How to sign Java JAR files?

1. Once the certificate has been collected by your browser, export it together with its private key, selecting "Include all certificates in the certification path if possible" and "Export all extended properties". The exported file will be in .PFX or .P12 format. (Refer to the following articles for exporting the PFX/P12 file.)

Export Certificates (Windows)
Exporting Certificates (Mac)

2. Make sure the latest version of the JDK is installed.

3. Retrieve the alias name from your .PFX file:

keytool -list -v -storetype pkcs12 -keystore mycertificate.pfx

In the output, look for the alias name (in the listing it is usually the string up to the first comma, before the date). Copy this alias name; it is needed in the next step.

4. Sign the JAR using the following syntax:

jarsigner -storetype pkcs12 -keystore mycertificate.pfx -tsa <timestamp-url> -digestalg SHA-256 file.jar "aliasname"

Note: -tsa takes the URL of the RFC 3161 timestamp service as its argument; replace <timestamp-url> with the timestamp URL provided for your certificate, and "aliasname" with the alias copied in step 3. -digestalg can be any digest algorithm you choose, though SHA-1 and SHA-256 are common choices.

5. Verify that the JAR has been signed with the following syntax:

jarsigner -verify -verbose -certs YourJarName.jar

Note: Timestamping with jarsigner requires a timestamp service that complies with RFC 3161 (Time-Stamp Protocol), so pass that timestamp URL to jarsigner's -tsa option when signing.
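Steps 3 to 5 combined into one script, added here as an example and not taken from the article or the JDK: it picks the PrivateKeyEntry alias out of keytool's listing (exported PFX files often also carry the CA chain as trustedCertEntry items, which cannot sign), signs with the TSA URL you supply, and only reports success when jarsigner both verifies the JAR and finds a timestamp in it. The keystore path, JAR name and TSA URL are placeholders passed on the command line; the sample keytool output is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): wrap steps 3-5 in one script.
# keytool and jarsigner prompt for the keystore password when run.

# Read `keytool -list` output on stdin and print the alias of the first
# PrivateKeyEntry, ignoring trustedCertEntry items. Handles the verbose form
# ("Alias name: x" ... "Entry type: PrivateKeyEntry") and the short form
# ("x, Jan 1, 2024, PrivateKeyEntry,").
extract_alias() {
    awk '
        /^Alias name: /                      { alias = substr($0, 13) }
        /^Entry type: PrivateKeyEntry/       { print alias; exit }
        /PrivateKeyEntry/ && index($0, ",")  { sub(/,.*/, ""); print; exit }
    '
}

# Constructed sample of verbose keytool output, so the parser can be tried offline.
SAMPLE_KEYTOOL_OUTPUT='Alias name: ca-chain-1
Entry type: trustedCertEntry
Alias name: code-signing
Entry type: PrivateKeyEntry'

# Sign JAR $2 with the PrivateKeyEntry of PKCS#12 keystore $1, timestamped by TSA $3.
sign_jar() {
    alias=$(keytool -list -v -storetype pkcs12 -keystore "$1" | extract_alias)
    [ -n "$alias" ] || { echo "no PrivateKeyEntry found in $1" >&2; return 1; }
    jarsigner -storetype pkcs12 -keystore "$1" -tsa "$3" \
              -digestalg SHA-256 "$2" "$alias"
}

# Verify JAR $1 and fail unless it is both signed and timestamped. jarsigner
# exits 0 even for an unsigned JAR, so the "jar verified." line is checked
# explicitly; a missing TSA token shows up as its "include a timestamp" warning.
verify_jar() {
    out=$(jarsigner -verify -verbose -certs "$1") || return 1
    printf '%s\n' "$out" | grep -q '^jar verified\.' ||
        { echo "$1: signature did not verify" >&2; return 1; }
    if printf '%s\n' "$out" | grep -q 'include a timestamp'; then
        echo "$1: signed but NOT timestamped" >&2; return 2
    fi
    echo "$1: signature and timestamp OK"
}

# Usage: ./sign_and_verify.sh mycertificate.pfx file.jar <timestamp-url>
if [ "$#" -eq 3 ]; then
    sign_jar "$1" "$2" "$3" && verify_jar "$2"
fi
```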
