Jarsigner command examples

The Java jarsigner tool serves the following purposes:

Signs Java ARchive (JAR) files.
Verifies the signatures and integrity of signed JAR files.

The following sections provide examples of each function:

Sign a Java Archive file

Perform the following steps to ensure that the keys stored on the HSM (that you need for signing) are accessible and sign a JAR file:

Go to the $JAVA_HOME/bin directory:

Shell

cd $JAVA_HOME/bin

Run the following keytool command to list all of the keys on the HSM that the configured identity can access:

Shell

keytool -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -list

The response should be similar to the following example:

Shell

Keystore type: PKCS11
Keystore provider: Futurex

Your keystore contains 2 entries

JarsignerDemo, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 1F:1F:44:11:C2:6C:35:93:B8:DF:D9:32:8A:39:2D:96:99:42:DA:DF:39:D5:F3:D0:93:EA:77:91:5A:ED:80:CE

JarsignerDemoCA, trustedCertEntry, 
Certificate fingerprint (SHA-256): 9F:B7:23:3C:20:5A:4B:59:C1:25:F9:11:76:21:EA:6E:4A:79:EF:1A:6C:17:45:A6:D8:37:1C:59:E2:6B:C3:02

Now that you’ve confirmed the keys needed for code signing are accessible, run the following command to sign a JAR file by using the HSM-stored keys:

The last field in thefollowing command, JarsignerDemo, must match the alias you specified in the keytool -importcert command in the previous section.

Shell

jarsigner -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -signedjar demo_signed.jar example.jar JarsignerDemo

When prompted for the passphrase of the KeyStore, enter the password you specified for the JarsignerDemo KeyStore in the previous section.

If the signing succeeds, the response includes a confirmation message that says: jar signed.

Refer to the Oracle documentation about other flags you can use in the preceding jarsigner command, such as -tsa and -tsacert.

Verify the signature of a signed JAR file

The jarsigner command in the previous section returned a signed JAR file called demo_signed.jar. To verify the signature, perform the following task:

Run the following command to verify the signature of that file:

Shell

jarsigner -verify demo_signed.jar -verbose -certs

If the verification succeeds, the response includes a confirmation message saying jar verified.

Create Java KeyStore

Microsoft SignTool

⌘I

Certificate Authority

Certificate management

Certificate validation

Code signing

Credential management

Data protection

Database

Digital signing

DNS

Firewall

Generic

IT automation and orchestration

Key management

Privileged access management

Secrets management

TLS offloading

VPN

Sign a Java Archive file

Verify the signature of a signed JAR file

Certificate Authority

Certificate management

Certificate validation

Code signing

Credential management

Data protection

Database

Digital signing

DNS

Firewall

Generic

IT automation and orchestration

Key management

Privileged access management

Secrets management

TLS offloading

VPN

Documentation Index

​Sign a Java Archive file

​Verify the signature of a signed JAR file

Sign a Java Archive file

Verify the signature of a signed JAR file