Sign Java files with Jarsigner using Java code and PKCS11 integration
Jarsigner is a command-line tool provided as part of the Java Development Kit (JDK). It is used to digitally sign Java Archive (JAR) files and other related artifacts.
Follow these instructions to sign using Java code and securely reference your private key stored in Software Trust Manager. Alternatively, integrate Jarsigner with Signing Manager Controller (SMCTL) for simplified signing.
Prerequisites
Download and configure Software Trust Manager client tools
Create keypairs and certificates with Java code
Create test keypair and certificate
To use the Java setup, generate an RSA test keypair with certificate:
Copy and paste the following in an integrated development environment (IDE) or plain text editor:
smctl keypair generate rsa <Keypair Name> --cert-alias=<Certificate Name> --cert-profile-id=<Certificate Profile ID> --generate-cert=true --key-type=TEST
Input the following values:
Keypair name
Certificate name
Certificate profile ID
Save the file as a .bat file.
Note
The keypair name and certificate name must be unique inputs, meaning that they cannot already exist on the portal.
When you retrieve your certificate profile ID, ensure that the profile category is Test.
Create production keypair with certificate
To use the Java setup, generate an RSA production keypair with certificate:
Copy and paste the following in an integrated development environment (IDE) or plain text editor:
smctl keypair generate rsa <Keypair Name> --cert-alias=<Certificate Name> --cert-profile-id=<Certificate Profile ID> --generate-cert=true --key-type=PRODUCTION
Input the following values:
Keypair name
Certificate name
Certificate profile ID
Save the file as a .bat file.
Run:
import java.io.IOException;

public class SmctlGenerateProductionKeypairCert {
    public static void main(String[] args) {
        try {
            // Launch the saved batch file in a new console window through cmd.exe
            String[] command = { "cmd.exe", "/C", "Start", "C:\\smtools\\smtcl_gen_prodcert.bat" };
            Process p = Runtime.getRuntime().exec(command);
        } catch (IOException ex) {
            ex.printStackTrace();   // report a failed launch instead of silently ignoring it
        }
    }
}
Note
The keypair name and certificate name must be unique inputs, meaning that they cannot already exist on the portal.
When you retrieve your certificate profile ID, ensure that the profile category is Production.
Create certificate from existing keypair
To use the Java setup to generate a certificate for an existing keypair:
Copy and paste the following in an integrated development environment (IDE) or plain text editor:
smctl keypair generate-cert <keypair ID> --cert-alias=<Certificate Name> --cert-profile-id=<Certificate Profile ID> --set-as-default-cert=true
Input the following values:
Keypair ID
Certificate name
Certificate profile ID
Save the file as a .bat file.
Run:
import java.io.IOException;

public class GenerateCertForKeypair {
    public static void main(String[] args) {
        try {
            // Launch the saved batch file in a new console window through cmd.exe
            String[] command = { "cmd.exe", "/C", "Start", "C:\\smtools\\smtcl_gen_cert_for_keypair.bat" };
            Process p = Runtime.getRuntime().exec(command);
        } catch (IOException ex) {
            ex.printStackTrace();   // report a failed launch instead of silently ignoring it
        }
    }
}
Sign
To sign with Java code:
Copy and paste the following in an integrated development environment (IDE) or plain text editor:
jarsigner -keystore NONE -storepass NONE -storetype PKCS11 -sigalg <sigalg> -providerClass sun.security.pkcs11.SunPKCS11 -providerArg <path of config file> -tsa http://timestamp.digicert.com -signedjar <path of signed jar> <path of jar to sign> <keypair alias>
Input the following values:
Signature algorithm
Path of the SunPKCS11 config file
Path to the .jar file that needs to be signed
Path where the signed .jar file needs to be saved after it has been signed
Keypair alias
Save the file as a .bat file.
Run:
import java.io.IOException;

public class Pkcs11Sign {
    public static void main(String[] args) {
        try {
            // Launch the saved signing batch file in a new console window through cmd.exe
            String[] command = { "cmd.exe", "/C", "Start", "C:\\smtools\\sign.bat" };
            Process p = Runtime.getRuntime().exec(command);
        } catch (IOException ex) {
            ex.printStackTrace();   // report a failed launch instead of silently ignoring it
        }
    }
}
Verify signature
Copy and paste the following in an integrated development environment (IDE) or plain text editor:
jarsigner -verify <path of signed file>
Input the path to the signed jar that needs to be verified.
Run:
import java.io.IOException;

public class Pkcs11Verify {
    public static void main(String[] args) {
        try {
            // Launch the saved verification batch file in a new console window through cmd.exe
            String[] command = { "cmd.exe", "/C", "Start", "C:\\smtools\\verify.bat" };
            Process p = Runtime.getRuntime().exec(command);
        } catch (IOException ex) {
            ex.printStackTrace();   // report a failed launch instead of silently ignoring it
        }
    }
}
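As an added example that is not part of the documentation above, the Sign and Verify steps can also be run straight from Java with ProcessBuilder instead of a detached cmd.exe Start window, so the calling build step actually sees jarsigner's exit code and output and can fail when signing or verification does not succeed. The config file path, jar paths and keypair alias are placeholders, and the use of -strict on verification is an assumption of this example.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;

public class JarsignerChecked {
    // Assumed path of the SunPKCS11 config file that names the Software Trust Manager PKCS11 library.
    static final String PKCS11_CONFIG = "C:\\smtools\\pkcs11properties.cfg";
    /** Exit code plus merged stdout/stderr of a finished process. */
    static final class Result {
        final int exitCode; final String output;
        Result(int exitCode, String output) { this.exitCode = exitCode; this.output = output; }
    }

    /** Runs the command in the current console (no detached "Start" window) and waits for it. */
    static Result run(List<String> command) throws IOException, InterruptedException {
        Process p = new ProcessBuilder(command).redirectErrorStream(true).start();
        StringBuilder out = new StringBuilder();
        try (BufferedReader r = new BufferedReader(
                new InputStreamReader(p.getInputStream(), StandardCharsets.UTF_8))) {
            for (String line; (line = r.readLine()) != null; ) out.append(line).append('\n');
        }
        return new Result(p.waitFor(), out.toString());
    }
    /** Signs jarPath into signedJarPath with the key behind alias; true only if jarsigner reports success. */
    static boolean sign(String jarPath, String signedJarPath, String alias, String sigalg)
            throws IOException, InterruptedException {
        Result r = run(Arrays.asList("jarsigner", "-keystore", "NONE", "-storepass", "NONE",
                "-storetype", "PKCS11", "-sigalg", sigalg,
                "-providerClass", "sun.security.pkcs11.SunPKCS11", "-providerArg", PKCS11_CONFIG,
                "-tsa", "http://timestamp.digicert.com", "-signedjar", signedJarPath, jarPath, alias));
        System.out.print(r.output);
        return r.exitCode == 0 && r.output.contains("jar signed.");
    }

    /** jarsigner reports an unsigned jar as a warning ("jar is unsigned.") with exit code 0, so the
     *  exit code alone is not enough: also require the literal "jar verified." line. */
    static boolean verify(String signedJarPath) throws IOException, InterruptedException {
        Result r = run(Arrays.asList("jarsigner", "-verify", "-strict", "-verbose", "-certs", signedJarPath));
        System.out.print(r.output);
        return r.exitCode == 0 && r.output.contains("jar verified.");
    }

    public static void main(String[] args) throws Exception {   // paths and alias are placeholders
        boolean ok = sign("C:\\build\\app.jar", "C:\\build\\app-signed.jar", "<keypair alias>", "SHA256withRSA")
                && verify("C:\\build\\app-signed.jar");
        System.exit(ok ? 0 : 1);   // fail the build step when signing or verification fails
    }
}
```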