Jarsigner command examples

3min
The Java jarsigner tool serves the following purposes:
Signs Java ARchive (JAR) files.
Verifies the signatures and integrity of signed JAR files.
The following sections provide examples of both purposes.
Sign a Java ARchive (JAR) file
Before signing a Java ARchive (JAR) file, ensure that the keys stored on the  needed for signing are accessible.
1
First, navigate to the $JAVA_HOME/bin directory:
Shell
cd $JAVA_HOME/bin
cd $JAVA_HOME/bin
﻿
2
Then, run the following keytool command to list all of the keys on the  that the configured identity has access to:
Shell
keytool -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -list
keytool -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -list
﻿
When prompted for the KeyStore password in this command, and the commands that follow, enter the  identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file.
The response should be similar to the following:
Shell
Keystore type: PKCS11
Keystore provider: SunPKCS11-Futurex

Your keystore contains 1 entry

Java Jarsigner:Code Signer:C, PrivateKeyEntry,
Certificate fingerprint (SHA-256): CE:D2:32:22:3F:44:C2:CF:03:26:77:A7:9C:91:49:87:E1:F4:7E:3A:A8:56:A8:92:7A:C6:2D:21:1F:80:4D:9B
Keystore type: PKCS11
Keystore provider: SunPKCS11-Futurex

Your keystore contains 1 entry

Java Jarsigner:Code Signer:C, PrivateKeyEntry,
Certificate fingerprint (SHA-256): CE:D2:32:22:3F:44:C2:CF:03:26:77:A7:9C:91:49:87:E1:F4:7E:3A:A8:56:A8:92:7A:C6:2D:21:1F:80:4D:9B
﻿
3
Now that you know the keys needed for code signing are accessible, run the following command to sign a JAR file using the -stored keys:
You must run the command from the same directory where the example.jar file is stored.
Shell
jarsigner -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -signedjar demo_signed.jar example.jar "Java Jarsigner:Code Signer:C"
jarsigner -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -signedjar demo_signed.jar example.jar "Java Jarsigner:Code Signer:C"
﻿
You must copy and paste the value specified in the last field of the preceding jarsigner command, Java Jarsigner:Code Signer:C, from the output you see in the list command in step 2.
If the signing succeeds, the response includes a confirmation message that says, jar signed.
Refer to the Oracle documentation to learn about other flags that you can use in the preceding jarsigner command, such as -tsa and -tsacert.
Verify the signature of a signed JAR file
Run the following command to verify the signature of the signed JAR file output from the previous jarsigner command, demo_signed.jar:
Shell
jarsigner -verify demo_signed.jar -verbose -certs
jarsigner -verify demo_signed.jar -verbose -certs
﻿
If the verification succeeds, the response includes a confirmation message that says, jar verified.
﻿
Assign the key pair to a certificate and apply an issuance policy
Jenkins Code Signing