What is a Jar?
A JAR (Java ARchive) file is a ZIP-format archive that bundles compiled Java class files (.class), resources and a manifest (META-INF/MANIFEST.MF) so that they can be distributed and loaded as one unit. An open source library's JAR may ship with its source files (.java) alongside the classes; a proprietary or licensed JAR normally contains only the compiled .class files.
Because a JAR is only an archive, anyone who obtains it can unpack it, alter or add classes and repack it, whether or not the source is included; a licensed JAR that ships only .class files is no harder to modify than an open source one. Signing the JAR gives a consumer two checks: that the contents are unchanged since the signer produced them (integrity) and which key, and so which identity, produced the signature (origin). Java's own mechanisms that grant rights to signed code (sealed packages, code-source based permissions in a security policy, and historically applet and Web Start privileges) depend on these checks, so any JAR you redistribute should be signed, open source or licensed. If you modify an open source library, the original signature no longer verifies and the modified JAR must be re-signed with your own key.
Creating Keystore and Certificate files
To sign a JAR you need a keystore holding a private key together with its certificate. The certificate, exported as a separate file, is what consumers use to verify the signature and identify the signer.
Keystore File
A keystore is a password-protected key database file. In Java's keystore formats (JKS, and PKCS12, which is the default since JDK 9) it holds two kinds of entries: key entries, each a private key together with the certificate chain for the matching public key, and trusted certificate entries, which hold only a public key certificate belonging to a party you trust. The private key in a key entry is what jarsigner uses to sign. Keep the keystore and its passwords as secret as the key itself, because anyone holding them can produce signatures in your name.
Certificate File
A public key certificate (also called a digital certificate or identity certificate) is an electronic document that uses a digital signature to bind a public key to an identity, such as the name of a person or organization and their location. A verifier uses it to check that a public key belongs to the named party. Note that the certificate keytool generates below is self-signed: the signer vouches for its own identity, so the certificate proves that the same key signed every JAR carrying it, but not who holds that key. For a certificate a third party can trust, generate a certificate signing request with keytool -certreq, have a certificate authority issue the certificate, and import the returned chain into the same key entry with keytool -importcert.
Procedure to create Keystore and Certificate files
Step 1: Open Notepad and enter the following commands

keytool -genkeypair -alias <certificate alias name> -keyalg RSA -keysize 2048 -validity 365 -keystore <keystore filename>.keystore -storepass <store password> -keypass <key password>
keytool -exportcert -alias <certificate alias name> -keystore <keystore filename>.keystore -storepass <store password> -file <certificate filename>.cer
pause

Step 2: Save the file as sign.bat.
Note: This is a Windows batch file, run from a command prompt. -genkeypair and -exportcert are the current names of the -genkey and -export commands used in older guides; both spellings still work. -keyalg RSA is given explicitly because many JDK versions otherwise default to a DSA key (1024-bit before JDK 8), and -validity sets the certificate lifetime in days (the default is 90). The first command prompts for the owner's distinguished name (CN, OU, O, L, ST, C); pass -dname "CN=..., O=..., C=..." to supply it non-interactively. Putting -storepass and -keypass in a batch file leaves the passwords in plaintext on disk; omit them and keytool prompts for them instead. With the PKCS12 store type (the default since JDK 9) the key password must equal the store password; keytool ignores a different -keypass and warns.
Step 3: Run the batch file
Note: keytool and jarsigner live in the JDK's bin directory. That directory must be on the PATH (set in the user or system environment variables), or the commands must be called by their full path. The Java classpath plays no part in this.
Step 4: The keystore and the exported certificate file are created in the folder the batch file runs from.
Note: The keystore filename must be given identically, including the .keystore extension, in every keytool and jarsigner command. If you created the store under a name without the extension, rename the file (or pass the exact name you used) rather than letting keytool create a second, empty store.
Signing the Jar file
The certificate keytool generates is valid for 90 days by default; use -validity <days> when generating it to choose the lifetime. The keystore itself does not expire. A JAR signed with a certificate that has since expired still carries a valid signature, but jarsigner -verify reports the expiry, so either re-sign before the certificate expires or have jarsigner attach a trusted timestamp (-tsa <timestamp authority URL>) so the signature remains verifiable afterwards.
Procedure to sign Jar file
Step 1: Export the project as a JAR, with or without source files, to a working folder (for example D:\Sign Jars\).
Step 2: Place the keystore, the certificate file and sign.bat in D:\Sign Jars\.
Step 3: Right-click sign.bat and choose Edit.
Step 4: Remove the keytool commands and replace them with the command given below

jarsigner -keystore <keystore filename>.keystore -storepass <store password> -signedjar <signed Jar filename>.jar <exported Jar filename>.jar <certificate alias name>
pause

Note: Without -signedjar, jarsigner overwrites the input JAR in place. The same caution about -storepass in a batch file applies here; leave it out to be prompted. Add -tsa <timestamp authority URL> to timestamp the signature.
Step 5: Run sign.bat.
Step 6: The JAR's META-INF folder now contains two new files named after the alias (upper-cased, first eight characters): <ALIAS>.SF, the signature file holding digests of the manifest sections, and the signature block <ALIAS>.RSA (or .DSA / .EC, named after the key algorithm; the .dsa file mentioned in older guides comes from keytool's DSA default), which holds the signature itself and the signer's certificate chain. MANIFEST.MF gains a digest line for every entry. Together these let a verifier check both who signed the JAR and that its contents are unchanged.
Procedure to verify the JAR
Step 1: Open a command prompt and navigate to the JAR's folder.
Step 2: Enter the command jarsigner -verify -verbose -certs <JAR name>.jar
Step 3: If the signature checks out, "jar verified." is displayed and -certs lists the certificate of each signer.
Else, "jar is unsigned." is displayed for a JAR with no signature files (older JDKs print "no manifest." when META-INF/MANIFEST.MF is absent), and a JAR whose entry was changed after signing fails with a SecurityException reporting a digest error for that entry.
Note: "jar verified." only means the signature is consistent with the certificate embedded in the JAR. With a self-signed certificate jarsigner additionally warns that the certificate chain is not validated, because nothing ties the certificate to a trusted authority. Before trusting a signed JAR, compare the signer's certificate fingerprint (shown by -certs, or by keytool -printcert -file <certificate filename>.cer on the exported certificate) with the fingerprint the publisher gave you through another channel.
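To show what the signing step writes into META-INF and what jarsigner -verify checks against, here is an added Python example. It is not part of the original tutorial and is not jarsigner's own code. It builds a small JAR from constructed sample entries, writes MANIFEST.MF with per-entry SHA-256 digests in the same layout jarsigner uses, then verifies those digests and shows how a class replaced after signing, or smuggled in without being signed, is detected. It covers the digest layer only: the .SF file and the .RSA/.DSA signature block that protect the manifest itself are not reproduced, because checking them needs a PKCS#7 parser and the signer's certificate.

```python
import base64
import hashlib
import io
import zipfile

# Constructed sample entries standing in for compiled classes and a resource.
SAMPLE_ENTRIES = {
    "com/example/App.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34 app bytes",
    "com/example/Util.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34 util bytes",
    "config.properties": b"mode=release\n",
}


def digest_b64(data: bytes) -> str:
    """SHA-256 of an entry, base64-encoded, as jarsigner writes it in MANIFEST.MF."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def build_manifest(entries: dict) -> bytes:
    """Main section followed by one named section per entry with its digest."""
    lines = ["Manifest-Version: 1.0", "Created-By: added example (not jarsigner)", ""]
    for name in sorted(entries):
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest_b64(entries[name])}", ""]
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def build_jar(entries: dict) -> bytes:
    """A JAR is a ZIP: pack the manifest plus the entries into one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", build_manifest(entries))
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Return {entry name: base64 digest} from the manifest's named sections.

    Handles the manifest's 72-byte line wrapping: a line beginning with a
    single space continues the previous attribute value.
    """
    digests = {}
    for section in text.replace("\r\n", "\n").split("\n\n"):
        lines = []
        for line in section.split("\n"):
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]
            else:
                lines.append(line)
        attrs = dict(line.split(": ", 1) for line in lines if ": " in line)
        if "Name" in attrs and "SHA-256-Digest" in attrs:
            digests[attrs["Name"]] = attrs["SHA-256-Digest"]
    return digests


def verify_jar(jar_bytes: bytes) -> dict:
    """Recompute every entry digest and compare it with the manifest.

    Returns {entry: "ok" | "digest mismatch" | "not in manifest" | "missing"}.
    META-INF/* is skipped: the manifest and signature files are covered by the
    .SF/.RSA layer, not by digests in the manifest itself.
    """
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        expected = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
        for name in names:
            if name.startswith("META-INF/"):
                continue
            if name not in expected:
                report[name] = "not in manifest"      # added after signing
            elif digest_b64(zf.read(name)) == expected[name]:
                report[name] = "ok"
            else:
                report[name] = "digest mismatch"      # changed after signing
        for name in expected:
            if name not in names:
                report[name] = "missing"              # deleted after signing
    return report


def tamper(jar_bytes: bytes, name: str, new_data: bytes) -> bytes:
    """Copy the JAR, replacing (or adding) one entry and leaving META-INF untouched."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        found = False
        for info in src.infolist():
            if info.filename == name:
                found = True
                dst.writestr(name, new_data)
            else:
                dst.writestr(info.filename, src.read(info.filename))
        if not found:
            dst.writestr(name, new_data)  # an entry that was never signed
    return buf.getvalue()


if __name__ == "__main__":
    good = build_jar(SAMPLE_ENTRIES)
    print("signed JAR:   ", verify_jar(good))
    bad = tamper(good, "com/example/Util.class", b"\xca\xfe\xba\xbe backdoored")
    print("tampered JAR: ", verify_jar(bad))
    extra = tamper(good, "com/example/Evil.class", b"\xca\xfe\xba\xbe dropper")
    print("extra entry:  ", verify_jar(extra))
```

Running it prints "ok" for every entry of the untouched JAR, "digest mismatch" for the replaced class and "not in manifest" for the added one. The real jarsigner reports the same conditions as a SecurityException with a digest error for the changed entry and as a warning that the JAR contains unsigned entries for the added one; the digests compared here are exactly what those checks operate on.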