Skip to main content

Sign Java files with Jarsigner using Java code and PKCS11 integration

Jarsigner is a command-line tool provided as part of the Java Development Kit (JDK). It is used to digitally sign Java Archive (JAR) files and other related artifacts.

Follow these instructions to sign using Java code and securely reference your private key stored in Software Trust Manager. Alternatively, integrate Jarsigner with Signing Manager Controller (SMCTL) for simplified signing.

Prerequisites

Create keypairs and certificates with Java code

Create test keypair and certificate

To use Java setup, generate an RSA test keypair with certificate:

  1. Copy and paste the following in an integrated development environment (IDE) or plain text editor:

    smctl keypair generate rsa <Keypair Name> --cert-alias=<Certificate Name> --cert-profile-id=<Certificate Profile ID> --generate-cert=true --key-type=TEST

    Input the following values:

    1. Unique keypair alias

    2. Unique certificate alias

    3. Certificate profile ID

  2. Save the file as a .bat file.

Note

  • The keypair name and certificate name are must be unique inputs, meaning that they cannot exist on the portal already.

  • When you retrieve your certificate profile ID, ensure that the profile category is Test.

Create production keypair with certificate

To use Java setup, generate an RSA production keypair with certificate:

  1. Copy and paste the following in an integrated development environment (IDE) or plain text editor:

    smctl keypair generate rsa <Keypair Name> --cert-alias=<Certificate Name> --cert-profile-id=<Certificate Profile ID> --generate-cert=true --key-type=PRODUCTION

    Input the following values:

    1. Unique keypair name

    2. Unique certificate name

    3. Certificate profile ID

  2. Save the file as a .bat file.

  3. Run:

    import java.io.IOException; public class SmctlGenerateProductionKeypairCert{ public static void main(String[] args) { { try { String[] command = { "cmd.exe", "/C", "Start", "C:\\smtools\\smtcl_gen_prodcert.bat" }; Process p = Runtime.getRuntime().exec(command); } catch (IOException ex) { } } } }

Note

  • The keypair name and certificate name are must be unique inputs, meaning that they cannot exist on the portal already.

  • When you retrieve your certificate profile ID, ensure that the profile category is Production.

Create certificate from existing keypair

To use Java setup to generate a certificate with an existing keypair:

  1. Copy and paste the following in an integrated development environment (IDE) or plain text editor:

    smctl keypair generate-cert <keypair ID> --cert-alias=<Certificate Name> --cert-profile-id=<Certificate Profile ID> --set-as-default-cert=true

    Input the following values:

    1. Keypair alias

    2. Unique certificate alias

    3. Certificate profile ID

  2. Save the file as a .bat file.

  3. Run:

    import java.io.IOException; public class GenerateCertForKeypair { public static void main(String[] args) { { try { String[] command = { "cmd.exe", "/C", "Start", "C:\\smtools\\smtcl_gen_cert_for_keypair.bat" }; Process p = Runtime.getRuntime().exec(command); } catch (IOException ex) { } } } }

Sign

To sign with Java code:

  1. Copy and paste the following in an integrated development environment (IDE) or plain text editor:

    jarsigner -keystore NONE -storepass NONE -storetype PKCS11 -sigalg <sigalg> -providerClass sun.security.pkcs11.SunPKCS11 -providerArg <path of config file> -signedjar <path of signed jar> <keypair alias> -tsa http://timestamp.digicert.com

    Input the following values:

    1. Keypair alias

    2. Alias of the certificate that will be used to sign

    3. Path to PKCS11 configuration file

    4. Path to the .jar file that needs to be signed

    5. Path where the signed .jar file needs to be saved after it has been signed

  2. Save the file as a .bat file.

  3. Run:

    import java.io.IOException; public class Pkcs11Sign { public static void main(String[] args) { { try { String[] command = { "cmd.exe", "/C", "Start", "C:\\smtools\\sign.bat" }; Process p = Runtime.getRuntime().exec(command); } catch (IOException ex) { } } } }

Verify signature

  1. Copy and paste the following in an integrated development environment (IDE) or plain text editor:

    jarsigner -verify <path of signed file>

    Input the path to the signed jar that needs to be verified.

  2. Run:

    import java.io.IOException; public class Pkcs11Verify { public static void main(String[] args) { { try { String[] command = { "cmd.exe", "/C", "Start", "C:\\smtools\\verify.bat" }; Process p = Runtime.getRuntime().exec(command); } catch (IOException ex) { } } } }