Inhaltsverzeichnis

Java code signing

In the JDK two tools are included to do code signing, Keytool and Jarsigner. First tool is to generate and administrate your keys and certificates that are saved in a „keystore“. The Jarsigner is the application used to sign jar files with an alias of your keystore. On this page I show you how to generate a keystore and how to sign your jar's with a self generated certificate. In a second section I will show how to get your keys signed by a CA, in this case I use CAcert.org to get a certificate for my keys. And how to import them to the keystore.

How to generate the minimum things needed for code signing

  1. Generate a keystore and a pair of public and private keys.
    keytool -genkey -alias <alias>

    This generates a new keystore, by default the keystore is saved in .keystore in your home folder.
    You can add -keystore <file name> to save it in an other file.
    genkey triggers to generate a new pair key pair. You will be asked several questions to identify your self.
    -alias is used to identify a keyset, so that you can administer several keys and certificates in one keystore.

  2. Now you can sign your jar files with your new keys.
    jarsigner <jar file> <alias>

    If you have generated the keystore in a different file than the default .keystore then you have to add the -keystore <keystore file> option to the command right in front of the jar file.
    You can add the -verbose option to see what is going on.

  3. To see if everything went well, you can verify your signed jars.
    jarsigner -verify -certs -verbose <jar file>

    -verify to verify the jar is signed.
    -certs to list the also how the containing class files are signed. You need set -verbose option to see this.

What to do to extend your keystore with a certificate from cacert.org

To request a certificate with code signing capability, you have to be an assurer that passed the assurer challenge.

  1. Generate a keystore and a pair of public and private keys.
    keytool -genkey -alias <alias>

    This generates a new keystore, by default the keystore is saved in .keystore in your home folder.
    You can add -keystore <file name> to save it in an other file.
    genkey triggers to generate a new pair key pair. You will be asked several questions to identify your self, there I only entered my email address as name the other questions I didn't answer.
    -alias is used to identify a keyset, so that you can administer several keys and certificates in one keystore.

  2. Generate a CSR (Certificate signing request)
    keytool -certreq -file <csr file> <alias>
  3. Now you have to login on the cacert.org homepage.
  4. Generate a new client certificate for the email address associated in your keys. Check the code signing checkbox to generate a certificate that allows code signing. You also have to enable advanced options and paste there the content of your generated csr (less <csr file>). You can include your name as well by checking the name option.
  5. Download the created certificate (<crt file>).
  6. keytool -importcert -trustcacerts -file <cert file> -alias <alias>
  7. Download cacerts file with root certificate of cacert.org
  8. cd /Library/Java/Home/lib/security/
  9. mv cacerts cacerts.orig
  10. sudo mv cacerts cacerts.orig
  11. sudo cp ~/cacerts .
  12. keytool -importcert -trustcacerts -v -file <crt file> -alias <alias>