Code signing

Java Jarsigner

This document provides information about configuring {{futurex}} HSMs with Java Jarsigner by using PKCS #11 libraries. For additional questions related to your HSM, see the relevant administrator guide.

Application description

From the Oracle documentation website:

Java's jarsigner tool is used for two purposes:

- To sign Java Archive (JAR) files
- To verify the signatures and integrity of the signed JAR files

The JAR feature enables the packaging of class files, images, sounds, and other digital data in a single file for faster and easier distribution. A tool named jar enables developers to produce JAR files. (Technically, any ZIP file can also be considered a JAR file, although when created by the jar command or processed by the jarsigner command, JAR files also contain a META-INF/MANIFEST.MF file.)

A digital signature is a string of bits that is computed from some data (the data being signed) and the private key of an entity (a person, company, and so on). Similar to a handwritten signature, a digital signature has many useful characteristics:

- Its authenticity can be verified by a computation that uses the public key corresponding to the private key used to generate the signature.
- It cannot be forged, assuming the private key is kept secret.
- It is a function of the data signed and thus cannot be claimed to be the signature for other data as well.
- The signed data cannot be changed. If the data is changed, then the signature cannot be verified as authentic.

To generate an entity's signature for a file, the entity must first have a public/private key pair associated with it and one or more certificates that authenticate its public key. A certificate is a digitally signed statement from one entity that says that the public key of another entity has a particular value.

The jarsigner command uses key and certificate information from a keystore to generate digital signatures for JAR files. A keystore is a database of private keys and their associated X.509 certificate chains that authenticate the corresponding public keys. The keytool command is used to create and administer keystores.

The jarsigner command uses an entity's private key to generate a signature. The signed JAR file contains, among other things, a copy of the certificate from the keystore for the public key corresponding to the private key used to sign the file. The jarsigner command can verify the digital signature of the signed JAR file using the certificate inside it (in its signature block file).

The jarsigner command can generate signatures that include a time stamp that lets a system or deployer (including Java Plug-in) check whether the JAR file was signed while the signing certificate was still valid. In addition, APIs allow applications to obtain the timestamp information.

At this time, the jarsigner command can only sign JAR files created by the jar command or ZIP files. JAR files are the same as ZIP files, except they also have a META-INF/MANIFEST.MF file. A META-INF/MANIFEST.MF file is created when the jarsigner command signs a ZIP file.

The default jarsigner command behavior is to sign a JAR or ZIP file. Use the -verify option to verify a signed JAR file.

The jarsigner command also attempts to validate the signer's certificate after signing or verifying. If there is a validation error or any other problem, the command generates warning messages. If you specify the -strict option, then the command treats severe warnings as errors. See Errors and Warnings.

Guardian integration

The {{guard}} introduces mission-critical viability to core cryptographic infrastructure, including:

- Centralization of device management
- Elimination of points of failure
- Distribution of transaction loads
- Group-specific function blocking
- User-defined grouping systems

See the applicable guide in the {{futurex}} portal for configuring HSMs with the {{guard}}, including PKCS #11 and CNG configuration.
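
The JAR layout described under the application description (a ZIP file with META-INF/MANIFEST.MF plus signature files) can be inspected directly. The following is an added example, not code from Futurex or Oracle: it lists the signature files in a JAR and flags entries whose content no longer matches the manifest digest. It assumes SHA-256-Digest manifest attributes, uses a constructed in-memory sample with placeholder signature files, and does not validate the signature block or certificate chain, which jarsigner -verify does.

```python
import base64, hashlib, io, zipfile

MANIFEST = "META-INF/MANIFEST.MF"

def parse_manifest(text):
    """Return {entry name: attributes} for the per-entry manifest sections."""
    # Long manifest lines wrap; a continuation line starts with one space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs:
            entries[attrs.pop("Name")] = attrs
    return entries

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def inspect_jar(data):
    """List signature files and entries that fail their manifest digest."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = [n for n in jar.namelist() if not n.endswith("/")]
        report = {"manifest": MANIFEST in names, "sf": [], "blocks": [],
                  "mismatched": [], "unlisted": []}
        if not report["manifest"]:
            return report  # plain ZIP: never created by jar or signed
        entries = parse_manifest(jar.read(MANIFEST).decode("utf-8"))
        for n in names:
            if n.upper().startswith("META-INF/"):
                if n.upper().endswith(".SF"):
                    report["sf"].append(n)       # signature file
                elif n.upper().endswith((".RSA", ".DSA", ".EC")):
                    report["blocks"].append(n)   # signature block file
            elif n not in entries:
                report["unlisted"].append(n)     # not covered by a manifest digest
            elif entries[n].get("SHA-256-Digest") != b64_sha256(jar.read(n)):
                report["mismatched"].append(n)   # content changed after signing
        return report

def build_sample(payload, signed_payload):
    """Constructed sample: a JAR whose manifest digests `signed_payload`."""
    manifest = ("Manifest-Version: 1.0\r\n\r\nName: app/Hello.class\r\n"
                f"SHA-256-Digest: {b64_sha256(signed_payload)}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MANIFEST, manifest)
        jar.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n")
        jar.writestr("META-INF/SIGNER.RSA", b"placeholder, not a real signature")
        jar.writestr("app/Hello.class", payload)
    return buf.getvalue()
```

A non-empty mismatched or unlisted list means the archive was modified after the manifest was produced, which is the condition under which jarsigner -verify fails.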