Sign Authenticode with jSign using PKCS11 library

jSign is a flexible code-signing tool that supports signing and timestamping for Windows executables, DLLs, Microsoft Installers (MSI), Cabinet files, Catalog files, Windows packages (APPX/MSIX), and scripts. jSign is a Java implementation of Microsoft Authenticode that is platform independent and provides an alternative to native tools like signcode and signtool on Windows or the Mono development tools on Unix systems.

Follow these instructions to sign directly using jSign and securely reference your private key stored in Software Trust Manager. Alternatively, integrate jSign with Signing Manager Controller (SMCTL) for simplified signing.

Prerequisites

Sign with jSign

The following command can be used to sign on Windows, Linux, or macOS.

Note

jSign uses the same pkcs11configuration.cfg file that is used by the p11tool.

To sign with jSign, use the command:

java -jar <path to jsign> --keystore pkcs11.cfg --storepass changeit --storetype PKCS11 --alias <keypair alias> <unsigned file>

Command sample:

java -jar jsign-5.0.jar --keystore pkcs11.cfg --storepass changeit --storetype PKCS11 --alias keypair1 example.exe

Alternative sign command (Linux only)

To sign with jSign on Linux, use the command:

jsign --keystore pkcs11properties.cfg --storepass NONE --storetype PKCS11 --alias <keypair alias> <unsigned file>

Command sample:

jsign --keystore ./conf/pkcs11properties.cfg --storepass NONE --storetype PKCS11 --alias keytool test.ps1
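The following wrapper is an added example, not DigiCert or jSign code. It runs two checks before the Linux command above: that the PKCS#11 library named in the configuration file exists and cannot be modified by other users, and that no option was pasted with a typographic dash instead of "--". It assumes the configuration file uses the SunPKCS11 "library" attribute; the JSIGN variable and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not DigiCert or jSign code): preflight checks around the jsign command.

# Print the "library" attribute of a SunPKCS11 configuration file, unquoted.
pkcs11_library() {
    sed -n 's/^[[:space:]]*library[[:space:]]*=[[:space:]]*//p' "$1" |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e 1q
}

# Return 0 when the config names a PKCS#11 library that exists and that only
# its owner can modify. The JVM loads that library into the signing process.
preflight() {
    [ -r "$1" ] || { echo "config not readable: $1" >&2; return 1; }
    _lib=$(pkcs11_library "$1")
    [ -n "$_lib" ] || { echo "no library attribute in $1" >&2; return 2; }
    [ -f "$_lib" ] || { echo "PKCS#11 library not found: $_lib" >&2; return 3; }
    case $(ls -ldL "$_lib") in
        ?????w*|????????w*) echo "group/world-writable: $_lib" >&2; return 4 ;;
    esac
}

# Reject arguments that start with an en or em dash, which rendered web pages
# and word processors substitute for "--" and which is not an option prefix.
check_dashes() {
    for _a in "$@"; do
        case $_a in
            –*|—*) echo "typographic dash in argument: $_a" >&2; return 1 ;;
        esac
    done
}

# usage: sign <pkcs11 config> <keypair alias> <unsigned file> [extra jsign options]
# JSIGN (hypothetical variable) overrides the jsign executable name.
sign() {
    preflight "$1" && check_dashes "$@" || return
    _cfg=$1 _alias=$2 _file=$3; shift 3
    "${JSIGN:-jsign}" --keystore "$_cfg" --storepass NONE --storetype PKCS11 \
        --alias "$_alias" "$@" "$_file"
}

if [ "$#" -ge 3 ]; then sign "$@"; fi
```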