Jarsigner command examples

3min

The Java jarsigner tool serves the following purposes:
Signs Java ARchive (JAR) files.
Verifies the signatures and integrity of signed JAR files.
The following sections provide examples of each function:
Sign a Java Archive file
Perform the following steps to ensure that the keys stored on the HSM (that you need for signing) are accessible and sign a Java ARchive (JAR) file:
1
Go to the $JAVA_HOME/bin directory:
Shell
cd $JAVA_HOME/bin
cd $JAVA_HOME/bin
﻿
2
Run the following keytool command to list all of the keys on the HSM that the configured identity can access:
Shell
keytool -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -list
keytool -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -list
﻿
The response should be similar to the following example:
Shell
Keystore type: PKCS11
Keystore provider: Futurex

Your keystore contains 2 entries

JarsignerDemo, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 1F:1F:44:11:C2:6C:35:93:B8:DF:D9:32:8A:39:2D:96:99:42:DA:DF:39:D5:F3:D0:93:EA:77:91:5A:ED:80:CE

JarsignerDemoCA, trustedCertEntry, 
Certificate fingerprint (SHA-256): 9F:B7:23:3C:20:5A:4B:59:C1:25:F9:11:76:21:EA:6E:4A:79:EF:1A:6C:17:45:A6:D8:37:1C:59:E2:6B:C3:02
Keystore type: PKCS11
Keystore provider: Futurex

Your keystore contains 2 entries

JarsignerDemo, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 1F:1F:44:11:C2:6C:35:93:B8:DF:D9:32:8A:39:2D:96:99:42:DA:DF:39:D5:F3:D0:93:EA:77:91:5A:ED:80:CE

JarsignerDemoCA, trustedCertEntry, 
Certificate fingerprint (SHA-256): 9F:B7:23:3C:20:5A:4B:59:C1:25:F9:11:76:21:EA:6E:4A:79:EF:1A:6C:17:45:A6:D8:37:1C:59:E2:6B:C3:02
﻿
3
Now that you've confirmed the keys needed for code signing are accessible, run the following command to sign a JAR file by using the HSM-stored keys:
The last field in thefollowing command, JarsignerDemo, must match the alias you specified in the keytool -importcert command in the previous section.
Shell
jarsigner -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -signedjar demo_signed.jar example.jar JarsignerDemo
jarsigner -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -signedjar demo_signed.jar example.jar JarsignerDemo
﻿
4
When prompted for the passphrase of the KeyStore, enter the password you specified for the JarsignerDemo KeyStore in the previous section.
If the signing succeeded, the response includes a confirmation message that says: jar signed.
Refer to the Oracle documentation about other flags you can use in the preceding jarsigner command, such as -tsa and -tsacert.
Verify the signature of a signed JAR file
The jarsigner command in the previous section returned a signed JAR file called demo_signed.jar. To verify the signature, perform the following task:
1
Run the following command to verify the signature of that file:
Shell
jarsigner -verify demo_signed.jar -verbose -certs
jarsigner -verify demo_signed.jar -verbose -certs
﻿
If the verification succeeded, the response includes a confirmation message saying jar verified.
﻿
﻿

Updated 29 Aug 2024

Did this page help you?

Create Java KeyStore

Microsoft SignTool