Use the jarsigner command

2min

This section provides examples of how you use the jarsigner command to sign a JAR file and verify the signature of a signed JAR file.
Sign a Java ARchive (JAR) file
Before performing the following steps to sign a Java ARchive (JAR) file (example.jar, in this case), ensure that the keys stored on the  that you need for signing are accessible:
1
Run the following command to go to the $JAVA_HOME/bin directory:
Shell
cd $JAVA_HOME/bin
cd $JAVA_HOME/bin
﻿
2
Run the following keytool command to list all of the keys on the  that the configured identity has access to:
Shell
keytool -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -list
keytool -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -list
﻿
The response should be similar to the following:
Shell
Keystore type: PKCS11
Keystore provider: Futurex

Your keystore contains 2 entries

JarsignerDemo, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 1F:1F:44:11:C2:6C:35:93:B8:DF:D9:32:8A:39:2D:96:99:42:DA:DF:39:D5:F3:D0:93:EA:77:91:5A:ED:80:CE

JarsignerDemoCA, trustedCertEntry, 
Certificate fingerprint (SHA-256): 9F:B7:23:3C:20:5A:4B:59:C1:25:F9:11:76:21:EA:6E:4A:79:EF:1A:6C:17:45:A6:D8:37:1C:59:E2:6B:C3:02
Keystore type: PKCS11
Keystore provider: Futurex

Your keystore contains 2 entries

JarsignerDemo, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 1F:1F:44:11:C2:6C:35:93:B8:DF:D9:32:8A:39:2D:96:99:42:DA:DF:39:D5:F3:D0:93:EA:77:91:5A:ED:80:CE

JarsignerDemoCA, trustedCertEntry, 
Certificate fingerprint (SHA-256): 9F:B7:23:3C:20:5A:4B:59:C1:25:F9:11:76:21:EA:6E:4A:79:EF:1A:6C:17:45:A6:D8:37:1C:59:E2:6B:C3:02
﻿
3
Change directory to the same directory that contains the example.jar file.
4
After you confirm the keys needed for code signing are accessible and change to the directory with the example.jar file, run the following command to sign a JAR file by using the -stored keys:
Shell
jarsigner -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -signedjar demo_signed.jar example.jar JarsignerDemo
jarsigner -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex -signedjar demo_signed.jar example.jar JarsignerDemo
﻿
The last field in the preceding jarsigner command, JarsignerDemo, must match the alias you specified in the keytool -importcert command in the previous section.
Refer to the Oracle documentation about other jarsigner command flags such as -tsa and -tsacert.
If the signing succeeds, the response includes a confirmation message that says: jar signed.
Verify the signature of a signed JAR file
1
The jarsigner command in the previous section returned a signed JAR file, demo_ signed.jar. Now, run the following command to verify the signature of that file:
Shell
jarsigner -verify demo_signed.jar -verbose -certs
jarsigner -verify demo_signed.jar -verbose -certs
﻿
If the verification succeeds, the response includes a confirmation message: jar verified.
﻿

Updated 29 Aug 2024

Did this page help you?

Create Java keystore

Jenkins Code Signing