LinuxCommandLibrary

jarsigner

TLDR

Sign JAR file

$ jarsigner -keystore [keystore.jks] [app.jar] [alias]
Verify signature
$ jarsigner -verify [app.jar]
Verify with details
$ jarsigner -verify -verbose -certs [app.jar]
Sign APK file
$ jarsigner -keystore [keystore.jks] -signedjar [signed.apk] [unsigned.apk] [alias]
Sign with specific algorithm
$ jarsigner -sigalg SHA256withRSA -digestalg SHA-256 [app.jar] [alias]

SYNOPSIS

jarsigner [options] jar-file alias

DESCRIPTION

jarsigner signs and verifies Java Archive (JAR) files. It adds digital signatures that establish authenticity and integrity, as required for Java applets, Android apps, and other signed JARs.
The tool uses certificates stored in keystores for signing. Verification checks that contents haven't been modified and validates the signer's certificate.
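
The integrity half of that verification, as an added Python example (not jarsigner's code and not from the original page): it recomputes each entry's SHA-256 and compares it with the SHA-256-Digest recorded in META-INF/MANIFEST.MF. The signature over the manifest and the certificate check are not reproduced here; the sample JAR, its file names and the helper names are constructed for illustration.

```python
import base64, hashlib, io, zipfile

def parse_manifest(text):
    """Return {entry name: attributes} for the per-entry sections of a manifest."""
    # Undo 72-byte line wrapping: a continuation line starts with one space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    sections = {}
    for block in text.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.split("\n") if ": " in line)
        if "Name" in attrs:
            sections[attrs["Name"]] = attrs
    return sections

def check_digests(jar_bytes):
    """Map each entry outside META-INF/ (skipped for brevity) to 'ok', 'modified' or 'unsigned'."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in jar.namelist():
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            recorded = manifest.get(name, {}).get("SHA-256-Digest")
            actual = base64.b64encode(hashlib.sha256(jar.read(name)).digest()).decode()
            if recorded is None:
                result[name] = "unsigned"  # entry added after the manifest was written
            else:
                result[name] = "ok" if recorded == actual else "modified"
    return result

def build_jar(files, digest_source=None):
    """Constructed sample: a JAR whose manifest digests are computed from digest_source."""
    digest_source = files if digest_source is None else digest_source
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in digest_source.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        manifest += f"Name: {name}\r\nSHA-256-Digest: {digest}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in files.items():
            jar.writestr(name, data)
    return buf.getvalue()

ORIGINAL = {"com/example/App.class": b"constructed class bytes"}  # constructed sample
TAMPERED = {"com/example/App.class": b"patched class bytes", "com/example/Extra.class": b"added"}

if __name__ == "__main__":
    print(check_digests(build_jar(ORIGINAL)))
    print(check_digests(build_jar(TAMPERED, digest_source=ORIGINAL)))
```
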

PARAMETERS

-keystore file
Keystore location.
-storepass pass
Keystore password.
-keypass pass
Key password.
-signedjar file
Output signed JAR name.
-sigalg algo
Signature algorithm.
-digestalg algo
Digest algorithm.
-verify
Verify signature.
-verbose
Verbose output.
-certs
Show certificates.
-tsa url
Timestamp authority URL.

CAVEATS

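Weak signature and digest algorithms are deprecated. Keystores and their passwords need to be protected. Adding a timestamp (-tsa) is recommended for the longevity of the signature. Android has its own specific signing requirements.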

HISTORY

jarsigner has been part of the JDK since Java's early days. JAR signing became important for Java applets in browsers and later for Android application distribution. The tool has evolved to support stronger cryptographic algorithms.

SEE ALSO

keytool(1), jar(1), apksigner(1), openssl(1)
