====== Java code signing ======
In the JDK two tools are included to do code signing, ''Keytool'' and ''Jarsigner''. First tool is to generate and administrate your keys and certificates that are saved in a "keystore". The ''Jarsigner'' is the application used to sign jar files with an alias of your keystore. On this page I show you how to generate a keystore and how to sign your jar's with a self generated certificate. In a second section I will show how to get your keys signed by a CA, in this case I use CAcert.org to get a certificate for my keys. And how to import them to the keystore.
===== How to generate the minimum things needed for code signing =====
- Generate a keystore and a pair of public and private keys.keytool -genkey -alias
This generates a new keystore, by default the keystore is saved in ''.keystore'' in your home folder.\\ You can add ''-keystore '' to save it in an other file.\\ ''genkey'' triggers to generate a new pair key pair. You will be asked several questions to identify your self.\\ ''-alias'' is used to identify a keyset, so that you can administer several keys and certificates in one keystore.
- Now you can sign your jar files with your new keys.jarsigner
If you have generated the keystore in a different file than the default ''.keystore'' then you have to add the ''-keystore '' option to the command right in front of the jar file.\\ You can add the ''-verbose'' option to see what is going on.
- To see if everything went well, you can verify your signed jars.jarsigner -verify -certs -verbose
''-verify'' to verify the jar is signed.\\ ''-certs'' to list the also how the containing class files are signed. You need set ''-verbose'' option to see this.
===== What to do to extend your keystore with a certificate from cacert.org =====
To request a certificate with code signing capability, you have to be an [[http://www.cacert.org/policy/CertificationPracticeStatement.php#p1.6|assurer]] that passed the [[http://wiki.cacert.org/AssurerChallenge|assurer challenge]].
- Generate a keystore and a pair of public and private keys.keytool -genkey -alias
This generates a new keystore, by default the keystore is saved in ''.keystore'' in your home folder.\\ You can add ''-keystore '' to save it in an other file.\\ ''genkey'' triggers to generate a new pair key pair. You will be asked several questions to identify your self, there I only entered my email address as name the other questions I didn't answer.\\ ''-alias'' is used to identify a keyset, so that you can administer several keys and certificates in one keystore.
- Generate a CSR ([[wikipedia>Certificate_signing_request|Certificate signing request]])keytool -certreq -file
- Now you have to login on the cacert.org homepage.
- Generate a new ''client certificate'' for the email address associated in your keys. Check the code signing checkbox to generate a certificate that allows code signing. You also have to enable advanced options and paste there the content of your generated csr (''less ''). You can include your name as well by checking the name option.
- Download the created certificate ().
- keytool -importcert -trustcacerts -file -alias
- Download [[http://wiki.cacert.org/CodesigningCert?action=AttachFile&do=view&target=cacerts|cacerts file]] with root certificate of cacert.org
- cd /Library/Java/Home/lib/security/
- mv cacerts cacerts.orig
- sudo mv cacerts cacerts.orig
- sudo cp ~/cacerts .
- keytool -importcert -trustcacerts -v -file -alias
==== Weblinks ====
* [[http://www.ewert-technologies.ca/blog/articles/cross-platform-code-signing|Excelent article about cross-platform code signing]]
* [[http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/packagingAppsForMac.html]]