Signing Java .jar Files with the CLI (Command Line Interface) Command Jarsigner
Use this instruction if you have a DigiCert® Extended Validation Code Signing Certificate. A DigiCert® EV Code Signing Certificate is set up to sign Java .jar files. For more information about code signing certificates, see Java Code Signing Certificate Guide.
When using your EV Code Signing Certificate to sign code, a digital signature is applied to your code. This digital signature boosts customer confidence in the code that they are about to download, and helps to improve the adoption of your Java applications. Many end-users simply cancel downloads or installations when they receive a warning that an unknown publisher signed the code.
Along with a more stringent validation process, EV Code Signing Certificates offer superior protection in the form of a Hardware Security Model (HSM) or two-factor authentication with a password-protected USB hardware token.
How To Sign .jar Files Using the CLI Command Jarsigner
Create a file named eToken.cfg that contains the following lines, and save it to your JDK bin folder
(e.g. C:\Program Files (x86)\Java\jdk1.7.0_05\bin).
In Windows Explorer, navigate to the JDK folder.
In the JDK folder, push and hold Shift, right-click on the bin folder, and select Open command window here.
To view the DigiCert® EV Code Signing Certificate and the certificate alias on the token:
Plug in your token.
Run the following command from the command prompt:
keytool -list -keystore NONE -storetype PKCS11 –providerclass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken.cfg
Enter keystore password: [enter password]
Keystore type: PKCS11
Keystore provider: SunPKCS11-eToken
Your keystore contains 1 entry
Certificate fingerprint (SHA2):
In this example, 7800FA4C81523ACA is the certificate alias that you use to sign .jar files.
To use the code signing certificate on the token to sign file.jar, run the following command from the command prompt:
jarsigner -tsa http://timestamp.digicert.com -verbose -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken.cfg "C:\path\to\file.jar" "7800FA4C81523ACA"
If the command executed successfully, you should see something similar to the following output:
Enter Passphrase for keystore:
requesting a signature timestamp
TSA location: http://timestamp.digicert.com
Buy an EV Code Signing Certificate Today!Buy Now
Program pauses and does not prompt you to enter your password
If after running the keytool or jarsigner command, the program pauses and does not prompt you for a password, unplug the device (token) and plug it back in. Run the command again. This time it should work.
"jarsigner error: java.lang.ClassNotFoundException: sun.security.pkcs11.SunPKCS11"
This error occurs when using a 64-bit version of the JDK. To eliminate this error, download and use a 32-bit version of the JDK.
"jarsigner error: java.lang.RuntimeException: keystore load: load failed"
This error may occur, if you entered the wrong password.
"keytool error: java.security.KeyStoreException: PKCS11 not found"
This error occurs if your config file fails to load correctly, or the config file points to a file that does not exist (e.g. library=c:\WINDOWS\system32\eTPKCS11.dll).
This error sometimes indicates that token's device drivers are not installed on your computer.