Sign Java files with Jarsigner using JCE library
Jarsigner is a command-line tool and JCE is a framework within the Java Development Kit (JDK). Jarsigner is used to digitally sign Java Archive (JAR) files and other related artifacts.
Signing with JCE is recommended over PKCS11 and KSP library options because it is:
Compatible with any operating system that supports Java (Windows, Linux, macOS, Solaris, and AIX)
Compatible with any Java architecture, including 64-bit, 32-bit, and ARM processors.
Follow these instructions to sign directly using Jarsigner and JCE while securely referencing your private key stored in DigiCert® KeyLocker.
Download JCE library
Install JDK or OpenJDK (compatible with version 8 and higher)
Testing for EdDSA signature generation requires Java version 15 or higher.
Your API key and client authentication certificate password must be provided using one of the following methods:
Session-based environment variables.
Persistent environment variables.
Unsigned jar file
What files can Jarsigner sign using the JCE library?
Jarsigner parameters for JCE
Jarsigner parameters are case-sensitive and must be passed in each request.
Parameter | Value |
-keystore | none |
-storepass | changeit |
-storetype | DIGICERT |
-providerclass | com.digicert.jce.Provider |
Jarsigner commands for JCE
The examples shown for the commands below use Java JDK 8; however, DigiCert® KeyLocker supports JDK version 8 and higher.
The parameters may vary depending on which JDK version is installed.
To list jarsigner parameters, run:
To sign, run:
Verify signature
To verify if a file is signed, run:
jarsigner -verify "<path to signed jar file>" -certs -verbose
To return more details, include -certs -verbose as optional parameters.
Sample command:
jarsigner -verify "C:\Users\Name\Desktop\Signed\example.jar"
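The verification step above can be turned into a build gate. This is an added example, not DigiCert's code: it reads the output of jarsigner -verify with -certs -verbose, requires a clean "jar verified." result, and checks that an expected certificate subject is listed. The function names, the subject value you pass in, and the matched output strings ("jar verified.", "jar is unsigned", "Warning:", "X.509, ") are assumptions about jarsigner's English output.

```shell
#!/bin/sh
# Added example, not DigiCert code. The strings matched below are assumptions
# about jarsigner's English output; all function names are hypothetical.

# Read `jarsigner -verify` output on stdin and print one of:
# verified | verified-with-warnings | unsigned | unknown
classify_verify_output() {
    out=$(cat)
    case "$out" in
        *"jar is unsigned"*) echo unsigned ;;
        *"jar verified."*)
            case "$out" in
                *"Warning:"*) echo verified-with-warnings ;;
                *) echo verified ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# Print the distinct certificate subjects that -certs -verbose lists
# as "X.509, <subject DN>" lines (read from stdin).
signer_subjects() {
    sed -n 's/^[[:space:]]*X\.509, //p' | sort -u
}

# $1 = file holding captured jarsigner output, $2 = expected subject DN.
# Succeeds only if the jar verified without warnings AND the subject is listed.
check_signed_by() {
    [ "$(classify_verify_output < "$1")" = verified ] || return 1
    signer_subjects < "$1" | grep -Fqx -- "$2"
}

# $1 = signed jar, $2 = expected subject DN. Judges the printed result as
# well as the exit status, and fails closed on anything unrecognized.
verify_jar() {
    tmp=$(mktemp) || return 1
    rc=1
    if LC_ALL=C jarsigner -verify "$1" -certs -verbose > "$tmp" 2>&1; then
        check_signed_by "$tmp" "$2" && rc=0
    fi
    rm -f "$tmp"
    return $rc
}
```

Call it as verify_jar "<path to signed jar file>" "<expected subject DN>" and fail the build on a nonzero return.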
Understanding error messages
Missing tools.jar in Java 8
If tools.jar is not added to the classpath in Java 8, then the following error displays:
Error: Could not find or load main class
Missing Bouncy Castle Library
For Java 8, if bcprov-jdk18on-1.77.jar is not included in the sign command, then the following error displays:
jarsigner error: java.lang.RuntimeException: Bouncycastle library is required in class path with this JAVA version to read PKCS#12 client certificate file.
For Java 9, if bcprov-jdk18on-1.77.jar is not included in the sign command, then the following error displays:
Provider "com.digicert.jce.Provider" not found
Invalid Credentials
For Java 8, if incorrect credentials are used, then the following error displays:
jarsigner error: java.lang.RuntimeException: Bouncycastle library is required in class path with this JAVA version to read PKCS#12 client certificate file.
For Java 9 and later, if incorrect credentials are used, then the following error displays:
Provider "com.digicert.jce.Provider" not found