jarsignerと keytool-PKCS11を設定する

Jarsigner is a command-line tool and JCE is a framework within the Java Development Kit (JDK). It is used to digitally sign Java Archive (JAR) files and other related artifacts.

ヒント

Signing with JCE is recommended over PKCS11 and KSP library options because it is:

Compatible with any operating system that supports Java (Windows, Linux, macOS, Solaris, and AIX)
Compatible with any Java architecture, including: 64-bit, 32-bit, and ARM processors.

Follow these instructions to sign directly using Jarsigner, JCE and securely reference your private key stored in Software Trust Manager.

Prerequisites

Download JCE library
Install JDK or OpenJDK (compatible with version 8 and higher)
注記
Testing for EdDSA signature generation requires Java version 15 or higher.
Configure your credentials
注記
Your API key and client authentication certificate password must be provided using one of the following methods:
- Session-based environment variables.
- Persistent environment variables.
Keypair alias
Unsigned jar file

What files can Jarsigner sign using the JCE library?

.jar
.ear
.sar
.war

jarsignerと keytool の共通パラメータ

パラメータは大文字と小文字を区別し、jarsignerと keytool への各リクエストで渡さなければなりません。

表 1. jarsignerと keytool の共通パラメータ

パラメータ	値
-keystore	none
-storepass	none
-storetype	PKCS11
-providerclass	com.digicert.jce.Provider

jarsignerコマンド (PKCS11)

例では Java JDK 1.8 を使用していますが、当社は JDK 1.6-1.11+ をサポートしています。ただし、インストールされている JDKのバージョンにより、パラメータが異なる場合があります。

注記

The parameters may vary depending on which JDK version is installed.

To list jarsigner parameters, run:

jarsigner

Sign

To sign, run:

例 1. Windows

Command:

jarsigner -J-Djava.class.path=<file_path>\digicert-jce-1.0.jar;<file_path>\bcprov-jdk18on-1.77.jar -keystore NONE -storetype DIGICERT -storepass changeit -providerClass com.digicert.jce.Provider -signedjar <signed_jar_file> -sigalg <signature_algorithm> -tsa http://timestamp.digicert.com <unsigned_jar_file> <keypair alias>

Command sample:

jarsigner -J-Djava.class.path=C:\Users\test\digicert-jce-1.0.jar;C:\Users\test\bcprov-jdk18on-1.77.jar -keystore NONE -storetype DIGICERT -storepass changeit -providerClass com.digicert.jce.Provider -signedjar C:\Users\test\signed.jar -sigalg SHA256withRSA -tsa http://timestamp.digicert.com C:\Users\test\unsigned.jar keypair2

例 2. Linux

Command:

jarsigner -J-Djava.class.path=<file_path>/digicert-jce-1.0.jar:<file_path>/bcprov-jdk18on-1.77.jar -keystore NONE -storetype DIGICERT -storepass changeit -providerClass com.digicert.jce.Provider -signedjar <signed_jar_file> -sigalg <signature_algorithm> -tsa http://timestamp.digicert.com <unsigned_jar_file> <keypair alias>

Command sample:

jarsigner -J-Djava.class.path=/home/test/digicert-jce-1.0.jar:/home/test/bcprov-jdk18on-1.77.jar -keystore NONE -storetype DIGICERT -storepass changeit -providerClass com.digicert.jce.Provider -signedjar /home/test/signed.jar -sigalg SHA256withRSA -tsa http://timestamp.digicert.com /home/test/unsigned.jar keypair2

例 3. macOS

Command:

jarsigner -J-Djava.class.path=<file_path>/digicert-jce-1.0.jar:<file_path>/bcprov-jdk18on-1.77.jar -keystore NONE -storetype DIGICERT -storepass changeit -providerClass com.digicert.jce.Provider -signedjar <signed_jar_file> -sigalg <signature_algorithm> -tsa http://timestamp.digicert.com <unsigned_jar_file> <keypair alias>

Command sample:

jarsigner -J-Djava.class.path=/home/test/digicert-jce-1.0.jar:/home/test/bcprov-jdk18on-1.77.jar -keystore NONE -storetype DIGICERT -storepass changeit -providerClass com.digicert.jce.Provider -signedjar /home/test/signed.jar -sigalg SHA256withRSA -tsa http://timestamp.digicert.com /home/test/unsigned.jar keypair2

Verify signature

To verify if a file is signed, run:

jarsigner -verify "<path to signed jar file>" -certs -verbose

注記

To return more details, include -certs -verbose as an optional parameters.

Sample command:

jarsigner -verify "C:\Users\Name\Desktop\Signed\example.jar"

このセクションの内容:

jarsignerと keytool-PKCS11を設定する

ヒント

Prerequisites

注記

注記

What files can Jarsigner sign using the JCE library?

jarsignerと keytool の共通パラメータ

jarsignerコマンド (PKCS11)

注記

Sign

Verify signature

注記

Related articles

検索結果