Sign Java files with Jarsigner using PKCS11 integration
Jarsigner is a command-line tool provided as part of the Java Development Kit (JDK). It is used to digitally sign Java Archive (JAR) files and other related artifacts.
Follow these instructions to sign directly using Jarsigner and securely reference your private key stored in Software Trust Manager. Alternatively, integrate Jarsigner with Signing Manager Controller (SMCTL) for simplified signing.
Prerequisites
Compatible with Windows, Linux, and macOS
Download and configure Software Trust Manager clients
Install JDK or OpenJDK (compatible with version 8-17)
Keypair alias
Unsigned jar file
What files can Jarsigner sign using the PKCS11 library?
.jar
.ear
.sar
.war
Jarsigner parameters for PKCS11
Jarsigner parameters are case-sensitive and must be passed in each request.
Parameter | Value |
|---|---|
-keystore | none |
-storepass | none |
-storetype | PKCS11 |
-providerclass | sun.security.pkcs11.sunPKCS11 |
-providerarg | Path to pkcs11properties.cfg |
Jarsigner commands for PKCS11
The examples shown for the commands below use Java JDK 8, however DigiCert® Software Trust Manager supports JDK versions 8-17.
Nota
The parameters may vary depending on which JDK version is installed.
To list jarsigner parameters, run:
jarsigner
Sign
To sign, run:
jarsigner -keystore NONE -storepass NONE -storetype PKCS11 -sigalg SHA256withRSA -providerClass sun.security.pkcs11.SunPKCS11 -providerArg <path to pkcs11properties.cfg> -signedjar<path to signed file output><unsigned file path> <keypair alias> -tsa http://timestamp.digicert.com
Sample command:
jarsigner -keystore NONE -storepass NONE -storetype PKCS11 -sigalg SHA256withRSA -providerClass sun.security.pkcs11.SunPKCS11 -providerArg pkcs11properties2.cfg -signedjar C:\\Users\\Name\\Desktop\\signed\\signedjar.jar C:\\Users\\Name\\Desktop\ToSign\\jartosign.jar key3 -tsa "http://timestamp.digicert.com"
Verify signature
To verify if a file is signed, run:
jarsigner -verify "<path to signed jar file>" -certs -verbose Nota
To return more details, include -certs -verbose as an optional parameters.
Sample command:
jarsigner -verify "C:\Users\Name\Desktop\Signed\example.jar"