Thursday, July 28, 2011

Signing Java JAR Files

From coderanch (http://www.coderanch.com/t/407490/java/java/why-jarsigner)

Signing a jar is basically used to verify a trusted source. When you sign a jar with your digital signature (based on your private key), you place a mark into the jar file that could not have been done by anyone but you.

The signature is also a checksum of the Jar file, so if the jar gets corrupted or modified in transit, the signature is invalid.

On the other side, your public key is placed into the keystore of the system that trusts you. This will be used to verify your signature.

Currently, I believe this is mainly used for applets. Using signed jar files, and setting security properties on client browsers, applets can have access to disk, network, and other stuff that they don't normally have access to.


Step 1 - Create Key
keytool -genkey -keystore <keystorefile> -alias <aliasname>
example
C:\folder>keytool -genkey -keystore mykeystore -alias myalias
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  MyName
What is the name of your organizational unit?
  [Unknown]:  MyOrg
What is the name of your organization?
  [Unknown]:  MyOrg
What is the name of your City or Locality?
  [Unknown]:  MyCity
What is the name of your State or Province?
  [Unknown]:  MyProvince
What is the two-letter country code for this unit?
  [Unknown]:  my
Is CN=MyName, OU=MyOrg, O=MyOrg, L=MyCity, ST=MyProvince, C=my correct?
  [no]:  yes

Enter key password for <myalias>
        (RETURN if same as keystore password):
Re-enter new password:

Step 2 - Export Cert
keytool -export -keystore <keyStoreFile> -alias <aliasName> > <certFile>
example
C:\folder>keytool -export -keystore mykeystore -alias myalias > mycert
Enter keystore password:  mypassword

Step 3 - Signing JAR
jarsigner -keystore <keyStoreFile> -storepass <password> <jarFile> <aliasName>
example
C:\folder>jarsigner -keystore mykeystore -storepass password my.jar myalias

Warning:
The signer certificate will expire within six months.

Step 4 - Verify
jarsigner -verify -verbose -certs <jarFile>
example
C:\folder>jarsigner -verify -verbose -certs my.jar
...
sm       236 Sun Feb 06 21:57:00 SGT 2011 images/remove.png

      X.509, CN=MyName, OU=MyOrg, O=MyOrg, L=MyCity, ST=MyProvince, C=my
      [certificate will expire on 10/26/11 7:46 PM]
...
  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

Warning:
This jar contains entries whose signer certificate will expire within six months.
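Added example, not code from the original post or the coderanch thread: a small Java program doing the consumer-side check the quoted text describes, that is, it opens the signed JAR with verification enabled, reads every entry so its digest and signature are checked, and then requires each signer certificate to be present in a truststore. It assumes the receiving side has already imported the exported certificate into a hypothetical truststore file (keytool -import -file mycert -keystore mytruststore); this is stricter than jarsigner -verify alone, which, as the transcript above shows, prints "jar verified." for a self-signed certificate it has never seen.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
public class JarTrustCheck {
    // True only if every file entry outside META-INF/ passed digest/signature
    // verification and its signer certificate is present in the truststore (a
    // hypothetical file the receiving side built with "keytool -import -file mycert").
    public static boolean isTrusted(String jarPath, String trustStorePath, char[] storePass) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(trustStorePath))) {
            ts.load(in, storePass);
        }
        // verify=true: JarFile checks manifest digests and the .SF/.RSA signature
        // as each entry is read; a tampered entry throws SecurityException.
        try (JarFile jar = new JarFile(jarPath, true)) {
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* read fully: signers are set only after EOF */ }
                } catch (SecurityException ex) {
                    System.out.println("TAMPERED: " + e.getName() + " (" + ex.getMessage() + ")");
                    return false;
                }
                CodeSigner[] signers = e.getCodeSigners();  // null means the entry is unsigned
                if (signers == null) { System.out.println("UNSIGNED: " + e.getName()); return false; }
                boolean trusted = false;
                for (CodeSigner s : signers) {
                    X509Certificate leaf = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    leaf.checkValidity();  // throws CertificateExpiredException once the warned-about date passes
                    if (ts.getCertificateAlias(leaf) != null) { trusted = true; break; }
                }
                if (!trusted) { System.out.println("UNTRUSTED SIGNER: " + e.getName()); return false; }
            }
        }
        return true;
    }
    public static void main(String[] args) throws Exception {  // usage: java JarTrustCheck my.jar mytruststore <password>
        System.out.println(isTrusted(args[0], args[1], args[2].toCharArray()) ? "trusted" : "NOT trusted");
    }
}
```

Note that an unsigned file added to an already signed JAR is silently skipped by the signature check, so the explicit "UNSIGNED" test above is what catches that case.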
