> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Jarsigner command examples

> Practical examples of using the jarsigner tool to sign JAR files with keys stored on the HSM.

The Java **jarsigner** tool serves the following purposes:

* Signs Java ARchive (JAR) files.
* Verifies the signatures and integrity of signed JAR files.

The following sections provide examples of each function:

## Sign a Java Archive file

Perform the following steps to ensure that the keys stored on the HSM (that you need for signing) are accessible and sign a JAR file:

<Steps>
  <Step>
    Go to the `$JAVA_HOME/bin` directory:

    ```shell expandable lines wrap title="Shell" theme={null}
    cd $JAVA_HOME/bin
    ```
  </Step>

  <Step>
    Run the following **keytool** command to list all of the keys on the HSM that the configured identity can access:

    ```shell expandable lines wrap title="Shell" theme={null}
    keytool -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -list
    ```

    <Check>
      The response should be similar to the following example:

      ```shell expandable lines wrap title="Shell" theme={null}
      Keystore type: PKCS11
      Keystore provider: Futurex

      Your keystore contains 2 entries

      JarsignerDemo, PrivateKeyEntry, 
      Certificate fingerprint (SHA-256): 1F:1F:44:11:C2:6C:35:93:B8:DF:D9:32:8A:39:2D:96:99:42:DA:DF:39:D5:F3:D0:93:EA:77:91:5A:ED:80:CE

      JarsignerDemoCA, trustedCertEntry, 
      Certificate fingerprint (SHA-256): 9F:B7:23:3C:20:5A:4B:59:C1:25:F9:11:76:21:EA:6E:4A:79:EF:1A:6C:17:45:A6:D8:37:1C:59:E2:6B:C3:02
      ```
    </Check>
  </Step>

  <Step>
    Now that you've confirmed the keys needed for code signing are accessible, run the following command to sign a JAR file by using the HSM-stored keys:

    <Note>
      The last field in thefollowing command, JarsignerDemo, must match the alias you specified in the keytool -importcert command in the previous section.
    </Note>

    ```shell expandable lines wrap title="Shell" theme={null}
    jarsigner -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -signedjar demo_signed.jar example.jar JarsignerDemo
    ```
  </Step>

  <Step>
    When prompted for the passphrase of the KeyStore, enter the password you specified for the **JarsignerDemo** KeyStore in the previous section.

    <Check>
      If the signing succeeds, the response includes a confirmation message that says: jar signed.
    </Check>

    <Note>
      Refer to the Oracle documentation about other flags you can use in the preceding jarsigner command, such as -tsa and -tsacert.
    </Note>
  </Step>
</Steps>

### Verify the signature of a signed JAR file

The **jarsigner** command in the previous section returned a signed JAR file called `demo_signed.jar`. To verify the signature, perform the following task:

<Steps>
  <Step>
    Run the following command to verify the signature of that file:

    ```shell expandable lines wrap title="Shell" theme={null}
    jarsigner -verify demo_signed.jar -verbose -certs
    ```

    <Check>
      If the verification succeeds, the response includes a confirmation message saying jar verified.
    </Check>
  </Step>
</Steps>
