Jarsigner command examples

The Java jarsigner tool serves the following purposes:

Signs Java ARchive (JAR) files.
Verifies the signatures and integrity of signed JAR files.

The following sections provide examples of both purposes.

Sign a JAR file

Before signing a JAR file, ensure that the keys stored on the CryptoHub needed for signing are accessible.

First, go to the $JAVA_HOME/bin directory:

Shell

cd $JAVA_HOME/bin

Then, run the following keytool command to list all of the keys on the CryptoHub that the configured identity has access to:

Shell

keytool -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -list

When prompted for the KeyStore password in this command and the following commands, enter the CryptoHub identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.

The response should be similar to the following:

Shell

Keystore type: PKCS11
Keystore provider: SunPKCS11-Futurex

Your keystore contains 1 entry

Java Jarsigner:Code Signer:C, PrivateKeyEntry,
Certificate fingerprint (SHA-256): CE:D2:32:22:3F:44:C2:CF:03:26:77:A7:9C:91:49:87:E1:F4:7E:3A:A8:56:A8:92:7A:C6:2D:21:1F:80:4D:9B

Now that you know the keys needed for code signing are accessible, run the following command to sign a JAR file using the CryptoHub-stored keys:

You must run the command from the same directory where you stored the example.jar file.

Shell

jarsigner -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -signedjar demo_signed.jar example.jar "Java Jarsigner:Code Signer:C"

You must copy and paste the value specified in the last field of the preceding jarsigner command, Java Jarsigner:Code Signer:C, from the output you see in the list command in step 2.

If the signing succeeds, the response includes a confirmation message that says, jar signed.

Refer to the Oracle documentation to learn about flags that you can use in the preceding jarsigner command, such as -tsa and -tsacert.

Verify the signature

Run the following command to verify the signature of the signed JAR file output from the previous jarsigner command, demo_signed.jar:

Shell

jarsigner -verify demo_signed.jar -verbose -certs

If the verification succeeds, the response includes a confirmation message that says, jar verified.

Assign the key pair to a certificate and apply an issuance policy

Jenkins Code Signing

⌘I

Service guides

Certificate Authority

Certificate management

Certificate validation

Cloud key management

Code signing

Credential management

Data protection

Data storage

Database

Digital signing

DNS

Endpoint management

Firewall

Generic

IT automation and orchestration

Key management

Privileged access management

Secrets management

SSH

TLS offloading

Virtualization

VPN

Sign a JAR file

Verify the signature

Service guides

Certificate Authority

Certificate management

Certificate validation

Cloud key management

Code signing

Credential management

Data protection

Data storage

Database

Digital signing

DNS

Endpoint management

Firewall

Generic

IT automation and orchestration

Key management

Privileged access management

Secrets management

SSH

TLS offloading

Virtualization

VPN

Documentation Index

​Sign a JAR file

​Verify the signature

Sign a JAR file

Verify the signature