Code signing

Java Jarsigner

This document covers configuring the Futurex KMES Series 3 with Java Jarsigner by using PKCS #11 libraries. For additional questions about your KMES Series 3 device, see the relevant user guide.

About Java Jarsigner

From the Oracle documentation website:

The Java jarsigner tool serves two purposes:

  1. To sign Java ARchive (JAR) files.
  2. To verify the signatures and integrity of signed JAR files.

The JAR feature enables you to package class files, images, sounds, and other digital data in a single file for faster and easier distribution. The jar tool enables developers to produce JAR files. Technically, you can consider any zip file a JAR file, although when you create an archive with the jar command or process it with the jarsigner command, JAR files also contain a META-INF/MANIFEST.MF file.

A digital signature is a string of bits that is computed from some data (the data being signed) and the private key of an entity (a person, company, and so on). Similar to a handwritten signature, a digital signature has the following characteristics:

  • Its authenticity can be verified by a computation that uses the public key corresponding to the private key used to generate the signature.
  • It cannot be forged, assuming the private key is kept secret.
  • It is a function of the data signed and thus cannot be claimed to be the signature for other data as well.
  • The signed data cannot be changed. If the data is changed, then the signature cannot be verified as authentic.

To generate an entity's signature for a file, the entity must first have a public/private key pair associated with it and one or more certificates that authenticate its public key. A certificate is a digitally signed statement from one entity that says that the public key of another entity has a particular value.

jarsigner creates signatures by using the following methods:

  • Uses key and certificate information from a keystore to generate digital signatures for JAR files. A keystore is a database of private keys and their associated X.509 certificate chains that authenticate the corresponding public keys. You can use the keytool command to create and administer keystores.
  • Uses an entity's private key to generate a signature. The signed JAR file contains, among other things, a copy of the certificate from the keystore for the public key corresponding to the private key used to sign the file. The jarsigner command can then verify the digital signature of the signed JAR file by using the certificate inside it (in its signature block file).
  • Generates signatures that include a time stamp that enables a system or deployer (including Java Plug-in) to check whether the JAR file was signed while the signing certificate was still valid. In addition, APIs allow applications to obtain the timestamp information.

At this time, jarsigner can only sign zip files or JAR files created by the jar command. JAR files are the same as zip files, except they also have a META-INF/MANIFEST.MF file, created when the jarsigner command signs a zip file.

By default, jarsigner signs a JAR or zip file. Use the -verify option to verify a signed JAR file.

jarsigner also attempts to validate the signer's certificate after signing or verifying. If a validation error or any other problem occurs, the command generates warning messages. If you specify the -strict option, then the command treats severe warnings as errors. See Errors and Warnings.
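The signed-JAR layout described above (META-INF/MANIFEST.MF, a .SF signature file, and a signature block file) can be inspected directly. The following is an added example, not code from Oracle or Futurex: it lists the signature-related files in a JAR and recomputes each entry's SHA-256 digest against the manifest. It does not verify the cryptographic signature or certificate chain (jarsigner -verify does that). The sample JAR, the SIGNER.* file names and their placeholder contents are constructed for illustration.

```python
import base64, hashlib, io, zipfile

BLOCK_EXT = (".RSA", ".DSA", ".EC")  # signature block file extensions

def parse_manifest(text):
    """Return {entry name: base64 SHA-256 digest} from the per-entry sections."""
    # Manifest lines wrap at 72 bytes; a continuation line starts with one space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    digests = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs and "SHA-256-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA-256-Digest"]
    return digests

def sha256_b64(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def audit_jar(data):
    """List signature files and entries whose manifest digest is wrong or absent."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = [n for n in jar.namelist() if not n.endswith("/")]
        meta = [n for n in names if n.upper().startswith("META-INF/")]
        sf = [n for n in meta if n.upper().endswith(".SF")]
        blocks = [n for n in meta if n.upper().endswith(BLOCK_EXT)]
        digests = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        # Simplification: only the manifest, .SF and block files are skipped.
        skip = {"META-INF/MANIFEST.MF", *sf, *blocks}
        report = {"sf_files": sf, "block_files": blocks, "mismatched": [], "unlisted": []}
        for name in names:
            if name in skip:
                continue
            if name not in digests:
                report["unlisted"].append(name)      # added after signing, or unsigned
            elif digests[name] != sha256_b64(jar.read(name)):
                report["mismatched"].append(name)    # content changed after signing
    return report

def build_sample_jar(payload, listed_payload=None):
    """Constructed sample JAR; the manifest lists the digest of listed_payload."""
    digest = sha256_b64(listed_payload or payload)
    manifest = ("Manifest-Version: 1.0\r\n\r\n"
                f"Name: app/Main.class\r\nSHA-256-Digest: {digest}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/SIGNER.RSA", b"placeholder, not a real signature block")
        jar.writestr("app/Main.class", payload)
    return buf.getvalue()
```

A non-empty "mismatched" or "unlisted" list means the archive no longer matches what the manifest recorded, which is the condition under which jarsigner -verify rejects the JAR.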

Integration overview

This guide shows you how to perform the following tasks:

  1. Install Futurex PKCS #11.
  2. Set system environment variables for the Java and Futurex PKCS #11 libraries.
  3. Install the FXJCE files.
  4. Configure the KMES Series 3.
  5. Edit the Futurex PKCS #11 configuration file.
  6. Create a Java keystore.
  7. Use the jarsigner command.

The following sections show you how to perform these tasks.