Recipe 23.14 Signing Your JAR File


You want to digitally sign your JAR file.


Get or forge a digital certificate, and use the jarsigner program.


A JAR file can be digitally signed to verify the identity of its creator. This is very similar to digital signing of web sites: consumers are trained not to enter sensitive information such as credit card numbers into a web form unless the "padlock" icon shows that it is digitally signed. Signing JAR files uses the Security API in the core Java 2 platform. You can sign JAR files for use with Java applets (see Chapter 18) or JWS (Recipe 23.13). In either case, the jarsigner tool included in the JDK is used.

You can purchase a certificate from one of the commercial signing agencies when you are ready to go live. Meanwhile, for testing, you can " self-sign" a certificate. Here are the steps needed to sign a JAR file with a test certificate:

  1. Create a new key in a new "keystore" as follows:

    keytool -genkey -keystore myKeystore -alias myself 

    The alias myself is arbitrary; its intent is to remind you that it is a self-signed key so you don't put it into production by accident.

  2. The program prompts you in the terminal window for information about the new key. It asks for a password for protecting the keystore. Then it asks for your name, department, organization, city, state, country, and so on. This information goes into the new keystore file on disk.

  3. Create a self-signed test certificate:

    keytool -selfcert -alias myself -keystore myKeystore 

    You enter the keystore password and keytool generates the certificate.

  4. You may want to verify that the steps up to here worked correctly. You can list the contents of the keystore:

    keytool -list -keystore myKeystore 

    The output should look something like the following:

    Keystore type: jks Keystore provider: SUN Your keystore contains 1 entry: myself, Mon Dec 18 11:05:27 EST 2000, keyEntry, Certificate fingerprint (MD5): 56:9E:31:81:42:07:BF:FF:42:01:CB:42:51:42:96:B6

  5. You can now sign the JAR file with your test certificate:

    jarsigner -keystore myKeystore test.jar myself 

The jarsigner tool updates the META-INF directory of your JAR file to contain certificate information and digital signatures for each entry in the archive. This can take a while, depending on the speed of your CPU, the number of entries in the archive, and so on. The end result is a signed JAR file that is acceptable to applet-enabled browsers, Java Web Start, and any other mechanisms that require a signed JAR file.

See Also

For more information on signing and permissions, see Java Security by Scott Oaks (O'Reilly). For more information on the other JDK tools mentioned here, see the documentation that accompanies the JDK you are using.

Java Cookbook
Java Cookbook, Second Edition
ISBN: 0596007019
EAN: 2147483647
Year: 2003
Pages: 409
Authors: Ian F Darwin

Similar book on Amazon © 2008-2017.
If you may any questions please contact us: