Self-signing Java jar archives

January 8, 2021    Article    287 words    2 mins read

Sometimes you want or need to sign a jar (Java archive) with a self-signed key. Such a signature proves that the archive has not been modified since it was signed, but only to verifiers that already know and trust that specific certificate; there is no CA chain for anyone else to rely on.

To generate the key pair and its self-signed certificate you will use keytool (-genkey is the older name of -genkeypair; both still work):

$ keytool -genkey \
	-keyalg <ALGORITHM> \
	-alias <ALIAS> \
	-keystore <KEYSTORE> \
	-validity <VALIDITY>

To sign an existing jar with the newly generated key you will use jarsigner:

$ jarsigner <JARNAME>.jar -keystore <KEYSTORE> <ALIAS>

So, suppose you want to sign MyCoolApp.jar with a certificate valid for 365 days (keytool's default is 90 days), under the alias dorkers, in a new keystore named dorkers-java that you keep in ~/Secrets/. First generate the key:

Note

Remember to replace the distinguished-name fields (first and last name, organizational unit, organization, city, state, country code) with your own data; the single letters in the transcript below are placeholders. For scripted, non-interactive use keytool accepts the same values via -dname "CN=...,OU=...,O=...,L=...,ST=...,C=.." together with -storepass and -keypass, and -keysize to override the default key length.
$ keytool -genkey \
	-keyalg RSA \
	-alias dorkers \
	-keystore ~/Secrets/dorkers-java \
	-validity 365
Enter keystore password:
Re-enter new password:
What is your first and last name?
	[Unknown]:  a
What is the name of your organizational unit?
	[Unknown]:  b
What is the name of your organization?
	[Unknown]:  c
What is the name of your City or Locality?
	[Unknown]:  d
What is the name of your State or Province?
	[Unknown]:  e
What is the two-letter country code for this unit?
	[Unknown]:  f
Is CN=a, OU=b, O=c, L=d, ST=e, C=f correct?
	[no]:  y

Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 365 days
	for: CN=a, OU=b, O=c, L=d, ST=e, C=f

Then sign the jar with the new key:

$ jarsigner MyCoolApp.jar -keystore ~/Secrets/dorkers-java dorkers
Enter Passphrase for keystore:
jar signed.

Warning:
The signer's certificate is self-signed.

To verify the signature use the -verify flag with jarsigner. Be aware of what this checks: without -keystore it only confirms that the manifest digests and the signature block are internally consistent, so a jar re-signed by anyone else's self-signed certificate passes just the same. Add -keystore ~/Secrets/dorkers-java so that jarsigner can also report whether the signer's certificate is present in your keystore (the k flag in -verbose output), and -strict so that warnings are reflected in the exit status, which matters when the check runs in a build pipeline. Once the certificate passes the end of its -validity period, -verify will also warn that the signer certificate has expired unless the signature was timestamped with -tsa at signing time.

$ jarsigner -verify MyCoolApp.jar

jar verified.

Warning:
This jar contains entries whose signer certificate is self-signed.

Re-run with the -verbose and -certs options for more details.
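The jarsigner -verify run above accepts any self-signed signer, so an application that loads such a jar should pin the exact certificate it expects. The following program is an added example and not part of the original article or of the JDK tools: it opens the jar with verification enabled, reads every entry (which is what triggers the digest check in java.util.jar.JarFile), and then requires that each non-metadata entry is signed by the certificate stored under the given alias in your keystore. Unsigned entries, entries whose bytes no longer match the manifest digest, and entries signed by some other certificate are all rejected. The class name PinnedJarVerifier and its command-line arguments are my own choices; JarFile does not check certificate validity dates or trust chains by itself, which is exactly why the certificate is pinned here.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Verifies that every real entry of a jar is signed by one specific
 * certificate (the self-signed one kept in the keystore), instead of
 * accepting any self-signed signer the way a bare jarsigner -verify does.
 * Example code, not part of the original article.
 */
public class PinnedJarVerifier {

    // Load the certificate stored under the alias in the keystore that keytool created.
    // The default keystore type (PKCS12 on current JDKs) also opens older JKS files.
    static Certificate loadPinnedCert(File keystore, char[] storepass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(keystore)) {
            ks.load(in, storepass);
        }
        Certificate cert = ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalArgumentException("no certificate found for alias " + alias);
        }
        return cert;
    }

    // MANIFEST.MF and the signature files (.SF plus the .RSA/.DSA/.EC block) are
    // the signing metadata themselves and never carry signer certificates.
    static boolean isSignatureMetadata(String name) {
        if (!name.startsWith("META-INF/")) return false;
        String upper = name.toUpperCase();
        return upper.equals("META-INF/MANIFEST.MF") || upper.endsWith(".SF")
            || upper.endsWith(".RSA") || upper.endsWith(".DSA") || upper.endsWith(".EC");
    }

    // Throws SecurityException unless every non-metadata entry is intact and
    // signed by the pinned certificate.
    static void verify(File jar, Certificate pinned) throws Exception {
        // verify=true makes JarFile check each entry's digest against the signed
        // manifest while the entry is read; a tampered entry throws from read().
        try (JarFile jf = new JarFile(jar, true)) {
            Enumeration<JarEntry> entries = jf.entries();
            byte[] buf = new byte[8192];
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || isSignatureMetadata(e.getName())) continue;
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) {
                        // consume the whole entry so the digest check runs
                    }
                }
                // Signer certificates are only populated after the entry was fully read.
                // null means the entry is not covered by the signature at all, e.g. a
                // class that was added to the jar after signing.
                Certificate[] certs = e.getCertificates();
                if (certs == null || certs.length == 0) {
                    throw new SecurityException("unsigned entry: " + e.getName());
                }
                boolean pinnedSigner = false;
                for (Certificate c : certs) {
                    if (c.equals(pinned)) pinnedSigner = true;
                }
                if (!pinnedSigner) {
                    throw new SecurityException("entry signed by an untrusted certificate: " + e.getName());
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // usage: java PinnedJarVerifier MyCoolApp.jar ~/Secrets/dorkers-java dorkers
        if (args.length != 3 || System.console() == null) {
            System.err.println("usage: PinnedJarVerifier <jar> <keystore> <alias>  (run from a terminal)");
            System.exit(2);
        }
        // Read the password from the terminal rather than taking it as an argument,
        // so it does not end up in shell history or process listings.
        char[] storepass = System.console().readPassword("Keystore password: ");
        Certificate pinned = loadPinnedCert(new File(args[1]), storepass, args[2]);
        verify(new File(args[0]), pinned);
        System.out.println(args[0] + " verified: every entry is signed by the certificate under alias " + args[2]);
    }
}
```

Run it against the jar signed above and the same keystore; then append an unsigned class to a copy of the jar, or edit one byte of an existing entry, and it will refuse the archive, whereas the signature block itself still looks fine to a verifier that only checks for some self-signed signer.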