Sign Java files with Jarsigner using Java Cryptography Extension (JCE) integration

Jarsigner is a command-line tool and JCE is a framework within the Java Development Kit (JDK). It is used to digitally sign Java Archive (JAR) files and other related artifacts.

Tip

Signing with JCE is recommended over PKCS11 and KSP library options because it is:

Compatible with any operating system that supports Java (Windows, Linux, macOS, Solaris, and AIX)
Compatible with any Java architecture, including: 64-bit, 32-bit, and ARM processors.

Follow these instructions to sign directly using Jarsigner, JCE and securely reference your private key stored in Software Trust Manager.

Prerequisites

Download JCE library
Install JDK or OpenJDK (compatible with version 8 and higher)
Note
Testing for EdDSA signature generation requires Java version 15 or higher.
Configure your credentials
Keypair alias
Unsigned jar file

What files can Jarsigner sign using the JCE library?

.jar
.ear
.sar
.war

Jarsigner parameters for JCE

Jarsigner parameters are case-sensitive and must be passed in each request.

Table 1. Common parameters for jarsigner and keytool

Parameter	Value
-keystore	none
-storepass	changeit
-storetype	DIGICERT
-providerclass	com.digicert.jce.Provider

Jarsigner commands for JCE

The examples shown for the commands below use Java JDK 8, however DigiCert® Software Trust Manager supports JDK versions 8-17.

Note

The parameters may vary depending on which JDK version is installed.

To list jarsigner parameters, run:

jarsigner

Sign

To sign, run:

Example 1. Windows

Command:

jarsigner -J-Djava.class.path=<file_path>\digicert-jce-1.0.jar;<file_path>\bcprov-jdk18.jar -keystore NONE -storetype DIGICERT -storepass changeit -providerClass com.digicert.jce.Provider -signedjar <signed_jar_file> -sigalg <signature_algorithm> -tsa http://timestamp.digicert.com <unsigned_jar_file> <keypair alias>

Command sample:

jarsigner -J-Djava.class.path=C:\Users\test\digicert-jce-1.0.jar;C:\Users\test\bcprov-jdk18.jar -keystore NONE -storetype DIGICERT -storepass changeit -providerClass com.digicert.jce.Provider -signedjar C:\Users\test\signed.jar -sigalg SHA256withRSA -tsa http://timestamp.digicert.com C:\Users\test\unsigned.jar keypair2

Example 2. Linux

Command:

jarsigner -J-Djava.class.path=<file_path>/digicert-jce-1.0.jar:<file_path>/bcprov-jdk18.jar -keystore NONE -storetype DIGICERT -storepass changeit -providerClass com.digicert.jce.Provider -signedjar <signed_jar_file> -sigalg <signature_algorithm> -tsa http://timestamp.digicert.com <unsigned_jar_file> <keypair alias>

Command sample:

jarsigner -J-Djava.class.path=/home/test/digicert-jce-1.0.jar:/home/test/bcprov-jdk18.jar -keystore NONE -storetype DIGICERT -storepass changeit -providerClass com.digicert.jce.Provider -signedjar /home/test/signed.jar -sigalg SHA256withRSA -tsa http://timestamp.digicert.com /home/test/unsigned.jar keypair2

Example 3. macOS

Command:

jarsigner -J-Djava.class.path=<file_path>/digicert-jce-1.0.jar:<file_path>/bcprov-jdk18.jar -keystore NONE -storetype DIGICERT -storepass changeit -providerClass com.digicert.jce.Provider -signedjar <signed_jar_file> -sigalg <signature_algorithm> -tsa http://timestamp.digicert.com <unsigned_jar_file> <keypair alias>

Command sample:

jarsigner -J-Djava.class.path=/home/test/digicert-jce-1.0.jar:/home/test/bcprov-jdk18.jar -keystore NONE -storetype DIGICERT -storepass changeit -providerClass com.digicert.jce.Provider -signedjar /home/test/signed.jar -sigalg SHA256withRSA -tsa http://timestamp.digicert.com /home/test/unsigned.jar keypair2

Verify signature

To verify if a file is signed, run:

jarsigner -verify "<path to signed jar file>" -certs -verbose

Note

To return more details, include -certs -verbose as an optional parameters.

Sample command:

jarsigner -verify "C:\Users\Name\Desktop\Signed\example.jar"

Sign Java files with Jarsigner using Java Cryptography Extension (JCE) integration

Tip

Prerequisites

Note

What files can Jarsigner sign using the JCE library?

Jarsigner parameters for JCE

Jarsigner commands for JCE

Note

Sign

Verify signature

Note

Related articles