JAR files can carry a digital signature, so that a JAR can be checked for integrity and for who signed it. The JDK ships two tools for this: keytool, which creates the key pair and certificate in a keystore, and jarsigner, which signs a JAR with a private key taken from that keystore and embeds the matching certificate in the JAR (jarsigner does not generate keys or certificates itself). In this tutorial we shall see how to digitally sign a JAR file and then verify it.

Adding signature to JAR files

1) First we need to create a new keystore with a key pair in it. Both steps are accomplished by one command (-genkey is the older spelling of -genkeypair; both work):

keytool -genkey -keystore newStore -alias myStore

In the above command, newStore is the file name of the keystore and myStore is the alias, that is the name of the key entry inside the keystore (one keystore can hold many aliases). Besides the key pair, this command also creates a self-signed certificate for the key, which is what jarsigner will later embed in the JAR. Two defaults deserve attention: older keytool versions default to a DSA key, and the certificate is valid for only 90 days unless -validity <days> is given, so for real use pass -keyalg RSA (or EC) and an explicit -validity.
When issuing this command, we shall be asked for the keystore password and then for the parts of the distinguished name (first and last name, organizational unit, organization, city, state and country). The sample output of running the above command looks like:

C:\Windows\System32>keytool -genkey -keystore newStore -alias myStore
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Java Experience
What is the name of your organizational unit?
[Unknown]: javaexp
What is the name of your organization?
[Unknown]: Java
What is the name of your City or Locality?
[Unknown]: Delhi
What is the name of your State or Province?
[Unknown]: Delhi
What is the two-letter country code for this unit?
[Unknown]: IN
Is CN=Java Experience, OU=javaexp, O=Java, L=Delhi, ST=Delhi, C=IN correct?
[no]: y

Enter key password for <myStore>
(RETURN if same as keystore password):

C:\Windows\System32>

2) The certificate. Strictly speaking, step 1 has already created a self-signed certificate for the key, so this step only regenerates it (useful if you want a different validity period or distinguished name); it is harmless but not required. The certificate is what jarsigner embeds in the JAR. The command to (re)create the self-signed certificate is:

keytool -selfcert -alias myStore -keystore newStore

The output of above command is:

C:\Windows\System32>keytool -selfcert -alias myStore -keystore newStore
Enter keystore password:

C:\Windows\System32>

Notice that the same tool, keytool, is used for the certificate, only with different arguments. A self-signed certificate is fine for a tutorial or for internal use where the verifying side receives the certificate through a trusted channel; for arbitrary users to trust the signature, the certificate must instead be issued by a CA they already trust.

3) Now we sign the JAR file with the jarsigner tool shipped with the JDK:

jarsigner -keystore newStore c:/test.jar myStore

jarsigner asks for the keystore password, computes a digest of every entry in the JAR, signs those digests with the private key stored under the alias myStore and embeds that alias's certificate in the JAR. It does not generate a certificate. The output of the above command looks like this; the expiry warning is the 90-day default validity from step 1 showing up:

C:\Windows\System32>jarsigner -keystore newStore c:/test.jar myStore
Enter Passphrase for keystore:

Warning:
The signer certificate will expire within six months.

C:\Windows\System32>

4) Signing adds files under META-INF (the manifest is created if the JAR had none, otherwise it is updated):

META-INF/MANIFEST.MF
META-INF/MYSTORE.DSA
META-INF/MYSTORE.SF

MANIFEST.MF gains one section per entry with a digest (hash) of that entry's contents. MYSTORE.SF, the signature file, holds a digest of each manifest section and of the manifest as a whole. MYSTORE.DSA is the signature block: a PKCS#7 structure containing the signature over MYSTORE.SF and the signer's certificate chain. Nothing in these files is encrypted; the digests are plain base64 text and the certificate can be read with keytool -printcert -jarfile test.jar. The base name is the alias in upper case (at most 8 characters) and the extension follows the key algorithm, so an RSA key gives MYSTORE.RSA and an EC key MYSTORE.EC; the .DSA here comes from the old keytool default.

Verifying the authenticity of JAR file

A JAR can be made executable by adding a Main-Class line to MANIFEST.MF in the META-INF folder, and an executable JAR from an unknown source can contain malicious code. Verifying the signature tells us two things: that no signed entry has been altered since signing, and that whoever signed held the private key for the certificate embedded in the JAR. On its own that is not proof of origin, because anyone can create a self-signed certificate with the same name; the verifying side must also check that the certificate is one it trusts, either by passing -keystore with the trusted certificates (a "k" then appears next to each entry) or by comparing the certificate fingerprint against a known value. The command to verify the signature of a JAR file and print the signer certificates is:

jarsigner -verify -verbose -certs c:/test.jar

Replace the JAR path as needed. Add -strict to turn warnings such as unsigned entries or an untrusted certificate chain into a non-zero exit code, which is what a build script should check. A sample output of the above command shall look like:

C:\Windows\System32>jarsigner -verify -verbose -certs c:/test.jar

4031 Fri Jan 04 11:24:46 IST 2013 META-INF/MANIFEST.MF
4152 Fri Jan 04 11:41:08 IST 2013 META-INF/MYSTORE.SF
1033 Fri Jan 04 11:41:08 IST 2013 META-INF/MYSTORE.DSA
4152 Fri Jan 04 11:24:46 IST 2013 META-INF/MYSELF.SF
990 Fri Jan 04 11:24:46 IST 2013 META-INF/MYSELF.DSA
sm 1106 Tue Aug 14 20:38:02 IST 2001 org/jdom/IllegalTargetException.class

X.509, CN=Java Experience, OU=javaexp, O=Java, L=Delhi, ST=Delhi, C=IN
[certificate will expire on 4/4/13 11:37 AM]

……………………………..
……………………………..
……………………………..
X.509, CN=Java Experience, OU=javaexp, O=Java, L=Delhi, ST=Delhi, C=IN
[certificate will expire on 4/4/13 11:37 AM]

X.509, CN=Java Experience, OU=javaexp, O=Java, L=Delhi, ST=Delhi, C=IN
[certificate will expire on 4/4/13 11:37 AM]

s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope

jar verified.

Warning:
This jar contains entries whose signer certificate will expire within six months.

C:\Windows\System32>

Note that a JAR can carry more than one signature: the listing above contains both MYSTORE.SF/.DSA and MYSELF.SF/.DSA, so this JAR was signed twice under two aliases, and -certs prints the X.509 certificate chain of every signer for each signed entry. Also note that the entry is flagged "sm" but not "k": the signature is internally consistent, but since no -keystore was given, nothing has checked that the signer is someone we trust.
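The following script is an added example, not code from the original post. It runs steps 1 to 4 of the tutorial and the verification section end to end with the JDK tools, with the choices a reviewer would insist on: an RSA key with explicit validity, SHA-256 digests and signature, and verification with -strict against a separate trust store holding only the signer's certificate. It then adds an entry to the signed JAR, as an attacker could, and shows that strict verification rejects it. The names newStore, myStore, test.jar and the distinguished name are the tutorial's; the password, the JAR content and the trust store name are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): sign a JAR with a throwaway RSA
# key and verify it against a pinned trust store. Needs keytool, jar and
# jarsigner on PATH. The password and JAR content are demo values.
set -eu

for tool in keytool jar jarsigner; do
  command -v "$tool" >/dev/null 2>&1 || { echo "$tool not on PATH (install a JDK)"; exit 0; }
done

WORK=$(mktemp -d)
STORE="$WORK/newStore"        # private key + self-signed certificate (signing side)
TRUST="$WORK/truststore"      # certificate only: what the verifying side trusts
JAR="$WORK/test.jar"
PASS="changeit"               # demo password; use a real secret outside a demo

# Steps 1 and 2 in one command: -genkeypair already emits a self-signed
# certificate, so -selfcert is not needed. -keyalg and -validity are explicit:
# the old defaults (DSA key, 90 days) are why the post got a .DSA file and an
# expiry warning.
keytool -genkeypair -keystore "$STORE" -storepass "$PASS" -keypass "$PASS" \
  -alias myStore -keyalg RSA -keysize 3072 -sigalg SHA256withRSA -validity 365 \
  -dname "CN=Java Experience, OU=javaexp, O=Java, L=Delhi, ST=Delhi, C=IN"

# A small JAR to sign (constructed content standing in for c:/test.jar).
mkdir -p "$WORK/src/demo"
printf 'hello\n' > "$WORK/src/demo/greeting.txt"
( cd "$WORK/src" && jar cf "$JAR" demo )

# Step 3: sign. jarsigner signs with the private key behind the alias and
# embeds that alias's certificate; it generates nothing itself.
jarsigner -keystore "$STORE" -storepass "$PASS" \
  -digestalg SHA-256 -sigalg SHA256withRSA "$JAR" myStore

# Step 4: the signature files. With an RSA key the block file is MYSTORE.RSA.
jar tf "$JAR" | grep '^META-INF/'

# Only the certificate leaves the signing host: export it and import it into a
# separate trust store for the verifying side.
keytool -exportcert -keystore "$STORE" -storepass "$PASS" -alias myStore \
  -rfc -file "$WORK/signer.pem"
keytool -importcert -keystore "$TRUST" -storepass "$PASS" -alias trusted-signer \
  -file "$WORK/signer.pem" -noprompt

# verify_jar JAR TRUSTSTORE: prints "ok" or "fail". -strict turns the warnings
# that plain -verify only prints (unsigned entries, chain not validated, signer
# not in the given keystore) into a non-zero exit status a script can act on.
verify_jar() {
  if jarsigner -verify -strict -keystore "$2" -storepass "$PASS" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# tamper_jar JAR: add an entry after signing. It has no digest in MYSTORE.SF,
# so it is an unsigned entry and strict verification must reject the JAR.
tamper_jar() {
  mkdir -p "$WORK/extra"
  printf 'unsigned\n' > "$WORK/extra/injected.txt"
  jar uf "$1" -C "$WORK/extra" injected.txt
}

echo "signed jar:   $(verify_jar "$JAR" "$TRUST")"
cp "$JAR" "$WORK/tampered.jar"
tamper_jar "$WORK/tampered.jar"
echo "tampered jar: $(verify_jar "$WORK/tampered.jar" "$TRUST")"
```

The trust store deliberately contains only the certificate, never the private key: that is the artifact you distribute to verifiers, and it is the pinning step the tutorial's bare -verify leaves out. For JARs that must stay verifiable after the certificate expires, add -tsa with a timestamping authority URL when signing (omitted here so the example runs offline).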

Signing JAR file with certificate and verification admin Core Java