Sign Java files with Jarsigner using JCE library
Jarsigner is a command-line tool and JCE is a framework within the Java Development Kit (JDK). It is used to digitally sign Java Archive (JAR) files and other related artifacts.
Tip
Signing with JCE is recommended over PKCS11 and KSP library options because it is:
Compatible with any operating system that supports Java (Windows, Linux, macOS, Solaris, and AIX)
Compatible with any Java architecture, including: 64-bit, 32-bit, and ARM processors.
Follow these instructions to sign directly using Jarsigner, JCE and securely reference your private key stored in Software Trust Manager.
Prerequisites
Download JCE library
Install JDK or OpenJDK (compatible with version 8 and higher)
Note
Testing for EdDSA signature generation requires Java version 15 or higher.
Note
Your API key and client authentication certificate password must be provided using one of the following methods:
Session-based environment variables.
Persistent environment variables.
Unsigned jar file
What files can Jarsigner sign using the JCE library?
.jar
.ear
.sar
.war
Jarsigner parameters for JCE
Jarsigner parameters are case-sensitive and must be passed in each request.
Parameter | Value |
---|---|
-keystore | none |
-storepass | changeit |
-storetype | DIGICERT |
-providerclass | com.digicert.jce.Provider |
Jarsigner commands for JCE
The examples shown for the commands below use Java JDK 8, however DigiCert® Software Trust Manager supports JDK version 8 and higher.
Note
The parameters may vary depending on which JDK version is installed.
To list jarsigner parameters, run:
jarsigner
Sign
To sign, run:
Verify signature
To verify if a file is signed, run:
jarsigner -verify "<path to signed jar file>" -certs -verbose
Note
To return more details, include -certs -verbose
as an optional parameters.
Sample command:
jarsigner -verify "C:\Users\Name\Desktop\Signed\example.jar"