How to use jarsigner to sign JAR files example – TheServerSide.com


When distributing applications as JAR, EAR or WAR files, it’s a good practice, especially if other users are downloading your archives over the public internet, to digitally sign JAR files with jarsigner.
The jarsigner tool is bundled with every Java JDK install and is found in the JDK’s bin directory. It is likely accessible directly through a command prompt or terminal window, so long as the JDK’s bin directory has been put on your operating system’s PATH.
To sign a JAR with jarsigner, you first need to create a public and private key. The private key will sign the JAR, and the public key will be able to attest to the veracity of the signature.
The JDK’s keytool can be used to create the public and private keys, and have them stored in a local keystore. The command to perform this operation, which requires a variety of details from the user in order to create the key, is as follows:
With the keys created and stored, export the server certificate to the filesystem so we can use it in jarsigner’s sign and verify process.
With the keystore created and the server.cer file on the filesystem, we can then use the jarsigner tool to digitally sign the JAR file. In this case, the JAR file to digitally sign is named spock-lizard-1.0.jar. The name of the digitally signed JAR file will be signedjar.jar. The command to perform this operation is as follows:
The following jarsigner example will use the generated public and private keys to digitally sign the original JAR with the jarsigner command. A new, signed JAR named signedjar.jar will be created.
Finally, with the digitally signed JAR created, you can use the jarsigner tool to verify the signature:
This jarsigner example creates a new keystore, exports a digital certificate and creates a new JAR that is digitally signed.
In review, the steps to digitally sign JAR files with jarsigner, assuming you have Java installed, are:
With your JAR files digitally signed with jarsigner, your clients will be confident that the files they run on their local VMs are indeed distributed by a vendor they trust.
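The four steps described above (create the key pair with keytool, export server.cer, sign spock-lizard-1.0.jar into signedjar.jar, verify the result), as an added shell example that is not the article's own commands. The alias `server`, the keystore file `keystore.p12`, the demo password and the certificate subject are assumptions, and the JAR is a constructed stand-in.

```shell
#!/usr/bin/env bash
# Added example, not the article's commands. Assumed/constructed values:
# alias "server", keystore.p12, the demo password and the certificate subject.
set -eu

KS=keystore.p12; ALIAS=server; PASS=changeit      # demo password only
KSOPTS="-keystore $KS -storetype PKCS12 -storepass $PASS"

make_keystore() {   # step 1: create the key pair in a local keystore
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=Example Signer, O=Example, C=US" $KSOPTS -keypass "$PASS"
}

export_cert() {     # step 2: export the public certificate to server.cer
  keytool -exportcert -alias "$ALIAS" -file server.cer $KSOPTS
}

sign_jar() {        # step 3: sign_jar <input.jar> <signed-output.jar>
  jarsigner $KSOPTS -signedjar "$2" "$1" "$ALIAS"
}

verify_jar() {      # step 4: succeeds only when jarsigner reports a verified JAR
  out=$(jarsigner -J-Duser.language=en -verify $KSOPTS "$1" 2>&1) || return 1
  # An unsigned JAR is reported in the output text, so match the message
  # instead of relying on the exit status alone.
  printf '%s\n' "$out" | grep -q 'jar verified\.'
}

demo() {
  work=$(mktemp -d); cd "$work"
  mkdir content; echo 'hello' > content/readme.txt
  jar cf spock-lizard-1.0.jar -C content .        # constructed stand-in JAR
  make_keystore; export_cert
  sign_jar spock-lizard-1.0.jar signedjar.jar
  verify_jar signedjar.jar && echo "signedjar.jar: verified"
  verify_jar spock-lizard-1.0.jar || echo "spock-lizard-1.0.jar: not signed"
}

if command -v keytool >/dev/null 2>&1 && command -v jarsigner >/dev/null 2>&1 \
   && command -v jar >/dev/null 2>&1; then
  ( demo )
else
  echo "keytool/jarsigner/jar not found: add the JDK bin directory to PATH"
fi
```

The certificate created here is self-signed, so a recipient can only tie the signature to the publisher after importing server.cer into their own keystore through a channel they trust.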
 