Signing JAR file with certificate and verification
JAR files can carry a digital signature, so they can be signed and later verified for authenticity. The JDK ships a tool named jarsigner which adds a digital signature to a JAR file. Behind the scenes jarsigner takes the private key and certificate from a keystore and adds the signature data to the JAR file. In this tutorial we shall see how to digitally sign a JAR file and then verify it.
Adding signature to JAR files
1) First we need to create a new keystore and also create a new key for this keystore. Both the steps of creating the keystore and key can be accomplished by using the following command:
keytool -genkey -keystore newStore -alias myStore
In the above command, newStore is the name of the keystore file that will be created and myStore is the alias under which the new key pair and its certificate are stored inside that keystore.
When issuing this command, we shall be asked about the keystore password, first name, last name, state, country, organizational unit and organization. The sample output of running the above command looks like:
C:\Windows\System32>keytool -genkey -keystore newStore -alias myStore
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  Java Experience
What is the name of your organizational unit?
  [Unknown]:  javaexp
What is the name of your organization?
  [Unknown]:  Java
What is the name of your City or Locality?
  [Unknown]:  Delhi
What is the name of your State or Province?
  [Unknown]:  Delhi
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=Java Experience, OU=javaexp, O=Java, L=Delhi, ST=Delhi, C=IN correct?
  [no]:  y
Enter key password for
        (RETURN if same as keystore password):

C:\Windows\System32>
2) Now we need to create a new certificate using the above keystore. This certificate shall then be used to add a digital signature to the JAR file. The command to create a new certificate looks like:
keytool -selfcert -alias myStore -keystore newStore
The output of the above command is:
C:\Windows\System32>keytool -selfcert -alias myStore -keystore newStore
Enter keystore password:

C:\Windows\System32>
Notice that the same tool, keytool, is used to generate the certificate, only with different arguments.
3) Now we need to sign the JAR file using the jarsigner tool which is shipped with the JDK:
jarsigner -keystore newStore c:/test.jar myStore
jarsigner will ask for the keystore password, then sign the JAR file with the key stored under the given alias and add the signature and certificate to the jar file mentioned in the command. The output of the above command shall look like:
C:\Windows\System32>jarsigner -keystore newStore c:/test.jar myStore
Enter Passphrase for keystore:

Warning:
The signer certificate will expire within six months.

C:\Windows\System32>
4) The result of adding the digital signature to Java JAR files is that some files are automatically created if not present earlier. These are:
META-INF/MANIFEST.MF
META-INF/MYSTORE.DSA
META-INF/MYSTORE.SF
If we open these files we can see that the signature file (MYSTORE.SF) lists digests of the JAR entries and the signature block file (MYSTORE.DSA) holds the signature and the certificate in binary form.
Verifying the authenticity of JAR file
JAR files can be made executable by adding a few lines to the MANIFEST.MF file present in the META-INF folder. But such JAR files can contain malicious code that harms the machine. By performing the authenticity check we can be sure that the source of this JAR file is the expected one, and hence improve the security of our application. The command to verify the signature of a JAR file is:
jarsigner -verify -verbose -certs c:/test.jar
Simply replace the jar file path in the above command to see the details of the certificates present in the JAR file. A sample output of the above command shall look like:
C:\Windows\System32>jarsigner -verify -verbose -certs c:/test.jar

        4031 Fri Jan 04 11:24:46 IST 2013 META-INF/MANIFEST.MF
        4152 Fri Jan 04 11:41:08 IST 2013 META-INF/MYSTORE.SF
        1033 Fri Jan 04 11:41:08 IST 2013 META-INF/MYSTORE.DSA
        4152 Fri Jan 04 11:24:46 IST 2013 META-INF/MYSELF.SF
         990 Fri Jan 04 11:24:46 IST 2013 META-INF/MYSELF.DSA
sm      1106 Tue Aug 14 20:38:02 IST 2001 org/jdom/IllegalTargetException.class

      X.509, CN=Java Experience, OU=javaexp, O=Java, L=Delhi, ST=Delhi, C=IN
      [certificate will expire on 4/4/13 11:37 AM]
...
      X.509, CN=Java Experience, OU=javaexp, O=Java, L=Delhi, ST=Delhi, C=IN
      [certificate will expire on 4/4/13 11:37 AM]
      X.509, CN=Java Experience, OU=javaexp, O=Java, L=Delhi, ST=Delhi, C=IN
      [certificate will expire on 4/4/13 11:37 AM]

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

Warning:
This jar contains entries whose signer certificate will expire within six months.

C:\Windows\System32>
It is important to note that multiple signatures can be added to a single JAR file (here MYSTORE and MYSELF), and when verifying we shall see a list of all X.509 certificates added to the JAR file.
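One caveat worth checking in code: "jar verified." only means that the digests and signatures inside the JAR are consistent with its contents, so a JAR signed with anybody's self-signed certificate passes. The program below is an added example, not part of the original tutorial; it assumes the JAR path, the keystore file (such as newStore) and its password are passed as arguments, and accepts an entry only when its signer certificate is one held in that keystore, which is what the k flag in the listing above reports.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
public class JarTrustCheck {
    // Returns true only if every entry outside META-INF/ is signed, its digest
    // verifies, and a signer certificate is one held in our own keystore ("k" flag).
    static boolean verify(String jarPath, String ksPath, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(ksPath)) {
            ks.load(in, storePass);
        }
        boolean ok = true;
        try (JarFile jar = new JarFile(jarPath, true)) { // true: verify signatures while reading
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Digests are checked only once the entry has been read to EOF; a modified
                // entry throws SecurityException here, which aborts the whole check.
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners(); // null when the entry is unsigned
                boolean trusted = false;
                for (CodeSigner s : signers == null ? new CodeSigner[0] : signers) {
                    X509Certificate cert = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    // jarsigner only warns about an expired signer; here it is treated as untrusted
                    if (cert.getNotAfter().before(new Date())) continue;
                    if (ks.getCertificateAlias(cert) != null) trusted = true; // matches myStore's cert
                }
                if (!trusted) {
                    System.out.println("NOT TRUSTED: " + e.getName());
                    ok = false;
                }
            }
        }
        return ok;
    }
    public static void main(String[] args) throws Exception { // JarTrustCheck <jar> <keystore> <storepass>
        System.exit(verify(args[0], args[1], args[2].toCharArray()) ? 0 : 1);
    }
}
```

Run it against c:/test.jar with newStore and its password: the exit code is 0 only when every class file is signed by the certificate under alias myStore, and a JAR re-signed by someone else with a different self-signed certificate is rejected even though jarsigner -verify would still print "jar verified."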