Sign JAR Files with Jarsigner
Jarsigner is the JDK tool for signing and verifying .jar files. It can be integrated with Signum in any of the following ways:
Prerequisites
Signum Linux Agent or Windows Agent installed.
JDK or OpenJDK installed.
Linux using PKCS#11
Create Configuration File
Create a configuration file keyfactorpkcs11.cfg with the following properties:
name = KeyfactorPKCS11
library = /usr/lib/libkeyfactorpkcs11.so
description = Keyfactor PKCS#11 interface for SmartCard
List Key Objects
Use the keytool command to list the keys from the Keyfactor Signum PKCS11 provider:
keytool -list -storetype PKCS11 -storepass NONE -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/keyfactor/keyfactorpkcs11.cfg
Keystore type: PKCS11
Keystore provider: SunPKCS11-KeyfactorPKCS11
Your keystore contains 4 entries
170570A1D56FBB5A4CC780B69ACAEF94010D5DAA - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 1C:3B:0B:5E:B7:7F:29:29:87:4E:7D:BC:77:11:D9:7F:FF:06:0B:C3:F2:F9:DE:02:8E:72:C6:87:4E:CE:B2:94
3AB5BFB91DFBB46CF765D5BEE51429618C4857DD - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 97:58:8B:1B:C4:D5:19:3C:C6:5F:3F:4A:73:11:53:17:98:D4:A7:E9:FD:A3:3D:88:B0:9F:09:EB:77:D9:23:F0
DE0BB605AC697DF1A99A3C675BC03DF0B83F49D0 - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 88:A0:C7:2B:6B:F6:3B:61:4C:4D:49:AB:CD:2F:C7:6A:B2:4F:50:63:27:B1:74:15:87:34:72:54:69:54:F1:A4
F78AE7871FEF1D0CF3EFFB58E9CC85F261438D2B - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): B4:D6:B2:C1:B9:A0:4A:55:D4:7B:37:AD:C2:3F:D3:7A:B0:77:60:B5:B3:30:87:11:8A:F4:26:2F:D4:2F:B7:89
Sign
Use the following command with the certificate information from your keystore to sign the .jar file:
jarsigner -verbose -certs -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /home/user/keyfactorpkcs11.cfg -storepass NONE -tsa REPLACE-WITH-TSA-URL -signedjar HelloWorld-signed.jar HelloWorld-unsigned.jar "3AB5BFB91DFBB46CF765D5BEE51429618C4857DD - Certificate"
requesting a signature timestamp
TSA location: TSA-URL
updating: META-INF/MANIFEST.MF
adding: META-INF/3AB5BFB9.SF
adding: META-INF/3AB5BFB9.RSA
signing: com/example/helloworld/HelloWorld.class
>>> Signer
X.509, CN=Signum-RSA-4096
Signature algorithm: SHA256withRSA, 4096-bit key
[certificate is valid from 4/24/24, 2:29 AM to 4/23/29, 2:29 AM]
>>> TSA
X.509, CN=TSACert
Signature algorithm: SHA256withRSA, 2048-bit key
[certificate is valid from 4/25/24, 6:52 PM to 4/23/34, 6:52 PM]
X.509, O=ejbca, OU=0975a4d7-e1d5-4c66-a9bb-908ce3af5113, CN=BenDemoRoot-G2
Signature algorithm: SHA256withRSA, 4096-bit key
[trusted certificate]
jar signed.
The signer certificate will expire on 2029-04-23.
The timestamp will expire on 2034-04-23.
Verify
Use the following command to verify the signature:
jarsigner -verify -verbose HelloWorld.jar
s 183 Thu Oct 19 18:39:18 UTC 2023 META-INF/MANIFEST.MF
336 Thu Oct 19 18:39:20 UTC 2023 META-INF/EB568664.SF
4324 Thu Oct 19 18:39:20 UTC 2023 META-INF/EB568664.RSA
0 Thu Oct 19 12:47:52 UTC 2023 META-INF/
0 Thu Oct 19 12:47:52 UTC 2023 com/
0 Thu Oct 19 12:47:52 UTC 2023 com/example/
0 Thu Oct 19 12:47:52 UTC 2023 com/example/helloworld/
sm 581 Thu Oct 19 12:47:52 UTC 2023 com/example/helloworld/HelloWorld.class
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
- Signed by "CN=Demo"
Digest algorithm: SHA-256
Signature algorithm: SHA384withRSA, 4096-bit key
Timestamped by "CN=SignServer-TSA" on Thu Oct 19 18:39:20 UTC 2023
Timestamp digest algorithm: SHA-256
Timestamp signature algorithm: SHA256withRSA, 2048-bit key
jar verified.
The signer certificate will expire on 2027-10-04.
The timestamp will expire on 2031-04-26.
Windows Key Store Provider (KSP)
Make sure the Windows Agent has been installed and a user is logged in with a policy granting access to a signing certificate.
If you pass jarsigner's -certchain option, the certificates in the chain file must be in order: the leaf certificate first, then any intermediates, then the root.
Sign
Use the following command to sign the .jar file:
jarsigner -verbose -certs -storetype Windows-MY -tsa REPLACE-WITH-TSA-URL -signedjar .\HelloWorld-signed.jar .\HelloWorld-unsigned.jar "Signum-RSA-4096"
If you run the agent in Server mode or target the LocalMachine certificate store, change the storetype to Windows-MY-LOCALMACHINE. The Signum-RSA-4096 value is the Windows-friendly name of the certificate in Signum. The name can be changed by editing the Certificate Alias in the Signum Administration Console. See Certificate Operations.
The command returns:
requesting a signature timestamp
TSA location: TSA-URL
updating: META-INF/MANIFEST.MF
adding: META-INF/SIGNUM-R.SF
adding: META-INF/SIGNUM-R.RSA
adding: com/
adding: com/example/
adding: com/example/helloworld/
signing: com/example/helloworld/HelloWorld.class
>>> Signer
X.509, CN=Signum-RSA-4096
Signature algorithm: SHA256withRSA, 4096-bit key
[certificate is valid from 4/24/24, 2:29 AM to 4/23/29, 2:29 AM]
X.509, O=benejbca, OU=0975a4d7-e1d5-4c66-a9bb-908ce3af5113, CN=DemoRoot-G2
Signature algorithm: SHA256withRSA, 4096-bit key
[trusted certificate]
>>> TSA
X.509, CN=BenTSACert
Signature algorithm: SHA256withRSA, 2048-bit key
[certificate is valid from 4/25/24, 6:52 PM to 4/23/34, 6:52 PM]
X.509, O=benejbca, OU=0975a4d7-e1d5-4c66-a9bb-908ce3af5113, CN=DemoRoot-G2
Signature algorithm: SHA256withRSA, 4096-bit key
[trusted certificate]
jar signed.
The signer certificate will expire on 2029-04-23.
The timestamp will expire on 2034-04-23.
Verify
Use the following command to verify the signature:
jarsigner -verify -verbose .\HelloWorld-signed.jar
s 183 Thu Jun 27 20:44:30 UTC 2024 META-INF/MANIFEST.MF
340 Thu Jun 27 20:44:30 UTC 2024 META-INF/SIGNUM-R.SF
7365 Thu Jun 27 20:44:30 UTC 2024 META-INF/SIGNUM-R.RSA
0 Thu Oct 19 12:47:52 UTC 2023 META-INF/
0 Thu Oct 19 12:47:52 UTC 2023 com/
0 Thu Oct 19 12:47:52 UTC 2023 com/example/
0 Thu Oct 19 12:47:52 UTC 2023 com/example/helloworld/
sm 581 Thu Oct 19 12:47:52 UTC 2023 com/example/helloworld/HelloWorld.class
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
- Signed by "CN=Signum-RSA-4096"
Digest algorithm: SHA-256
Signature algorithm: SHA384withRSA, 4096-bit key
Timestamped by "CN=SignServer-TSA" on Thu Jun 27 20:44:31 UTC 2024
Timestamp digest algorithm: SHA-256
Timestamp signature algorithm: SHA256withRSA, 2048-bit key
jar verified.
The signer certificate will expire on 2029-04-23.
The timestamp will expire on 2034-04-23.
Windows using PKCS#11
As an alternative to Microsoft's cryptographic APIs, you can use the Signum PKCS11 provider on Windows; it works the same way as on Linux.
Create Configuration File
Create a configuration file keyfactorpkcs11.cfg with the following properties:
name = KeyfactorPKCS11
library = C:\Windows\System32\KeyfactorPkcs11.dll
description = Keyfactor PKCS#11 interface for SmartCard
List Key Objects
Use the Java keytool to list the keys from the Keyfactor Signum PKCS11 provider. If the configuration file is not in the current directory, pass its full path to -providerArg.
keytool -list -storetype PKCS11 -storepass NONE -providerClass sun.security.pkcs11.SunPKCS11 -providerArg keyfactorpkcs11.cfg
The command returns the key objects that are accessible to the logged-in user:
Keystore type: PKCS11
Keystore provider: SunPKCS11-KeyfactorPKCS11
Your keystore contains 4 entries
170570A1D56FBB5A4CC780B69ACAEF94010D5DAA - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 1C:3B:0B:5E:B7:7F:29:29:87:4E:7D:BC:77:11:D9:7F:FF:06:0B:C3:F2:F9:DE:02:8E:72:C6:87:4E:CE:B2:94
3AB5BFB91DFBB46CF765D5BEE51429618C4857DD - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 97:58:8B:1B:C4:D5:19:3C:C6:5F:3F:4A:73:11:53:17:98:D4:A7:E9:FD:A3:3D:88:B0:9F:09:EB:77:D9:23:F0
DE0BB605AC697DF1A99A3C675BC03DF0B83F49D0 - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 88:A0:C7:2B:6B:F6:3B:61:4C:4D:49:AB:CD:2F:C7:6A:B2:4F:50:63:27:B1:74:15:87:34:72:54:69:54:F1:A4
F78AE7871FEF1D0CF3EFFB58E9CC85F261438D2B - Certificate, PrivateKeyEntry,
Certificate fingerprint (SHA-256): B4:D6:B2:C1:B9:A0:4A:55:D4:7B:37:AD:C2:3F:D3:7A:B0:77:60:B5:B3:30:87:11:8A:F4:26:2F:D4:2F:B7:89
Sign
Use the following command with the certificate information from the keystore to sign the .jar file:
jarsigner -verbose -certs -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg keyfactorpkcs11.cfg -storepass NONE -tsa REPLACE-WITH-TSA-URL -signedjar HelloWorld-signed.jar HelloWorld.jar "3AB5BFB91DFBB46CF765D5BEE51429618C4857DD - Certificate"
requesting a signature timestamp
TSA location: TSA-URL
updating: META-INF/MANIFEST.MF
adding: META-INF/3AB5BFB9.SF
adding: META-INF/3AB5BFB9.RSA
signing: com/example/helloworld/HelloWorld.class
>>> Signer
X.509, CN=Signum-RSA-4096
Signature algorithm: SHA256withRSA, 4096-bit key
[certificate is valid from 4/24/24, 2:29 AM to 4/23/29, 2:29 AM]
>>> TSA
X.509, CN=TSACert
Signature algorithm: SHA256withRSA, 2048-bit key
[certificate is valid from 4/25/24, 6:52 PM to 4/23/34, 6:52 PM]
X.509, O=ejbca, OU=0975a4d7-e1d5-4c66-a9bb-908ce3af5113, CN=BenDemoRoot-G2
Signature algorithm: SHA256withRSA, 4096-bit key
[trusted certificate]
jar signed.
The signer certificate will expire on 2029-04-23.
The timestamp will expire on 2034-04-23.
Verify
Use the following command to verify the signature:
jarsigner -verify -verbose .\HelloWorld-signed.jar
s 224 Fri Feb 21 20:11:48 UTC 2025 META-INF/MANIFEST.MF
340 Fri Feb 21 20:11:48 UTC 2025 META-INF/3AB5BFB9.SF
5914 Fri Feb 21 20:11:48 UTC 2025 META-INF/3AB5BFB9.RSA
0 Wed Jul 10 12:56:00 UTC 2024 META-INF/
sm 581 Thu Nov 09 11:25:28 UTC 2023 com/example/helloworld/HelloWorld.class
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
- Signed by "CN=Signum-RSA-4096"
Digest algorithm: SHA-256
Signature algorithm: SHA384withRSA, 4096-bit key
Timestamped by "CN=TSACert" on Fri Feb 21 20:11:49 UTC 2025
Timestamp digest algorithm: SHA-256
Timestamp signature algorithm: SHA256withRSA, 2048-bit key
jar verified.
The signer certificate will expire on 2029-04-23.
The timestamp will expire on 2034-04-23.
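All three Verify steps on this page (Linux PKCS#11, Windows KSP and Windows PKCS#11) end with jarsigner -verify -verbose, and a release pipeline usually wants to gate on that result. jarsigner's exit code alone is not enough: an unsigned JAR prints "jar is unsigned." and still exits 0, and verification problems are reported as warnings after "jar verified." (jarsigner's -strict option turns those warnings into non-zero exit codes and is worth adding to the command as well). The shell script below is an added example, not part of the Signum documentation or of the jarsigner tool. It reads the output of jarsigner -verify -verbose -certs on stdin and fails unless the verdict is "jar verified.", the signer is the expected certificate, a timestamp is present, every file outside META-INF/ carries both the s and m flags, and no warning was printed. The sample output it parses is constructed from the Windows KSP verify output shown above, with the flag columns aligned as jarsigner prints them; the signer DN CN=Signum-RSA-4096 and the extra Extra.class entry in the tampered sample are assumed values used for the demonstration.

```shell
#!/bin/sh
# Added example; not part of the Signum documentation or of jarsigner itself.
# check_verify_output reads "jarsigner -verify -verbose -certs" output on stdin
# and returns 0 only when every check a release gate should insist on passes.
check_verify_output() {
    expected_signer="$1"   # assumed DN, e.g. "CN=Signum-RSA-4096"; take it from your own keystore
    out=$(cat)

    # 1. jarsigner's final verdict must be "jar verified." (an unsigned JAR says "jar is unsigned.")
    if ! printf '%s\n' "$out" | grep -q '^jar verified\.$'; then
        echo "FAIL: jarsigner did not report 'jar verified.'"; return 1
    fi
    # 2. the signer must be the expected certificate, not merely some valid signer
    if ! printf '%s\n' "$out" | grep -qF -- "Signed by \"$expected_signer\""; then
        echo "FAIL: JAR is not signed by $expected_signer"; return 1
    fi
    # 3. a timestamp must be present so the signature stays valid after the certificate expires
    if ! printf '%s\n' "$out" | grep -q 'Timestamped by '; then
        echo "FAIL: signature carries no timestamp"; return 1
    fi
    # 4. every file outside META-INF/ needs both "s" (signature verified) and "m" (in manifest);
    #    a file added to the JAR after signing is listed with neither flag
    unsigned=$(printf '%s\n' "$out" | awk '
        # entry lines look like: "<flags> <size> <Day Mon DD HH:MM:SS TZ YYYY> <name>"
        match($0, /[0-9]+ +(Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z][a-z] [0-9 ][0-9] [0-9:]+ [A-Za-z]+ [0-9]+ /) {
            flags = substr($0, 1, RSTART - 1)          # the column before the size holds the s/m/k flags
            name  = substr($0, RSTART + RLENGTH)
            if (name ~ /\/$/ || name ~ /^META-INF\//) next   # directories and signature files carry no m flag
            if (flags !~ /s/ || flags !~ /m/) print name
        }')
    if [ -n "$unsigned" ]; then
        echo "FAIL: entries without a verified signature:"; echo "$unsigned"; return 1
    fi
    # 5. untrusted chains, expired certificates and unsigned entries are reported as warnings
    if printf '%s\n' "$out" | grep -qi '^Warning'; then
        echo "FAIL: jarsigner printed warnings"; return 1
    fi
    echo "OK: JAR verified, signed by $expected_signer with a timestamp"
    return 0
}

# Constructed sample modelled on the verify output above, with jarsigner's column layout.
sample_good_output() {
    cat <<'EOF'
s        183 Thu Jun 27 20:44:30 UTC 2024 META-INF/MANIFEST.MF
         340 Thu Jun 27 20:44:30 UTC 2024 META-INF/SIGNUM-R.SF
        7365 Thu Jun 27 20:44:30 UTC 2024 META-INF/SIGNUM-R.RSA
           0 Thu Oct 19 12:47:52 UTC 2023 META-INF/
           0 Thu Oct 19 12:47:52 UTC 2023 com/example/helloworld/
sm       581 Thu Oct 19 12:47:52 UTC 2023 com/example/helloworld/HelloWorld.class

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore

- Signed by "CN=Signum-RSA-4096"
    Digest algorithm: SHA-256
    Signature algorithm: SHA384withRSA, 4096-bit key
  Timestamped by "CN=SignServer-TSA" on Thu Jun 27 20:44:31 UTC 2024
    Timestamp digest algorithm: SHA-256
    Timestamp signature algorithm: SHA256withRSA, 2048-bit key

jar verified.

The signer certificate will expire on 2029-04-23.
The timestamp will expire on 2034-04-23.
EOF
}

# Constructed sample of the same JAR after a class was added post-signing: the new entry
# has no s/m flags and jarsigner appends a warning. Line order does not matter to the checker.
sample_tampered_output() {
    sample_good_output
    echo '         412 Fri Feb 21 20:11:48 UTC 2025 com/example/helloworld/Extra.class'
    echo 'Warning:'
    echo 'This jar contains unsigned entries which have not been integrity-checked.'
}

# Usage against a real JAR (needs a JDK on PATH; use the DN of your own signing certificate):
#   jarsigner -verify -verbose -certs HelloWorld-signed.jar | check_verify_output "CN=Signum-RSA-4096"
# Offline demonstration on the constructed samples:
sample_good_output     | check_verify_output "CN=Signum-RSA-4096"
sample_tampered_output | check_verify_output "CN=Signum-RSA-4096" || echo "(tampered sample rejected, as intended)"
```

The entry parser keys on the date column rather than on a fixed flag width, so it tolerates the s, m and k flags appearing in any combination; META-INF/ entries are skipped because the manifest is signed but not listed in itself and the .SF/.RSA files are never flagged. Pair the script with -strict on the jarsigner command so that chain and expiry problems also surface in the exit code.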