: ON
What is the two-letter country code for this unit?
[Unknown]: CA
Is CN=CameronMcKenzie, OU=TSS, O=TechTarget, L=Toronto, ST=ON, C=CA correct?
[no]: yes

Java keytool export

With the keys created and stored, export the server certificate to the filesystem so we can use it in the jarsigner sign and verify process.

signed@jar /c/ jarsigner / example / target
$ keytool -export -alias server -storepass password -file server.cer -keystore keystore.jks
Certificate stored in file <server.cer>

With the keystore created and the server.cer file on the filesystem, we can then use the jarsigner tool to digitally sign the JAR file. In this case, the JAR file to digitally sign is named spock-lizard-1.0.jar. The name of the digitally signed JAR file will be signedjar.jar. The command to perform this operation is as follows:

Sign a JAR with jarsigner example

The following jarsigner example will use the generated public and private keys to digitally sign the original JAR with the jarsigner command. A new, signed JAR named signedjar.jar will be created.

signed@jar /c/ jarsigner / example / target
$ jarsigner -keystore keystore.jks -signedjar signedjar.jar spock-lizard-1.0.jar server
Enter Passphrase for keystore: password
jar signed.
Warning: The signer's certificate is self-signed.

Verify a signed JAR file

Finally, with the digitally signed JAR created, you can use the jarsigner tool to verify the signature:

signed@jar /c/ jarsigner / example / target
$ jarsigner -verify signedjar.jar
jar verified.

How jarsigner signs JAR files

This jarsigner example creates a new keystore, exports a digital certificate and creates a new JAR that is digitally signed.

Digitally sign JARs with jarsigner

In review, the steps to digitally sign JAR files with jarsigner, assuming you have Java installed, are:

  1. Create a JAR file with Java’s JAR utility
  2. Create public and private keys with Java’s keytool
  3. Export the server-side digital certificate with the keytool
  4. Use the jarsigner tool to sign the JAR file digitally
  5. Use the jarsigner command’s -verify switch to validate the JAR file signing operation
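The five steps above, collected into one non-interactive script. This is an added example and not part of the original article: it reuses the article's alias (server), file names (keystore.jks, server.cer, spock-lizard-1.0.jar, signedjar.jar) and demo password, and assumes keytool and jarsigner are on PATH. The -dname and -validity options, the -genkeypair and -exportcert spellings (the current names for the article's -genkey and -export), and the -verbose, -certs and -keystore options on verify are standard JDK options added here. Note the check in the last step: a bare `jarsigner -verify` only confirms that the signature matches the certificate embedded in the JAR, which is why the article's run prints "jar verified." while also warning that the certificate is self-signed; passing -keystore makes jarsigner additionally confirm that the signer's certificate is one you actually hold.

```sh
#!/usr/bin/env sh
# Added example (not from the original article): the article's keytool and
# jarsigner steps as shell functions, driven from a single entry point.
# Values below are the article's demo values; override them via the environment.
set -eu

KEYSTORE="${KEYSTORE:-keystore.jks}"
ALIAS="${ALIAS:-server}"
STOREPASS="${STOREPASS:-password}"   # demo value from the article

# Fail early with a clear message if the JDK bin directory is not on PATH.
require_tools() {
    for tool in keytool jarsigner; do
        command -v "$tool" >/dev/null 2>&1 || {
            echo "missing $tool: put the JDK bin directory on PATH" >&2
            return 1
        }
    done
}

# Step 2: create the key pair. -dname supplies the distinguished name the
# article typed at the interactive prompts, so keytool asks no questions.
create_keys() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=CameronMcKenzie, OU=TSS, O=TechTarget, L=Toronto, ST=ON, C=CA" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 3: export the signer's certificate ($1 is the output file) so it can be
# handed to the people who will run the JAR.
export_cert() {
    keytool -exportcert -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -file "$1"
}

# Step 4: sign the input JAR ($1), writing the signed copy to $2.
sign_jar() {
    jarsigner -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -signedjar "$2" "$1" "$ALIAS"
}

# Step 5: verify. With -keystore, jarsigner also checks that the signer's
# certificate is present in our keystore (shown as the 'k' flag in -verbose
# output) rather than trusting whatever certificate the JAR carries.
verify_jar() {
    jarsigner -verify -verbose -certs -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" "$1"
}

# Entry point: sign_and_verify <input.jar> <signed.jar>
# Reuses an existing keystore so repeated runs do not fail on a duplicate alias.
sign_and_verify() {
    require_tools
    [ -f "$KEYSTORE" ] || create_keys
    export_cert server.cer
    sign_jar "$1" "$2"
    verify_jar "$2"
}
```

Run it as `sign_and_verify spock-lizard-1.0.jar signedjar.jar` from the directory holding the JAR; the signed JAR gains META-INF/SERVER.SF and META-INF/SERVER.RSA (jarsigner names these after the upper-cased alias), and a non-zero exit from any step stops the script because of `set -e`.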

With your JAR files digitally signed with jarsigner, your clients will be confident that the files they run on their local VMs are indeed distributed by a vendor they trust.
