jarsigner

Sign a JAR file

$ jarsigner [path/to/file.jar] [keystore_alias]

$ jarsigner -sigalg [algorithm] [path/to/file.jar] [keystore_alias]

$ jarsigner -verify [path/to/file.jar]

jarsigner [options] jar-file alias
jarsigner -verify [options] jar-file

-keystore
    Specifies the location of the keystore file. If not specified, the default keystore (~/.keystore) is used.

-storepass
    Specifies the password for the keystore. It is recommended to use a secure method for password entry rather than directly on the command line for production environments.

-keypass
    Specifies the password for the private key entry associated with the alias. If not provided, the keystore password is used.

-signedjar
    Specifies the name of the signed JAR file to be generated. If omitted, the original jar-file is overwritten (not recommended).

-tsa
    Specifies the URL of a Timestamping Authority (TSA) to include a timestamp in the signature. This is crucial for long-term signature validity.

-verify
    Indicates that the command should verify the signatures on the jar-file rather than signing it.

-verbose
    Displays additional information during the signing or verification process, such as signed entries and certificate details.

-certs
    When verifying, displays information about the certificates embedded in the signature.

-debug
    Enables debugging output, providing more detailed information about the execution.

-sigalg
    Specifies the signature algorithm to be used (e.g., SHA256withRSA). Defaults to an appropriate algorithm based on the key type.

-digestalg
    Specifies the digest algorithm to be used for computing the hash of the JAR entries (e.g., SHA-256). Defaults to SHA-256.

jarsigner is a command-line tool provided with the Java Development Kit (JDK) used to digitally sign JAR files and to verify the authenticity and integrity of already signed JAR files. When a JAR file is signed, a digital signature is embedded within the archive, which is typically generated using a private key from a code-signing certificate. This signature allows recipients to verify the origin of the code and to ensure that the file has not been tampered with since it was signed.

This utility is crucial for deploying Java applets, WebStart applications, and other Java applications that require security policy enforcement. It operates by adding a signature block and a signature file to the JAR's META-INF directory. For verification, jarsigner uses a corresponding public key to decrypt the signature and confirm it matches the JAR's current state and trusted certificate chains. It interacts with keystores to retrieve the necessary signing keys and certificates.

jarsigner heavily relies on a properly configured keystore, which is typically managed using the keytool utility. It is important to note that passing passwords directly on the command line (e.g., via -storepass or -keypass) can pose a security risk as they might be visible in process listings. For long-term validity of signed JARs, using a Timestamping Authority (TSA) via the -tsa or -tsacert options is highly recommended, as it protects against issues with certificate expiration. Finally, jarsigner is a component of the Java Development Kit (JDK), meaning it might not be available in environments where only the Java Runtime Environment (JRE) is installed.

When verifying a JAR file using jarsigner -verify, the tool performs several critical checks. It first verifies the integrity of the JAR contents by comparing the cryptographic digest stored in the signature against a newly computed digest of the files. Simultaneously, it validates the digital signature itself using the public key associated with the signing certificate. Crucially, it also verifies the entire chain of trust of the signing certificate, ensuring it leads back to a trusted root certificate installed in the system's certificate stores. If any part of the JAR file has been modified since it was signed, or if the signature or certificate chain is invalid, expired, or untrusted, jarsigner will report an error or warning, indicating potential tampering or a breach of trust.

jarsigner has been an integral part of the Java Development Kit (JDK) since its early versions, prominently featured from Java 1.2 (released in 1998) onwards. Its introduction marked a significant step in providing a robust mechanism for code signing within the Java ecosystem, enhancing trust and security for deployed Java applications. Over time, its development has focused on integrating support for new cryptographic algorithms, adhering to evolving security standards (such as timestamping and OCSP), and improving performance. It has consistently adapted to incorporate stronger security practices and remains a fundamental utility for ensuring the integrity and authenticity of Java archives.

keytool(1), jar(1), java(1)