jarsigner.exe : Java Glossary

2007-08-09 by Roedy Green ©1996-2008 Canadian Mind Products
Go to : punctuation 0-9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z (all)

jarsigner.exe

JDK 1.2+ tool bundled as part of the JDK, for signing jars with DSA or RSA certificates. Replaces javakey.exe. It is the analog of Netscape signtool.exe. It requires a special Java code-signing certificate. A Netscape or Authenticode certificate will not do. jarsigner.exe can sign a JAR file using either:

DSA (Digital Signature Algorithm) with the SHA-1 digest algorithm. Needed for JDK 1.2/1.3 compatibility.
In JDK 1.4+, RSA algorithm with the SHA-1 digest algorithm, or MD-5 in previous versions.

It embeds two files in the jar:

a signature file, with a .SF extension. These are the hashes of the elements of the jar encrypted with your private key. They can be verified by decrypting with your public key.
a signature block file, with a .DSA or .RSA extension. This is your binary public key and certificate.

In the simplest case all you need is this:

jarsigner.exe theapp.jar phony

where theapp.jar is the name of the previously created jar file with your app in it, and phony is the alias (short name) for the code signing cert you want to use.

Mitch Gallant has written an essay on the differences between signtool.exe and jarsigner.exe. In java 1.2+, you use jar.exe to create the jar and jarsigner.exe to sign it. You will need to use keytool.exe either to help purchase or fake a digital code-signing certificate before you can use jarsigner.exe. Many of the parameters that jarsigner uses are the same as keytool.exe, so you may find that my keytool.exe docs are helpful.

Don’t sign jars just for the heck of it. It slows down loading because all the hashes need to be computed, every time the classes in the jar are loaded, even if you are not using the security features.

jarsigner.exe includes your code signing certificate in the jar with its public key and the digital signature vouching for it, if any from the certificate authority. Of course it does not include your private key.

When you use ant to sign jars, the command to invoke jarsigner.exe is called <signjar not <jarsigner.

Make sure you back up your .keystore files especially when upgrading your OS or Java. Otherwise you will lose your code signing certificates.

Verifying

You can use Winzip to examine your signed jar to make sure all the elements you intended are in there under the right path names. You can also verify the jar signature with:

rem verify a jar is properly signed
jarsigner.exe -verify -verbose somejar.jar

You can get hold of the public key included in a signed jar with:

Learning More

Sun’s JDK Tool Guide to Jarsigner : available:

on the web at java.Sun.com
in the JDK 1.6.0_06 on your local J: drive.

jar
jar.exe
Java Web Start
JDK
keytool.exe
signed Applets
signtool.exe
timestamp
timestamping
tools

	Please email your feedback for publication, errors, omissions, broken/redirected link reports and suggestions to improve this page to Roedy Green :
	Canadian Mind Products
	mindprod.com IP:[65.110.21.43]
	Your face IP:[38.103.63.18]
	You are visitor number 24,006.
	You can get a fresh copy of this page from:	or possibly from your local J: drive (Java virtual drive/Mindprod website mirror)
	http://mindprod.com/jgloss/jarsignerexe.html	J:\mindprod\jgloss\jarsignerexe.html