This article guides developers through the steps of signing a JAR file. The article uses an Authenticode* certificate to sign and verify a JAR, but a JAR signing certificate could also be used to sign and verify through a similar process. Before starting this tutorial, you MUST have a valid certificate file. If you do not have one yet, please take a look at this tutorial: http://software.com/en-us/articles/how-do-i-get-code-signing-certificate-certifying-authority
If your code signing certificate has already expired, you can optionally renew your certificate and resubmit your application for validation. For more information on code signing certificate renewal, see: Maintaining Valid Certificates
- Windows XP or Windows 7
- JDK 1.5.0 (version 5) or higher
Install the tools
You will require “Keytool” and “Jarsigner” to sign your application with the code signing certificate and verify it. Both are provided as part of the JDK. If you do not already have the JDK installed, you can get the latest version from the Oracle website: http://www.oracle.com/technetwork/java/javase/downloads/index.html You can check for the installed tools in the path: c:\Program Files\Java\jdk1.6.0_25\bin. Please note that the version number in the path depends on the JDK version you have installed.
Signing the application:
When you are ready to sign your application, run the following commands from the Jarsigner install directory:
- c:\Program Files\Java\jdk1.6.0_25\bin>keytool -list -v -storetype pkcs12 -keystore Certificate_File.pfx
This command gives a long output, but the first few lines will contain an alias. You will need this to sign your application with the code signing certificate.
- c:\Program Files\Java\jdk1.6.0_25\bin>jarsigner -storetype pkcs12 -keystore "c:\Certificate_Path\Certificate.pfx" -signedjar name_of_signed_jar -verbose c:\JAR_Path\Test.jar alias
You will now be asked to enter the password for the certificate. When you enter the correct password, the command exits successfully and returns to the command prompt.
An example of an alias:
Verifying the signed application:
Follow the steps below to verify the signature on the JAR application:
- Verify the signature with the command below:
- c:\Program Files\Java\jdk1.6.0_24\bin>jarsigner -verify -verbose -certs c:\JAR_Path\application.jar
To see the certificate information, the -certs flag must be used. The output will be as shown below:
In order to ensure that the signature on your application remains valid even after the certificate expires, it is strongly recommended that you timestamp the application. The Code Signing Tool makes it very easy to sign your application and timestamp it: http://appdeveloper.intel.com/en-us/article/app-signing-tool-download
Now that your application has been signed by an approved CA, you are ready to upload your signed application to the Intel® Developer Zone portal. You can also view the video for signing JAR files here: http://software.intel.com/en-us/videos/signing-jar-file-video-tutorial There is also an app signing tool for JAR files: http://software.intel.com/en-us/articles/app-signing-tool-download
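As a complement to the jarsigner -verify step above, the following added example (not part of the original article or of the JDK) checks a JAR's structure before upload: it confirms that a signature file and signature block are present and that every entry matches the digest recorded in META-INF/MANIFEST.MF, which flags files added or changed after signing. The function names and the sample JAR are constructed for illustration; the script does not validate the cryptographic signature or the certificate chain, so jarsigner -verify remains the authoritative check.

```python
import base64, hashlib, io, re, zipfile
# Signature-related files under META-INF are not listed in the manifest themselves.
SIG_RELATED = re.compile(r"META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC)|SIG-[^/]*)$", re.I)
# Constructed stand-ins for jarsigner's output files; they hold no real signature.
SIG_STUBS = {"META-INF/SAMPLE.SF": b"Signature-Version: 1.0\r\n", "META-INF/SAMPLE.RSA": b"stub"}

def manifest_digests(text):
    """Map entry name -> (hashlib algorithm name, base64 digest) from MANIFEST.MF."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # undo 72-byte line wrapping
    out = {}
    for section in re.split(r"\n{2,}", text):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        for key, value in attrs.items():
            if "Name" in attrs and key.endswith("-Digest"):  # SHA1-Digest, SHA-256-Digest
                out[attrs["Name"]] = (key[:-7].replace("-", "").lower(), value)
    return out

def check_jar(data):
    """Return structural problems found in the JAR bytes; an empty list means none."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        for ext, label in (("SF", "signature file (.SF)"), ("(RSA|DSA|EC)", "signature block")):
            if not any(re.match(rf"META-INF/[^/]+\.{ext}$", n, re.I) for n in names):
                problems.append("no " + label)
        if "META-INF/MANIFEST.MF" not in names:
            return problems + ["no manifest"]
        digests = manifest_digests(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for n in names:
            if SIG_RELATED.match(n) or n.endswith("/"):
                continue
            alg, expected = digests.get(n, (None, None))
            if alg is None:
                problems.append("unsigned entry: " + n)
            elif base64.b64encode(hashlib.new(alg, jar.read(n)).digest()).decode() != expected:
                problems.append("digest mismatch: " + n)
    return problems

def build_sample(entries, listed):
    """Constructed sample JAR: `entries` are stored, `listed` get manifest digests."""
    mf = "Manifest-Version: 1.0\r\n\r\n"
    for name, content in listed.items():
        d = base64.b64encode(hashlib.sha256(content).digest()).decode()
        mf += f"Name: {name}\r\nSHA-256-Digest: {d}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, content in {"META-INF/MANIFEST.MF": mf, **entries}.items():
            jar.writestr(name, content)
    return buf.getvalue()
```

To check a real file, pass its bytes: check_jar(open(path, "rb").read()).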