Jarsigner command examples
As mentioned in the Document Information section at the beginning of the guide, Java's jarsigner tool is used for two purposes:
- To sign Java ARchive (JAR) files.
- To verify the signatures and integrity of signed JAR files.
Examples of both are provided in the subsections that follow.
Before attempting to sign a Java ARchive (JAR) file, it is good practice to confirm that the signing keys stored on the HSM are accessible to the configured identity.
First, navigate to the $JAVA_HOME/bin directory:
Then, run the following keytool command to list all of the keys on the HSM that the configured identity has access to:
The response should be similar to the following:
Now that we've confirmed the keys needed for code signing are accessible, run the following command to sign a JAR file using the HSM-stored keys.
The last field in the jarsigner command above, "JarsignerDemo", needs to match the alias that was specified in the keytool -importcert command in the previous section.
The command will prompt for the passphrase of the keystore. Type in the password that was specified for the "JarsignerDemo" keystore in the previous section.
If the signing is successful, the response will include the confirmation message "jar signed.".
Please refer to Oracle's documentation regarding other flags that can be used in the jarsigner command above, such as -tsa and -tsacert; adding a trusted timestamp lets the signature remain verifiable after the signing certificate expires.
The signed JAR file that was output from the jarsigner command in the previous subsection was called demo_signed.jar.
Now, run the following command to verify the signature of that file:
If the verification is successful, the response will include the confirmation message "jar verified.". Note that jarsigner can print "jar verified." and still append a warning block (for example about unsigned entries or an expired signer certificate), so check the full output rather than only that line.
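The following POSIX shell script is an added example, not a command from the guide or from Oracle's documentation. It covers both subsections above: it builds the sign and verify command lines for a key that lives on an HSM (PKCS#11 keystore, so -keystore NONE), and it checks the verify output more strictly than looking for "jar verified." alone. The SunPKCS11 configuration path in PKCS11_CFG is a hypothetical placeholder; the alias JarsignerDemo and the file name demo_signed.jar come from the guide. The two sample outputs are constructed to match the shape of jarsigner -verify -verbose output so the checker can be exercised without a JDK or an HSM; the real commands only run when the script is invoked with --run.

```shell
#!/bin/sh
# Added example (not part of the guide): build jarsigner sign/verify commands
# for an HSM-stored key and check the verify output for warnings.
# Hypothetical assumptions: a SunPKCS11 config file at $PKCS11_CFG, alias
# JarsignerDemo, input demo.jar, output demo_signed.jar.

PKCS11_CFG="${PKCS11_CFG:-/etc/pkcs11/hsm.cfg}"   # placeholder path
ALIAS="JarsignerDemo"

# Print the signing command. The key never leaves the HSM, so there is no
# keystore file: -keystore NONE -storetype PKCS11 plus the provider config.
sign_cmd() {
  # $1 = unsigned jar, $2 = signed output jar
  printf 'jarsigner -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg %s -signedjar %s %s %s\n' \
    "$PKCS11_CFG" "$2" "$1" "$ALIAS"
}

# Print the verify command. -verbose -certs lists every entry and the signer
# chain; -strict makes jarsigner exit non-zero when it would only warn.
verify_cmd() {
  printf 'jarsigner -verify -verbose -certs -strict %s\n' "$1"
}

# Return 0 only if the captured verify output contains "jar verified." and
# no warning block. Returns 1 if not verified, 2 if verified but warned.
verify_output_ok() {
  printf '%s\n' "$1" | grep -q '^jar verified\.' || return 1
  printf '%s\n' "$1" | grep -qi '^warning' && return 2
  return 0
}

# Constructed sample: a clean verify (shaped like jarsigner -verbose output).
CLEAN_OUTPUT='sm      312 Fri Jan 10 12:00:00 UTC 2025 com/example/Main.class

  s = signature was verified
  m = entry is listed in manifest

jar verified.'

# Constructed sample: verified, but with an unsigned entry warning appended.
WARNED_OUTPUT='sm      312 Fri Jan 10 12:00:00 UTC 2025 com/example/Main.class
         44 Fri Jan 10 12:00:00 UTC 2025 extra/unsigned.txt

  s = signature was verified
  m = entry is listed in manifest

jar verified.

Warning:
This jar contains unsigned entries which have not been integrity-checked.'

# Real invocation, only on request (needs a JDK, the HSM and its config).
if [ "${1:-}" = "--run" ]; then
  eval "$(sign_cmd demo.jar demo_signed.jar)"
  out="$(eval "$(verify_cmd demo_signed.jar)")" || true
  if verify_output_ok "$out"; then
    echo "demo_signed.jar: signed and verified with no warnings"
  else
    echo "demo_signed.jar: verification failed or produced warnings" >&2
    printf '%s\n' "$out" >&2
    exit 1
  fi
fi
```

Run it as `sh sign_verify.sh --run` on a host with the JDK and HSM configured; without --run it only defines the functions and samples, which is what the checker below relies on. Treat a non-zero return from verify_output_ok (or from jarsigner -strict itself) as a failed verification in any release pipeline.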