Using Signum with Jarsigner
Linux
This guide assumes the Signum Linux Agent, Windows Agent and Java have been installed and configured.
Configuration File
Create a configuration file, keyfactorpkcs11.cfg, with the properties below. The commands in this guide reference it at /etc/keyfactor/keyfactorpkcs11.cfg.
name = KeyfactorPKCS11
library = /usr/lib/libkeyfactorpkcs11.so
description = Keyfactor PKCS#11 interface for SmartCard
List the Key Objects
Use keytool to list the keys from the Keyfactor Signum PKCS11 provider:
Demo@Ubuntu:~/java-demo$ keytool -list -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/keyfactor/keyfactorpkcs11.cfg
Enter keystore password:
Keystore type: PKCS11
Keystore provider: SunPKCS11-KeyfactorPKCS11
Your keystore contains 1 entry
EB5686646CD1971792C881AA87E0F2DB2B81FD4C - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 29:EE:31:18:C7:1A:4C:5C:41:8C:47:40:B1:90:84:00:36:EB:2D:D4:C1:D1:75:F1:89:07:D6:70:34:FC:3F:80
Signing with Jarsigner
jarsigner -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/keyfactor/keyfactorpkcs11.cfg -tsa 'http://signserver.com/signserver/process?workerName=TimeStampSigner' HelloWorld.jar 'EB5686646CD1971792C881AA87E0F2DB2B81FD4C - Certificate'
Enter Passphrase for keystore:
jar signed.
The signer certificate will expire on 2027-10-04.
The timestamp will expire on 2031-04-26.
Verifying with Jarsigner
jarsigner -verify -verbose HelloWorld.jar
s 183 Thu Oct 19 18:39:18 UTC 2023 META-INF/MANIFEST.MF
336 Thu Oct 19 18:39:20 UTC 2023 META-INF/EB568664.SF
4324 Thu Oct 19 18:39:20 UTC 2023 META-INF/EB568664.RSA
0 Thu Oct 19 12:47:52 UTC 2023 META-INF/
0 Thu Oct 19 12:47:52 UTC 2023 com/
0 Thu Oct 19 12:47:52 UTC 2023 com/example/
0 Thu Oct 19 12:47:52 UTC 2023 com/example/helloworld/
sm 581 Thu Oct 19 12:47:52 UTC 2023 com/example/helloworld/HelloWorld.class
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
- Signed by "CN=Demo"
Digest algorithm: SHA-256
Signature algorithm: SHA384withRSA, 4096-bit key
Timestamped by "CN=Ben-Final-TSA" on Thu Oct 19 18:39:20 UTC 2023
Timestamp digest algorithm: SHA-256
Timestamp signature algorithm: SHA256withRSA, 2048-bit key
jar verified.
The signer certificate will expire on 2027-10-04.
The timestamp will expire on 2031-04-26.
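The verbose listing above can be checked mechanically: any file entry that lacks the "s" flag was not covered by the signature. The following is an added example, not part of the original guide or of Keyfactor's tooling; the function names are hypothetical, and the sample listing is constructed from the output above plus one constructed unsigned entry (Extra.class).

```shell
#!/bin/sh
# Reads `jarsigner -verify -verbose` output on stdin and prints every file
# entry that does not carry the "s" (signature was verified) flag.
unsigned_entries() {
  awk '
    {
      # Flags (s, m, k) precede the first all-numeric field, the entry size.
      flags = ""; size_idx = 0
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^[0-9]+$/) { size_idx = i; break }
        flags = flags $i
      }
      # Entry line layout: [flags] size, six date fields, entry name.
      if (size_idx == 0 || NF < size_idx + 7) next
      if (flags !~ /^[smk]*$/) next
      name = $(size_idx + 7)
      for (i = size_idx + 8; i <= NF; i++) name = name " " $i
      if (name ~ /\/$/) next                      # directory entry
      if (index(name, "META-INF/") == 1) {        # manifest and signature files
        rest = substr(name, 10)
        if (index(rest, "/") == 0 && rest ~ /^(MANIFEST\.MF|.*\.(SF|RSA|DSA|EC))$/) next
      }
      if (flags !~ /s/) print name
    }'
}

# Fails when verification fails or when any file entry is unsigned.
check_jar() (
  out=$(jarsigner -verify -verbose "$1") || exit 1
  missing=$(printf '%s\n' "$out" | unsigned_entries)
  [ -z "$missing" ] || { printf 'unsigned entry: %s\n' "$missing" >&2; exit 1; }
)

# Constructed sample listing (Extra.class is a constructed unsigned entry).
sample_output() {
  cat <<'EOF'
s        183 Thu Oct 19 18:39:18 UTC 2023 META-INF/MANIFEST.MF
         336 Thu Oct 19 18:39:20 UTC 2023 META-INF/EB568664.SF
        4324 Thu Oct 19 18:39:20 UTC 2023 META-INF/EB568664.RSA
           0 Thu Oct 19 12:47:52 UTC 2023 com/example/helloworld/
sm       581 Thu Oct 19 12:47:52 UTC 2023 com/example/helloworld/HelloWorld.class
         412 Thu Oct 19 19:02:11 UTC 2023 com/example/helloworld/Extra.class
  s = signature was verified
EOF
}

sample_output | unsigned_entries   # prints com/example/helloworld/Extra.class
```

In a build pipeline, check_jar HelloWorld.jar can gate the release step; jarsigner's own -strict option additionally makes its exit code reflect severe warnings.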
Windows
Signing with Jarsigner
PS C:\Users\user\Desktop\demo> jarsigner -storetype Windows-MY -tsa http://signserver.com/signserver/process?workerName=TimeStampSigner .\HelloWorld.jar "Demo"
jar signed.
The signer certificate will expire on 2027-10-04.
The timestamp will expire on 2031-04-26.
Verifying with Jarsigner
PS C:\Users\user\Desktop\demo> jarsigner -verify .\HelloWorld.jar
jar verified.