
Using Signum with Jarsigner


Linux

This guide assumes the Signum Linux Agent, Windows Agent and Java have been installed and configured.

Configuration File

Create a configuration file, keyfactorpkcs11.cfg, with the following properties.

CODE
name = KeyfactorPKCS11
library = /usr/lib/libkeyfactorpkcs11.so
description = Keyfactor PKCS#11 interface for SmartCard

List the Key Objects

Use keytool to list the keys from the Keyfactor Signum PKCS11 provider.

CODE
keytool -list -storetype PKCS11 -storepass NONE -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/keyfactor/keyfactorpkcs11.cfg
CODE
Keystore type: PKCS11
Keystore provider: SunPKCS11-KeyfactorPKCS11

Your keystore contains 4 entries

170570A1D56FBB5A4CC780B69ACAEF94010D5DAA - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 1C:3B:0B:5E:B7:7F:29:29:87:4E:7D:BC:77:11:D9:7F:FF:06:0B:C3:F2:F9:DE:02:8E:72:C6:87:4E:CE:B2:94
3AB5BFB91DFBB46CF765D5BEE51429618C4857DD - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 97:58:8B:1B:C4:D5:19:3C:C6:5F:3F:4A:73:11:53:17:98:D4:A7:E9:FD:A3:3D:88:B0:9F:09:EB:77:D9:23:F0
DE0BB605AC697DF1A99A3C675BC03DF0B83F49D0 - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 88:A0:C7:2B:6B:F6:3B:61:4C:4D:49:AB:CD:2F:C7:6A:B2:4F:50:63:27:B1:74:15:87:34:72:54:69:54:F1:A4
F78AE7871FEF1D0CF3EFFB58E9CC85F261438D2B - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): B4:D6:B2:C1:B9:A0:4A:55:D4:7B:37:AD:C2:3F:D3:7A:B0:77:60:B5:B3:30:87:11:8A:F4:26:2F:D4:2F:B7:89

Signing

CODE
jarsigner -verbose -certs -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /home/user/keyfactorpkcs11.cfg -storepass NONE -tsa REPLACE-WITH-TSA-URL -signedjar HelloWorld-signed.jar HelloWorld-unsigned.jar "3AB5BFB91DFBB46CF765D5BEE51429618C4857DD - Certificate"
CODE
requesting a signature timestamp
TSA location: TSA-URL
 updating: META-INF/MANIFEST.MF
   adding: META-INF/3AB5BFB9.SF
   adding: META-INF/3AB5BFB9.RSA
  signing: com/example/helloworld/HelloWorld.class

>>> Signer
    X.509, CN=Signum-RSA-4096
    Signature algorithm: SHA256withRSA, 4096-bit key
    [certificate is valid from 4/24/24, 2:29 AM to 4/23/29, 2:29 AM]
>>> TSA
    X.509, CN=TSACert
    Signature algorithm: SHA256withRSA, 2048-bit key
    [certificate is valid from 4/25/24, 6:52 PM to 4/23/34, 6:52 PM]
    X.509, O=ejbca, OU=0975a4d7-e1d5-4c66-a9bb-908ce3af5113, CN=BenDemoRoot-G2
    Signature algorithm: SHA256withRSA, 4096-bit key
    [trusted certificate]

jar signed.

The signer certificate will expire on 2029-04-23.
The timestamp will expire on 2034-04-23.

Verification

CODE
jarsigner -verify -verbose HelloWorld.jar
CODE
s        183 Thu Oct 19 18:39:18 UTC 2023 META-INF/MANIFEST.MF
         336 Thu Oct 19 18:39:20 UTC 2023 META-INF/EB568664.SF
        4324 Thu Oct 19 18:39:20 UTC 2023 META-INF/EB568664.RSA
           0 Thu Oct 19 12:47:52 UTC 2023 META-INF/
           0 Thu Oct 19 12:47:52 UTC 2023 com/
           0 Thu Oct 19 12:47:52 UTC 2023 com/example/
           0 Thu Oct 19 12:47:52 UTC 2023 com/example/helloworld/
sm       581 Thu Oct 19 12:47:52 UTC 2023 com/example/helloworld/HelloWorld.class

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore

- Signed by "CN=Demo"
    Digest algorithm: SHA-256
    Signature algorithm: SHA384withRSA, 4096-bit key
  Timestamped by "CN=SignServer-TSA" on Thu Oct 19 18:39:20 UTC 2023
    Timestamp digest algorithm: SHA-256
    Timestamp signature algorithm: SHA256withRSA, 2048-bit key

jar verified.

The signer certificate will expire on 2027-10-04.
The timestamp will expire on 2031-04-26.


Windows using KSP

Make sure the Windows Agent has been installed and that a user is logged in with a policy granting access to a signing certificate. If you pass jarsigner's -certchain option, make sure the certificates are in the correct order: the leaf certificate first, then the intermediates, then the root.

Signing

Change the storetype to “Windows-MY-LOCALMACHINE” if you are using the agent in Server mode or targeting the LocalMachine certificate store. “Signum-RSA-4096” is the Windows friendly name of the certificate in Signum; it can be changed by editing the Certificate Alias in the Signum Administration Console.

CODE
jarsigner -verbose -certs -storetype Windows-MY -tsa REPLACE-WITH-TSA-URL -signedjar .\HelloWorld-signed.jar .\HelloWorld-unsigned.jar "Signum-RSA-4096"
CODE
requesting a signature timestamp
TSA location: TSA-URL
 updating: META-INF/MANIFEST.MF
   adding: META-INF/SIGNUM-R.SF
   adding: META-INF/SIGNUM-R.RSA
   adding: com/
   adding: com/example/
   adding: com/example/helloworld/
  signing: com/example/helloworld/HelloWorld.class

>>> Signer
    X.509, CN=Signum-RSA-4096
    Signature algorithm: SHA256withRSA, 4096-bit key
    [certificate is valid from 4/24/24, 2:29 AM to 4/23/29, 2:29 AM]
    X.509, O=benejbca, OU=0975a4d7-e1d5-4c66-a9bb-908ce3af5113, CN=DemoRoot-G2
    Signature algorithm: SHA256withRSA, 4096-bit key
    [trusted certificate]
>>> TSA
    X.509, CN=BenTSACert
    Signature algorithm: SHA256withRSA, 2048-bit key
    [certificate is valid from 4/25/24, 6:52 PM to 4/23/34, 6:52 PM]
    X.509, O=benejbca, OU=0975a4d7-e1d5-4c66-a9bb-908ce3af5113, CN=DemoRoot-G2
    Signature algorithm: SHA256withRSA, 4096-bit key
    [trusted certificate]

jar signed.

The signer certificate will expire on 2029-04-23.
The timestamp will expire on 2034-04-23.

Verification

CODE
jarsigner -verify -verbose .\HelloWorld-signed.jar
CODE

s        183 Thu Jun 27 20:44:30 UTC 2024 META-INF/MANIFEST.MF
         340 Thu Jun 27 20:44:30 UTC 2024 META-INF/SIGNUM-R.SF
        7365 Thu Jun 27 20:44:30 UTC 2024 META-INF/SIGNUM-R.RSA
           0 Thu Oct 19 12:47:52 UTC 2023 META-INF/
           0 Thu Oct 19 12:47:52 UTC 2023 com/
           0 Thu Oct 19 12:47:52 UTC 2023 com/example/
           0 Thu Oct 19 12:47:52 UTC 2023 com/example/helloworld/
sm       581 Thu Oct 19 12:47:52 UTC 2023 com/example/helloworld/HelloWorld.class

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore

- Signed by "CN=Signum-RSA-4096"
    Digest algorithm: SHA-256
    Signature algorithm: SHA384withRSA, 4096-bit key
  Timestamped by "CN=SignServer-TSA" on Thu Jun 27 20:44:31 UTC 2024
    Timestamp digest algorithm: SHA-256
    Timestamp signature algorithm: SHA256withRSA, 2048-bit key

jar verified.

The signer certificate will expire on 2029-04-23.
The timestamp will expire on 2034-04-23.

Windows using PKCS11

An alternative to using Microsoft's Cryptographic APIs is to use the Signum PKCS11 provider on Windows, which works in the same way as on Linux.

Configuration File

Create a configuration file, keyfactorpkcs11.cfg, with the following properties.

CODE
name = KeyfactorPKCS11
library = C:\Windows\System32\KeyfactorPkcs11.dll
description = Keyfactor PKCS#11 interface for SmartCard

List the Key Objects

Use Java’s keytool to list the keys from the Keyfactor Signum PKCS11 provider. If the configuration file is in a different directory, include its path in -providerArg.

CODE
keytool -list -storetype PKCS11 -storepass NONE -providerClass sun.security.pkcs11.SunPKCS11 -providerArg keyfactorpkcs11.cfg

This returns the key objects that are accessible to the logged-in user.

CODE
Keystore type: PKCS11
Keystore provider: SunPKCS11-KeyfactorPKCS11

Your keystore contains 4 entries

170570A1D56FBB5A4CC780B69ACAEF94010D5DAA - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 1C:3B:0B:5E:B7:7F:29:29:87:4E:7D:BC:77:11:D9:7F:FF:06:0B:C3:F2:F9:DE:02:8E:72:C6:87:4E:CE:B2:94
3AB5BFB91DFBB46CF765D5BEE51429618C4857DD - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 97:58:8B:1B:C4:D5:19:3C:C6:5F:3F:4A:73:11:53:17:98:D4:A7:E9:FD:A3:3D:88:B0:9F:09:EB:77:D9:23:F0
DE0BB605AC697DF1A99A3C675BC03DF0B83F49D0 - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 88:A0:C7:2B:6B:F6:3B:61:4C:4D:49:AB:CD:2F:C7:6A:B2:4F:50:63:27:B1:74:15:87:34:72:54:69:54:F1:A4
F78AE7871FEF1D0CF3EFFB58E9CC85F261438D2B - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): B4:D6:B2:C1:B9:A0:4A:55:D4:7B:37:AD:C2:3F:D3:7A:B0:77:60:B5:B3:30:87:11:8A:F4:26:2F:D4:2F:B7:89
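The keytool listing above (the same for the Linux and Windows PKCS11 sections) is where the alias that jarsigner needs comes from. The following POSIX shell script is an added example, not part of the Signum documentation or its tooling: it resolves that alias from a SHA-256 fingerprint pinned in the build configuration, so a build never signs with a different key when the token holds several. The listing embedded in it is constructed from the output shown above, and the pinned fingerprint is an assumption.

```shell
#!/bin/sh
# Added example (not from the Signum docs): derive the jarsigner alias from a
# pinned SHA-256 certificate fingerprint in `keytool -list` output, so a build
# fails closed instead of signing with whatever key happens to be on the token.
# Constructed sample modelled on the keytool listing shown above.
KEYTOOL_OUTPUT='Keystore type: PKCS11
Keystore provider: SunPKCS11-KeyfactorPKCS11

Your keystore contains 2 entries

170570A1D56FBB5A4CC780B69ACAEF94010D5DAA - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 1C:3B:0B:5E:B7:7F:29:29:87:4E:7D:BC:77:11:D9:7F:FF:06:0B:C3:F2:F9:DE:02:8E:72:C6:87:4E:CE:B2:94
3AB5BFB91DFBB46CF765D5BEE51429618C4857DD - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 97:58:8B:1B:C4:D5:19:3C:C6:5F:3F:4A:73:11:53:17:98:D4:A7:E9:FD:A3:3D:88:B0:9F:09:EB:77:D9:23:F0'

# alias_for_fingerprint LISTING FINGERPRINT
# Prints the alias (the "<id> - Certificate" string jarsigner expects) of the
# entry whose SHA-256 fingerprint matches, case-insensitively; exits 1 if none.
alias_for_fingerprint() {
  printf '%s\n' "$1" | awk -v want="$2" '
    { sub(/[ \t\r]+$/, "") }                       # tolerate CRLF / trailing blanks
    /, PrivateKeyEntry,$/ { alias = $0; sub(/, PrivateKeyEntry,$/, "", alias); next }
    /^Certificate fingerprint \(SHA-256\): / {
      if (alias != "" && toupper($NF) == toupper(want)) { print alias; found = 1; exit }
      alias = ""                                   # fingerprint belongs to the preceding entry only
    }
    END { exit found ? 0 : 1 }'
}

# Assumed pinned fingerprint of the release signing certificate.
PINNED='97:58:8B:1B:C4:D5:19:3C:C6:5F:3F:4A:73:11:53:17:98:D4:A7:E9:FD:A3:3D:88:B0:9F:09:EB:77:D9:23:F0'
# In a real build replace "$KEYTOOL_OUTPUT" with the live listing, e.g.
# "$(keytool -list -storetype PKCS11 -storepass NONE -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/keyfactor/keyfactorpkcs11.cfg)"
if ALIAS=$(alias_for_fingerprint "$KEYTOOL_OUTPUT" "$PINNED"); then
  echo "signing alias: $ALIAS"
  # jarsigner ... -storetype PKCS11 ... -signedjar HelloWorld-signed.jar HelloWorld.jar "$ALIAS"
else
  echo "pinned signing certificate is not present on the token; refusing to sign" >&2
fi
```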

Signing

CODE
jarsigner -verbose -certs -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg keyfactorpkcs11.cfg -storepass NONE -tsa REPLACE-WITH-TSA-URL -signedjar HelloWorld-signed.jar HelloWorld.jar "3AB5BFB91DFBB46CF765D5BEE51429618C4857DD - Certificate"
CODE
requesting a signature timestamp
TSA location: TSA-URL
 updating: META-INF/MANIFEST.MF
   adding: META-INF/3AB5BFB9.SF
   adding: META-INF/3AB5BFB9.RSA
  signing: com/example/helloworld/HelloWorld.class

>>> Signer
    X.509, CN=Signum-RSA-4096
    Signature algorithm: SHA256withRSA, 4096-bit key
    [certificate is valid from 4/24/24, 2:29 AM to 4/23/29, 2:29 AM]
>>> TSA
    X.509, CN=TSACert
    Signature algorithm: SHA256withRSA, 2048-bit key
    [certificate is valid from 4/25/24, 6:52 PM to 4/23/34, 6:52 PM]
    X.509, O=ejbca, OU=0975a4d7-e1d5-4c66-a9bb-908ce3af5113, CN=BenDemoRoot-G2
    Signature algorithm: SHA256withRSA, 4096-bit key
    [trusted certificate]

jar signed.

The signer certificate will expire on 2029-04-23.
The timestamp will expire on 2034-04-23.

Verification

CODE
jarsigner -verify -verbose .\HelloWorld-signed.jar
CODE
s        224 Fri Feb 21 20:11:48 UTC 2025 META-INF/MANIFEST.MF
         340 Fri Feb 21 20:11:48 UTC 2025 META-INF/3AB5BFB9.SF
        5914 Fri Feb 21 20:11:48 UTC 2025 META-INF/3AB5BFB9.RSA
           0 Wed Jul 10 12:56:00 UTC 2024 META-INF/
sm       581 Thu Nov 09 11:25:28 UTC 2023 com/example/helloworld/HelloWorld.class

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore

- Signed by "CN=Signum-RSA-4096"
    Digest algorithm: SHA-256
    Signature algorithm: SHA384withRSA, 4096-bit key
  Timestamped by "CN=TSACert" on Fri Feb 21 20:11:49 UTC 2025
    Timestamp digest algorithm: SHA-256
    Timestamp signature algorithm: SHA256withRSA, 2048-bit key

jar verified.

The signer certificate will expire on 2029-04-23.
The timestamp will expire on 2034-04-23.
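The verification output above has the same shape in all three Verification sections, and it is what a release pipeline should gate on rather than on the exit status alone. The following POSIX shell function is an added example, not Signum's own tooling: it parses that output and fails unless jarsigner reports "jar verified.", the signer DN is the expected one, the signature is timestamped, and every code entry carries both the s and m flags. The output embedded in it is constructed from the samples above; the expected signer DN is an assumption, and entry paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example (not from the Signum docs): a release gate over
# `jarsigner -verify -verbose` output. Entry lines follow the layout shown on
# this page: optional s/m/k flags, size, "EEE MMM dd HH:mm:ss zzz yyyy", path.
# Constructed sample modelled on the verification output shown above.
VERIFY_OUTPUT='
s        183 Thu Jun 27 20:44:30 UTC 2024 META-INF/MANIFEST.MF
         340 Thu Jun 27 20:44:30 UTC 2024 META-INF/SIGNUM-R.SF
        7365 Thu Jun 27 20:44:30 UTC 2024 META-INF/SIGNUM-R.RSA
           0 Thu Oct 19 12:47:52 UTC 2023 com/example/helloworld/
sm       581 Thu Oct 19 12:47:52 UTC 2023 com/example/helloworld/HelloWorld.class

- Signed by "CN=Signum-RSA-4096"
    Signature algorithm: SHA384withRSA, 4096-bit key
  Timestamped by "CN=SignServer-TSA" on Thu Jun 27 20:44:31 UTC 2024

jar verified.'

# check_verify_output OUTPUT EXPECTED_SIGNER_DN
# Exits 0 only when every check passes; otherwise lists the failures on stderr and exits 1.
check_verify_output() {
  printf '%s\n' "$1" | awk -v signer="$2" '
    /^jar verified\.$/    { verified = 1 }
    /^- Signed by "/      { if (index($0, "\"" signer "\"")) signer_ok = 1 }
    /^  Timestamped by "/ { stamped = 1 }
    /^[smk ]*[0-9]+ [A-Z][a-z][a-z] [A-Z][a-z][a-z] [ 0-9][0-9] [0-9][0-9]:[0-9][0-9]:[0-9][0-9] / {
      path = $NF
      if (path ~ /\/$/ || path ~ /^META-INF\//) next   # directories and the signature files themselves
      match($0, /^[smk ]*/); flags = substr($0, 1, RLENGTH)
      if (flags !~ /s/ || flags !~ /m/) bad = bad " " path
    }
    END {
      if (!verified)  { print "jarsigner did not report: jar verified." > "/dev/stderr"; rc = 1 }
      if (!signer_ok) { print "unexpected signer, wanted " signer > "/dev/stderr"; rc = 1 }
      if (!stamped)   { print "signature is not timestamped" > "/dev/stderr"; rc = 1 }
      if (bad != "")  { print "entries not fully verified:" bad > "/dev/stderr"; rc = 1 }
      exit rc + 0
    }'
}

# In a pipeline: check_verify_output "$(jarsigner -verify -verbose HelloWorld-signed.jar)" "CN=Signum-RSA-4096"
if check_verify_output "$VERIFY_OUTPUT" "CN=Signum-RSA-4096"; then
  echo "release gate: PASS"
else
  echo "release gate: FAIL" >&2
fi
```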