The jarsigner Tool

The next tool we’ll look at is the jarsigner tool; this tool creates signed JAR files and verifies them. The jarsigner tool uses the information in a keystore to look up a particular entity’s private key and certificate, and uses that information either to sign or to verify a JAR file. As we discussed in the section on keytool, the keystore that jarsigner uses is governed by the KeyStore implementation that has been installed into the virtual machine; if you have your own keystore implementation, jarsigner will be able to use it. Similarly, if you use the standard keystore implementation but hold the keys in a file other than the default .keystore file, jarsigner will allow you to use that other file as well (via its -keystore option).

A signed JAR file is identical to a standard JAR file except that its manifest gains a digest attribute for every entry that was signed, and the archive contains two additional entries in its META-INF directory:

  • SIGNER.SF —A signature file containing a SHA message digest (SHA-256 in current JDKs) for each file in the archive, class files and resources alike. The digest is not calculated over the file’s contents; it is calculated over the three lines in the manifest for that file (the Name line, the digest line, and the terminating blank line), so the .SF file vouches for the manifest, and the manifest vouches for the contents. The base of this name (SIGNER) varies; it is typically based upon the alias of the keystore entry used to sign the archive.

  • SIGNER.DSA —A signature block file containing the digital signature of the .SF file. The base of this name matches the first part of the .SF file; the extension reflects the algorithm of the signing key (.DSA for a DSA key, .RSA or .EC for other key types). This file also contains the certificate of the entity that signed the archive, so a verifier can check the signature without any prior knowledge of the signer.

    The algorithm used to generate the signature depends upon the type of the key found in the keystore: if the key is a X509 ...
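The two-level digest chain described above is easy to misread, so here is an added example, written for this page rather than taken from the book or from the JDK, that builds it with only the Python standard library and then checks it. The MANIFEST.MF, SIGNER.SF and SIGNER.DSA names follow the text; the entry names, their contents and the bytes placed in the .DSA entry are constructed placeholders (a real jarsigner writes a DER-encoded PKCS#7 signature block there), and the 72-byte manifest line-wrapping rule is ignored for brevity. The checker verifies only the digests, which is exactly the point: the last scenario shows that an attacker who regenerates both the manifest and the .SF file passes every digest check, and only the signature in the .DSA file over the .SF file can catch that.

```python
import base64
import hashlib
import io
import zipfile

SIGNER = "SIGNER"  # jarsigner derives this base name from the keystore alias
# Constructed placeholder; real jarsigner writes a DER-encoded PKCS#7 SignedData here.
FAKE_SIGNATURE_BLOCK = b"\x30\x00 placeholder PKCS#7 signature over SIGNER.SF"

def b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def attr(section: bytes, key: str) -> str:
    """Return the value of `key` in a manifest-format section, or '' if absent."""
    prefix = f"{key}: ".encode()
    for line in section.split(b"\r\n"):
        if line.startswith(prefix):
            return line[len(prefix):].decode()
    return ""

def parse_sections(data: bytes):
    """Split a manifest-format file into (main section, {Name: section bytes}).
    Each section keeps its terminating blank line, because that is what the
    .SF digests cover. Assumption: no 72-byte continuation lines."""
    blocks = [b + b"\r\n\r\n" for b in data.split(b"\r\n\r\n") if b]
    return blocks[0], {attr(sec, "Name"): sec for sec in blocks[1:]}

def build_manifest(entries: dict) -> bytes:
    """MANIFEST.MF: one three-line section per entry, digesting its contents."""
    main = b"Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n"
    return main + b"".join(
        f"Name: {n}\r\nSHA-256-Digest: {b64_sha256(c)}\r\n\r\n".encode()
        for n, c in entries.items())

def build_signature_file(manifest: bytes) -> bytes:
    """SIGNER.SF: digest of the whole manifest, of its main section, and of
    each entry's manifest section (not of the entry contents themselves)."""
    main, sections = parse_sections(manifest)
    head = (f"Signature-Version: 1.0\r\n"
            f"SHA-256-Digest-Manifest: {b64_sha256(manifest)}\r\n"
            f"SHA-256-Digest-Manifest-Main-Attributes: {b64_sha256(main)}\r\n\r\n")
    body = "".join(f"Name: {n}\r\nSHA-256-Digest: {b64_sha256(s)}\r\n\r\n"
                   for n, s in sections.items())
    return (head + body).encode()

def assemble_jar(entries, manifest, sf, block=FAKE_SIGNATURE_BLOCK) -> bytes:
    """Write the archive in jarsigner's order: manifest, .SF, .DSA, then entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr(f"META-INF/{SIGNER}.SF", sf)
        z.writestr(f"META-INF/{SIGNER}.DSA", block)
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()

def verify_digests(jar: bytes) -> list:
    """Check both links of the digest chain and return a list of problems.
    Deliberately does NOT verify the .DSA signature (that needs PKCS#7 and
    X.509 parsing), so [] means 'internally consistent', not 'authentic'."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        names = z.namelist()
        for req in ("META-INF/MANIFEST.MF", f"META-INF/{SIGNER}.SF", f"META-INF/{SIGNER}.DSA"):
            if req not in names:
                return [f"missing {req}"]
        manifest = z.read("META-INF/MANIFEST.MF")
        _, mf_sections = parse_sections(manifest)
        sf_main, sf_sections = parse_sections(z.read(f"META-INF/{SIGNER}.SF"))
        # Link 1: entry contents -> MANIFEST.MF
        for name in names:
            if name.startswith("META-INF/"):
                continue
            sec = mf_sections.get(name)
            if sec is None:
                problems.append(f"{name}: no manifest section (unsigned entry)")
            elif attr(sec, "SHA-256-Digest") != b64_sha256(z.read(name)):
                problems.append(f"{name}: content digest mismatch")
        # Link 2: MANIFEST.MF -> SIGNER.SF (whole-manifest digest, else per section)
        if attr(sf_main, "SHA-256-Digest-Manifest") != b64_sha256(manifest):
            for name, sec in mf_sections.items():
                sf_sec = sf_sections.get(name)
                if sf_sec is None or attr(sf_sec, "SHA-256-Digest") != b64_sha256(sec):
                    problems.append(f"{name}: manifest section digest mismatch in .SF")
    return problems

def demo() -> dict:
    """Constructed sample archive plus three tampering scenarios."""
    entries = {"Hello.class": b"\xca\xfe\xba\xbe original", "config.txt": b"debug=false\n"}
    mf = build_manifest(entries)
    sf = build_signature_file(mf)
    evil = dict(entries, **{"Hello.class": b"\xca\xfe\xba\xbe backdoored"})
    mf2 = build_manifest(evil)
    return {
        "good": verify_digests(assemble_jar(entries, mf, sf)),
        "patched_class_only": verify_digests(assemble_jar(evil, mf, sf)),
        "patched_class_and_manifest": verify_digests(assemble_jar(evil, mf2, sf)),
        # Regenerating both files satisfies every digest check; only the
        # signature in SIGNER.DSA over SIGNER.SF can expose this.
        "patched_everything": verify_digests(assemble_jar(evil, mf2, build_signature_file(mf2))),
    }

if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result or 'digest chain consistent'}")
```

Against a real archive, `jarsigner -verify -verbose archive.jar` performs the same two digest checks and then the missing third step: it validates the signature in the .DSA (or .RSA/.EC) file over the .SF file using the certificate embedded in that block, which is why a verifier must never stop at a consistent digest chain.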
