> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Jarsigner command examples

> Practical examples of using jarsigner to sign and verify JAR files.

The Java **jarsigner** tool serves the following purposes:

* Signs **Java ARchive (JAR)** files.
* Verifies the signatures and integrity of signed JAR files.

The following sections provide examples of both purposes.

## Sign a JAR file

Before signing a JAR file, ensure that the keys stored on the CryptoHub needed for signing are accessible.

<Steps>
  <Step>
    First, go to the `$JAVA_HOME/bin` directory:

    ```shell expandable lines wrap title="Shell" theme={null}
    cd $JAVA_HOME/bin
    ```
  </Step>

  <Step>
    Then, run the following **keytool** command to list all of the keys on the CryptoHub that the configured identity has access to:

    ```shell expandable lines wrap title="Shell" theme={null}
    keytool -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -list
    ```

    <Note>
      When prompted for the KeyStore password in this command and the following commands, enter the CryptoHub identity password configured inside the `<CRYPTO-OPR-PASS>` tag in the `fxpkcs11.cfg` file.
    </Note>

    <Check>
      The response should be similar to the following:

      ```shell expandable lines wrap title="Shell" theme={null}
      Keystore type: PKCS11
      Keystore provider: SunPKCS11-Futurex

      Your keystore contains 1 entry

      Java Jarsigner:Code Signer:C, PrivateKeyEntry,
      Certificate fingerprint (SHA-256): CE:D2:32:22:3F:44:C2:CF:03:26:77:A7:9C:91:49:87:E1:F4:7E:3A:A8:56:A8:92:7A:C6:2D:21:1F:80:4D:9B
      ```
    </Check>
  </Step>

  <Step>
    Now that you know the keys needed for code signing are accessible, run the following command to sign a JAR file using the CryptoHub-stored keys:

    <Note>
      You must run the command from the same directory where you stored the `example.jar` file.
    </Note>

    ```shell expandable lines wrap title="Shell" theme={null}
    jarsigner -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -signedjar demo_signed.jar example.jar "Java Jarsigner:Code Signer:C"
    ```

    <Note>
      You must copy and paste the value specified in the last field of the preceding jarsigner command, Java Jarsigner:Code Signer:C, from the output you see in the list command in step 2.
    </Note>

    <Check>
      If the signing succeeds, the response includes a confirmation message that says, jar signed.
    </Check>

    Refer to the Oracle documentation to learn about flags that you can use in the preceding jarsigner command, such as **-tsa** and **-tsacert**.
  </Step>
</Steps>

## Verify the signature

Run the following command to verify the signature of the signed JAR file output from the previous **jarsigner** command, `demo_signed.jar`:

```shell expandable lines wrap title="Shell" theme={null}
jarsigner -verify demo_signed.jar -verbose -certs
```

<Check>
  If the verification succeeds, the response includes a confirmation message that says, jar verified.
</Check>
