u jarsigner.exe : Java Glossary

jarsigner.exe : Java Glossary

jarsigner.exe

Java version 1.2 or later tool bundled as part of the JDK (Java Development Kit), for signing jars with DSA (Digital Signature Algorithm) or RSA (Rivest, Shamir and Adelman) certificates. Replaces javakey.exe. It is the analog of Netscape signtool.exe. It requires a special Java code-signing certificate. A Netscape or Authenticode certificate will not do. jarsigner.exe can sign a JAR file using either:

DSA with the SHA-1 (Secure Hash Algorithm 1) digest algorithm. Needed for JDK 1.2/1.3 compatibility.
In Java version 1.4 or later, RSA algorithm with the SHA-1 digest algorithm, or MD5 (Message Digest algorithm 5) in previous versions.

It embeds two files in the jar:

a signature file, with a .SF extension. These are the hashes of the elements of the jar encrypted with your private key. They can be verified by decrypting with your public key.
a signature block file, with a .DSA or .RSA extension. This is your binary public key and certificate.

jarsigner.exe theapp.jar phony

where theapp.jar is the name of the previously created jar file with your app in it, and phony is the alias (short name) for the code signing cert you want to use.

In Java version 1.2 or later, you use jar.exe to create the jar and jarsigner.exe to sign it. You will need to use keytool.exe either to help purchase or fake a digital code-signing certificate before you can use jarsigner.exe. Many of the parameters that jarsigner uses are the same as keytool.exe, so you may find that my keytool.exe docs are helpful.

Don’t sign jars just for the heck of it. It slows down loading because all the hashes need to be computed, every time the classes in the jar are loaded, even if you are not using the security features.

jarsigner.exe includes your code signing certificate in the jar with its public key and the digital signature vouching for it, if any from the certificate authority. Of course it does not include your private key.

When you use ant to sign jars, the command to invoke jarsigner.exe is called <signjar not <jarsigner.

Make sure you back up your .keystore files especially when upgrading your OS (Operating System) or Java. Otherwise you will lose your code signing certificates.

Verifying

You can use WinZip to examine your signed jar to make sure all the elements you intended are in there under the right

rem verify a jar is properly signed
jarsigner.exe -verify -verbose somejar.jar

You can get hold of the public key included in a signed jar with:

Learning More

Oracle’s JDK Tool Guide to Jarsigner : available:

on the web at Oracle.com
in the current JDK 1.7.0_04 on your local Windows J: drive.

jar
jar.exe
Java Web Start
JDK
KeyTool IUI: third party GUI version of keytool
keytool.exe
signed Applets
signtool.exe
timestamp
timestamping
tools

	You can get the freshest copy of this page from:	or possibly from your local J: drive (Java virtual drive/mindprod.com website mirror)
	http://mindprod.com/jgloss/jarsignerexe.html	J:\mindprod\jgloss\jarsignerexe.html
	Please email your feedback for publication, letters to the editor, errors, omissions, typos, formatting errors, ambiguities, unclear wording, broken/redirected link reports, suggestions to improve this page or comments to Roedy Green : . If you want your message, your name or email kept confidential, not considered for public posting, please explicitly specify that. Unless you state otherwise, I will treat your message as a letter to the editor that I may or may not publish in the feedback section. After that, it will be too late to retract it. If you disagree with something I said, please quote it and cite the web page where you found it, tell me why you think it is wrong, and, if possible, provide some supporting evidence. Threatening to kill me or spouting obscenities has yet to persuade me to change my mind.
	Canadian Mind Products
	mindprod.com IP:[65.110.21.43]
view Blog	Your face IP:[38.107.179.211]
Feedback	You are visitor number 44,191.