Skip to main content
Skip table of contents

Using Signum with Jarsigner

Linux

This guide assumes the Signum Linux Agent, Windows Agent and Java have been installed and configured.

Configuration File

Create a configuration file, keyfactorpkcs11.cfg with the below properties.

CODE
name = KeyfactorPKCS11
library = /usr/lib/libkeyfactorpkcs11.so
description = Keyfactor PKCS#11 interface for SmartCard

List the Key Objects

Use keytool to list the keys from the Keyfactor Signum PKCS11 provider:

CODE
Demo@Ubuntu:~/java-demo$ keytool -list -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/keyfactor/keyfactorpkcs11.cfg
Enter keystore password:
Keystore type: PKCS11
Keystore provider: SunPKCS11-KeyfactorPKCS11

Your keystore contains 1 entry

EB5686646CD1971792C881AA87E0F2DB2B81FD4C - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 29:EE:31:18:C7:1A:4C:5C:41:8C:47:40:B1:90:84:00:36:EB:2D:D4:C1:D1:75:F1:89:07:D6:70:34:FC:3F:80

Signing with Jarsigner

CODE
jarsigner -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/keyfactor/keyfactorpkcs11.cfg -tsa http://signserver.com/signserver/process?workerName=TimeStampSigner HelloWorld.jar 'EB5686646CD1971792C881AA87E0F2DB2B81FD4C - Certificate'

Enter Passphrase for keystore:
jar signed.

The signer certificate will expire on 2027-10-04.
The timestamp will expire on 2031-04-26.

 Verifying with Jarsigner

CODE
jarsigner -verify -verbose HelloWorld.jar

s        183 Thu Oct 19 18:39:18 UTC 2023 META-INF/MANIFEST.MF
         336 Thu Oct 19 18:39:20 UTC 2023 META-INF/EB568664.SF
        4324 Thu Oct 19 18:39:20 UTC 2023 META-INF/EB568664.RSA
           0 Thu Oct 19 12:47:52 UTC 2023 META-INF/
           0 Thu Oct 19 12:47:52 UTC 2023 com/
           0 Thu Oct 19 12:47:52 UTC 2023 com/example/
           0 Thu Oct 19 12:47:52 UTC 2023 com/example/helloworld/
sm       581 Thu Oct 19 12:47:52 UTC 2023 com/example/helloworld/HelloWorld.class

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore

- Signed by "CN=Demo"
    Digest algorithm: SHA-256
    Signature algorithm: SHA384withRSA, 4096-bit key
  Timestamped by "CN=Ben-Final-TSA" on Thu Oct 19 18:39:20 UTC 2023
    Timestamp digest algorithm: SHA-256
    Timestamp signature algorithm: SHA256withRSA, 2048-bit key

jar verified.

The signer certificate will expire on 2027-10-04.
The timestamp will expire on 2031-04-26.

Windows

Signing with Jarsigner

CODE
PS C:\Users\user\Desktop\demo> jarsigner -storetype Windows-MY -tsa http://signserver.com/signserver/process?workerName=TimeStampSigner .\HelloWorld.jar "Demo"
jar signed.

The signer certificate will expire on 2027-10-04.
The timestamp will expire on 2031-04-26.

 

Verifying with Jarsigner

CODE
PS C:\Users\user\Desktop\demo> jarsigner -verify .\HelloWorld.jar

jar verified.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.