Set up jarsigner and keytool with PKCS11

Jarsigner is a command-line tool provided as part of the Java Development Kit (JDK). It is used to digitally sign Java Archive (JAR) files and other related artifacts.

Follow these instructions to sign directly using Jarsigner and securely reference your private key stored in Software Trust Manager. Alternatively, integrate Jarsigner with Signing Manager Controller (SMCTL) for simplified signing.

Prerequisites

What files can Jarsigner sign using the PKCS11 library?

  • .jar

  • .ear

  • .sar

  • .war

Common parameters for jarsigner and keytool

Parameters are case sensitive and must be passed with every request to jarsigner and keytool.

Table 1. Common parameters for jarsigner and keytool

Parameter        Value
-keystore        NONE
-storepass       NONE
-storetype       PKCS11
-providerClass   sun.security.pkcs11.SunPKCS11
-providerArg     pkcs11properties.cfg


jarsigner commands (PKCS11)

The examples use Java JDK 1.8, but we support JDK 1.6-1.11+.

Note

The parameters may vary depending on which JDK version is installed.

To list jarsigner parameters, run:

jarsigner

Sign

To sign, run:

jarsigner -keystore NONE -storepass NONE -storetype PKCS11 -sigalg SHA256withRSA -providerClass sun.security.pkcs11.SunPKCS11 -providerArg <path to pkcs11properties.cfg> -signedjar <path to signed file output> <unsigned file path> <keypair alias> -tsa http://timestamp.digicert.com

Sample command:

jarsigner -keystore NONE -storepass NONE -storetype PKCS11 -sigalg SHA256withRSA -providerClass sun.security.pkcs11.SunPKCS11 -providerArg pkcs11properties2.cfg -signedjar C:\Users\Name\Desktop\signed\signedjar.jar C:\Users\Name\Desktop\ToSign\jartosign.jar key3 -tsa "http://timestamp.digicert.com"

Verify signature

To verify if a file is signed, run:

jarsigner -verify "<path to signed jar file>" -certs -verbose

Note

To return more details, include -certs -verbose as optional parameters.

Sample command:

jarsigner -verify "C:\Users\Name\Desktop\Signed\example.jar"
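
The verify step above can be wrapped so that a build fails unless the JAR is both verified and timestamped. This is an added example, not part of the original page or of DigiCert's tooling. The function names and the matched English message strings (as printed by JDK 8 and later) are assumptions to confirm against the installed JDK.

```shell
#!/bin/sh
# Added example: fail-closed check of `jarsigner -verify` output.
# Function names and matched message strings are assumptions of this example.

# Map the text printed by `jarsigner -verify` to one status word.
classify_verify_output() {
    out=$1
    case $out in
        *"jar is unsigned"*)
            echo unsigned ;;
        *"jar verified."*)
            # A signature made without -tsa triggers a timestamp warning.
            case $out in
                *"not include a timestamp"*) echo verified-no-timestamp ;;
                *) echo verified ;;
            esac ;;
        *)
            # Digest errors, parse errors, or any unrecognized output.
            echo failed ;;
    esac
}

# Run the page's verify command; succeed only for a verified, timestamped JAR.
verify_signed_jar() {
    jar=$1
    # -J-Duser.language=en keeps the messages in English on localized systems.
    out=$(jarsigner -J-Duser.language=en -verify "$jar" -certs -verbose 2>&1) || true
    status=$(classify_verify_output "$out")
    echo "$jar: $status"
    [ "$status" = "verified" ]
}

# Constructed sample of verify output for a JAR that was signed without -tsa.
SAMPLE_NO_TSA='jar verified.

Warning:
This jar contains signatures that do not include a timestamp.'

# Usage: sh verify-jar.sh <path to signed jar file>
if [ "$#" -gt 0 ]; then
    verify_signed_jar "$1"
else
    classify_verify_output "$SAMPLE_NO_TSA"
fi
```

Run with a JAR path, the script exits non-zero for an unsigned, tampered, or untimestamped file, so it can gate a release step directly.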