Thursday, July 28, 2011
Signing Java JAR Files
(Reference: http://www.coderanch.com/t/407490/java/java/why-jarsigner)
Signing a jar lets the recipient verify that it came from a trusted source. When you sign a jar with your private key, you place a mark in the jar file that nobody without that key could have produced.
The signature also covers a digest (checksum) of every entry that was in the jar at signing time, so if the jar is corrupted or modified in transit, verification fails. An entry added to the jar afterwards is not covered at all: it is simply unsigned, which is why jarsigner -verify reports unsigned entries separately rather than failing.
On the other side, your certificate (public key) is placed in the keystore of the system that trusts you, and that is what it uses to verify your signature. Since anyone can generate a key pair and self-sign a jar, a valid signature only proves that the jar is unchanged since the holder of that key signed it; the trust comes from the recipient choosing to import that certificate, not from the signature itself.
At the time of writing, I believe this is mainly used for applets. With signed jars, and the right security settings on the client browser, applets can access the disk, the network and other things they normally cannot.
Step 1 - Create Key
keytool -genkey -keystore <keystorefile> -alias <aliasname>

example:
C:\folder>keytool -genkey -keystore mykeystore -alias myalias
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  MyName
What is the name of your organizational unit?
  [Unknown]:  MyOrg
What is the name of your organization?
  [Unknown]:  MyOrg
What is the name of your City or Locality?
  [Unknown]:  MyCity
What is the name of your State or Province?
  [Unknown]:  MyProvince
What is the two-letter country code for this unit?
  [Unknown]:  my
Is CN=MyName, OU=MyOrg, O=MyOrg, L=MyCity, ST=MyProvince, C=my correct?
  [no]:  yes
Enter key password for <myalias>
        (RETURN if same as keystore password):
Re-enter new password:

Notes: -genkeypair is the current name of this command (-genkey is still accepted). Without -validity the certificate is valid for only 90 days, which is what produces the "will expire within six months" warnings in the later steps; pass something like -validity 365 for a key you intend to keep using. Also state the algorithm explicitly (-keyalg RSA -keysize 2048) rather than relying on the default, which in older JDKs is a 1024-bit DSA key.
Step 2 - Export Cert
keytool -export -keystore <keyStoreFile> -alias <aliasName> -file <certFile>

example:
C:\folder>keytool -export -keystore mykeystore -alias myalias -file mycert
Enter keystore password:

Notes: use -file rather than redirecting standard output; the certificate is written in binary DER form unless you add -rfc, which gives a Base64 (PEM) file that is easier to mail around. This exported file contains only the certificate, never the private key, and it is what the verifying side imports into its own keystore (keytool -importcert) so that its jarsigner -verify can recognise your signature.
Step 3 - Signing JAR
jarsigner -keystore <keyStoreFile> -storepass <password> <jarFile> <aliasName>

example:
C:\folder>jarsigner -keystore mykeystore -storepass password my.jar myalias

Warning:
The signer certificate will expire within six months.

Notes: jarsigner signs the jar in place, adding META-INF/<alias>.SF and the signature block (.RSA or .DSA) next to the manifest. Putting the keystore password on the command line leaves it in the shell history and visible to other users via the process list; leave out -storepass and jarsigner prompts for it instead. The expiry warning comes from the 90-day default validity of Step 1. If the jar has to stay verifiable after the certificate expires, sign with -tsa <url> so a timestamp authority records when the signature was made.
Step 4 - Verify
jarsigner -verify -verbose -certs <jarFile>

example:
C:\folder>jarsigner -verify -verbose -certs my.jar
...
sm       236 Sun Feb 06 21:57:00 SGT 2011 images/remove.png

      X.509, CN=MyName, OU=MyOrg, O=MyOrg, L=MyCity, ST=MyProvince, C=my
      [certificate will expire on 10/26/11 7:46 PM]
...

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

Warning:
This jar contains entries whose signer certificate will expire within six months.

Notes: every entry shows "sm" but not "k" because no -keystore was given to the verify command, so jarsigner only checked that the digests and the signature are internally consistent. "jar verified." therefore says nothing about who signed it; to check that the signer is someone you trust, run the verify with -keystore pointing at a keystore that holds the certificate exported in Step 2 and look for the "k" flag. Entries without the "s" and "m" flags were added after signing and have not been integrity-checked; jarsigner prints a separate warning about unsigned entries when it finds them.
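To show what the "checksum" described above and the "m" flag in the verify output actually mean, here is an added example, not code from the original post or from the JDK tools. It reimplements with the Python standard library the integrity layer of the JAR signature format: one Name/SHA-256-Digest section per entry in META-INF/MANIFEST.MF, checked against the entry contents on verification. It does not produce the .SF file or the RSA signature block, which need the private key and are the part keytool and jarsigner add on top. The jar contents and the "Backdoor" entry are constructed for the demonstration and assume nothing about a real project.

```python
"""Integrity layer of a signed JAR, reimplemented with the standard library.

jarsigner records a SHA-256 digest of every entry in META-INF/MANIFEST.MF and
then signs a digest of that manifest (the .SF and .RSA/.DSA files).  This
module builds such a manifest, verifies it, and shows what a modified or an
added entry looks like.  The .SF/.RSA signature itself is NOT produced here.
"""
import base64
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
# Signature-related files under META-INF/ are exempt from per-entry digests.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def entry_digest(data: bytes) -> str:
    """Base64 SHA-256 of an entry's raw bytes, as jarsigner records it."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def _wrap(line: str) -> list:
    """Manifest lines are at most 72 bytes; the rest continues on lines
    starting with a single space (example names are ASCII)."""
    raw = line.encode("utf-8")
    pieces, raw = [raw[:72]], raw[72:]
    while raw:
        pieces.append(b" " + raw[:71])
        raw = raw[71:]
    return pieces


def build_manifest(entries: dict) -> bytes:
    """Manifest with one 'Name:'/'SHA-256-Digest:' section per entry."""
    lines = [b"Manifest-Version: 1.0", b""]
    for name, data in entries.items():
        lines += _wrap(f"Name: {name}")
        lines += _wrap(f"SHA-256-Digest: {entry_digest(data)}") + [b""]
    return b"\r\n".join(lines)


def parse_manifest(raw: bytes) -> dict:
    """Return {entry name: recorded digest} from the per-entry sections."""
    digests, section, last_key = {}, {}, None
    for line in raw.splitlines() + [b""]:
        if line == b"":                      # blank line ends a section
            if b"Name" in section and b"SHA-256-Digest" in section:
                digests[section[b"Name"].decode("utf-8")] = \
                    section[b"SHA-256-Digest"].decode("ascii")
            section, last_key = {}, None
        elif line.startswith(b" ") and last_key is not None:
            section[last_key] += line[1:]    # continuation line
        else:
            key, _, value = line.partition(b": ")
            section[key] = value
            last_key = key
    return digests


def make_jar(entries: dict) -> bytes:
    """Pack entries into a jar whose manifest covers every one of them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, build_manifest(entries))
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def rewrite_jar(jar: bytes, changes: dict) -> bytes:
    """Copy a jar, replacing or adding entries but leaving the manifest alone.

    This is what tampering in transit (or a careless post-signing build step)
    does to a signed jar."""
    src = zipfile.ZipFile(io.BytesIO(jar))
    merged = {info.filename: src.read(info.filename) for info in src.infolist()}
    merged.update(changes)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in merged.items():
            zf.writestr(name, data)
    return buf.getvalue()


def verify_jar(jar: bytes) -> dict:
    """Check each entry against its manifest digest, as jarsigner -verify does.

    Returns sorted lists: 'ok' (digest matches, the 'm' flag), 'modified'
    (digest differs) and 'unsigned' (in the jar but not in the manifest)."""
    zf = zipfile.ZipFile(io.BytesIO(jar))
    recorded = parse_manifest(zf.read(MANIFEST))
    report = {"ok": [], "modified": [], "unsigned": []}
    for info in zf.infolist():
        name = info.filename
        if info.is_dir() or name == MANIFEST or (
                name.startswith("META-INF/")
                and name.upper().endswith(SIGNATURE_SUFFIXES)):
            continue
        if name not in recorded:
            report["unsigned"].append(name)
        elif entry_digest(zf.read(name)) == recorded[name]:
            report["ok"].append(name)
        else:
            report["modified"].append(name)
    return {k: sorted(v) for k, v in report.items()}


# Constructed sample jar contents; not taken from any real project.
SAMPLE_ENTRIES = {
    "com/example/Hello.class": b"\xca\xfe\xba\xbe" + b"\x00" * 12,
    "images/remove.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
}


def demo() -> dict:
    """Clean jar, jar with a patched class, jar with an added class."""
    jar = make_jar(SAMPLE_ENTRIES)
    patched = rewrite_jar(jar, {"com/example/Hello.class": b"\xca\xfe\xba\xbe" + b"\xff" * 12})
    extra = rewrite_jar(jar, {"com/example/Backdoor.class": b"\xca\xfe\xba\xbe"})
    return {"clean": verify_jar(jar), "patched": verify_jar(patched),
            "extra": verify_jar(extra)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The "extra" case is the one to remember: the added class does not break any recorded digest, so a checker that only compares digests says everything is fine, exactly as jarsigner still prints "jar verified." for it. Treat an "unsigned" list that is not empty as a failure in your own tooling.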