jarsigner.exe : Java Glossary


Java version 1.2 or later tool bundled as part of the JDK (Java Development Kit), for signing jars with DSA (Digital Signature Algorithm) or RSA (Rivest, Shamir and Adelman) certificates. It requires a special Java code-signing certificate. An Authenticode certificate will not do. jarsigner.exe can sign a JAR file using either: It embeds two extra files in the jar:
  1. a signature file, with a .SF extension. These are indirect hashes of the elements of the jar all digitally signed with your private key. The signature can be verified using only your public key, which proves the jar has not been tampered with in any way.
  2. a signature block file, with a .DSA or .RSA extension. This is your binary public key and certificate.

Signing a Jar

Here is how you sign a jar:

jarsigner.exe theapp.jar phony

where theapp.jar is the name of the previously created jar file with your app in it and phony is the alias (short name) for the code signing cert you want to use that is stored in .keystore.

In Java version 1.2 or later, you use jar.exe to create the jar and jarsigner.exe to sign it. You will need to use keytool.exe either to help purchase or fake a digital code-signing certificate before you can use jarsigner.exe. Many of the parameters that jarsigner uses are the same as keytool.exe, so you may find that the keytool.exe docs are helpful.

Don’t sign jars just for the heck of it. It slows down loading because all the hashes need to be computed, every time the classes in the jar are loaded, even if you are not using the security features.

jarsigner.exe includes your code signing certificate in the jar with its public key and the digital signature vouching for it, if any from the certificate authority. Of course, it does not include your private key.

When you use ant to sign jars, the command to invoke jarsigner.exe is called <signjar not <jarsigner.

Make sure you back up your .keystore files especially when upgrading your OS (Operating System) or Java. Otherwise you will lose your code signing certificates.


You can use WinZip to examine your signed jar to make sure all the elements you intended are in there under the right

rem verify a jar is properly signed. Also find out who signed it.
rem find out if it was timestamped.
jarsigner.exe -verify -verbose -certs somejar.jar
rem -30-

You can get hold of the public key included in a signed jar with:

Mystery Solved

Why are the SHA digests different for each file in the MANIFEST.MF and *.SF files?

In the MANIFEST.MF file, the SHA digest value for each file is the SHA digest of the binary contents. In the *.SF file, on the other hand, the digest value for a given file is the hash of the three lines in the MANIFEST.MF for that file.

Why did they do it this way rather than say just signing MANIFEST.MF as a whole? or use the same SHA digests in both files?


Starting with Java 1.7.0_ 51. You can time stamp jars. This lets people continue to use the code even after the certificate used to sign it has expired. You use the -tsa command line option. jarsigner will communicate with time stamping service using RFC 3161 protocol.


Jarsigner.exe replaces the old javakey.exe.

Learning More

Oracle’s JDK Tool Guide to Jarsigner : available:
Oracle’s Technote Guide on Details of how signatures are validated : available:

This page is posted
on the web at:


Optional Replicator mirror
of mindprod.com
on local hard disk J:

Please the feedback from other visitors, or your own feedback about the site.
Contact Roedy. Please feel free to link to this page without explicit permission.

Your face IP:[]
You are visitor number