Self-signing Java jar archives
Sometimes you want/need to sign a jar Java archive file with a self-signed key.
To generate the key you will use keytool:
$ keytool -genkey \
-keyalg <ALGORITHM> \
-alias <ALIAS> \
-keystore <KEYSTORE> \
-validity <VALIDITY>
To sign the already-existing jar with the newly-generated key you will use jarsigner:
$ jarsigner <JARNAME>.jar -keystore <KEYSTORE> <ALIAS>
So, if you want to sign the MyCoolApp.jar file with a validity of 365 days (the default is 90 days), using the dorkers alias and a new keystore named dorkers-java that you keep in ~/Secrets/, first generate the key:
Note: Remember to update the info with your data (first name, org unit, city, state, etc.).
$ keytool -genkey \
-keyalg RSA \
-alias dorkers \
-keystore ~/Secrets/dorkers-java \
-validity 365
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: a
What is the name of your organizational unit?
[Unknown]: b
What is the name of your organization?
[Unknown]: c
What is the name of your City or Locality?
[Unknown]: d
What is the name of your State or Province?
[Unknown]: e
What is the two-letter country code for this unit?
[Unknown]: f
Is CN=a, OU=b, O=c, L=d, ST=e, C=f correct?
[no]: y
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 365 days
for: CN=a, OU=b, O=c, L=d, ST=e, C=f
Then sign the jar with the new key:
$ jarsigner MyCoolApp.jar -keystore ~/Secrets/dorkers-java dorkers
Enter Passphrase for keystore:
jar signed.
Warning:
The signer's certificate is self-signed.
To verify the signature use the -verify flag with jarsigner:
$ jarsigner -verify MyCoolApp.jar
jar verified.
Warning:
This jar contains entries whose signer certificate is self-signed.
Re-run with the -verbose and -certs options for more details.
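As an added example (not part of the original post) of what that self-signed warning is actually reporting, here is a small Java program that opens the signed jar, forces signature verification by reading every entry to the end, and reports per entry whether it is unsigned, signed by a self-signed certificate (subject equals issuer) or signed by a CA-issued one. The default file name MyCoolApp.jar and the class name JarSignerCheck are assumptions; run it with `java JarSignerCheck.java MyCoolApp.jar` on Java 11 or later.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignerCheck {
    public static void main(String[] args) throws Exception {
        // Assumed default: the jar signed earlier in this post.
        String path = args.length > 0 ? args[0] : "MyCoolApp.jar";
        int unsigned = 0, selfSigned = 0, caSigned = 0;
        // verify=true (also the default) makes JarFile check digests and signatures as entries are read.
        try (JarFile jar = new JarFile(path, true)) {
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                // Directories and the manifest/signature files under META-INF/ are not signed entries themselves.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are only populated once the entry has been fully read;
                // an entry whose digest does not match its signature throws SecurityException here.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* consume */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    unsigned++;
                    System.out.println("UNSIGNED     " + e.getName());
                    continue;
                }
                for (CodeSigner s : signers) {
                    // The first certificate in the signer's path is the signer's own certificate.
                    X509Certificate cert =
                            (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    // "Self-signed" is exactly this: the certificate's issuer is its own subject.
                    boolean self = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
                    if (self) selfSigned++; else caSigned++;
                    System.out.println((self ? "SELF-SIGNED  " : "CA-SIGNED    ") + e.getName()
                            + "  signer=" + cert.getSubjectX500Principal().getName()
                            + "  expires=" + cert.getNotAfter());
                }
            }
        }
        System.out.printf("entries: %d unsigned, %d self-signed, %d CA-signed%n",
                unsigned, selfSigned, caSigned);
    }
}
```

For the jar signed above, every entry will be reported as SELF-SIGNED with signer CN=a, OU=b, O=c, L=d, ST=e, C=f, which is the same fact jarsigner -verify -verbose -certs summarises in its warning.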