Java Reference
In-Depth Information
Signing Your JAR File
Problem
You want to digitally sign your JAR file.
Solution
Get or forge a digital certificate, and use the jarsigner program.
Discussion
A JAR file can be digitally signed to verify the identity of its creator. This is very similar to
digital signing of websites: consumers are trained not to enter sensitive information such as
credit card numbers into a web form unless the “padlock” icon shows that it is digitally
signed. Signing JAR files uses the Security API in the core Java 2 platform. You can sign
JAR files for use with Java applets (see Chapter 16 ) or JWS (see Java Web Start ) . In either
case, the jarsigner tool included in the JDK is used.
You can purchase a certificate from one of the commercial signing agencies when you are
ready to go live. Meanwhile, for testing, you can “self-sign” a certificate. Here are the steps
needed to sign a JAR file with a test certificate:
1. Create a new key in a new “keystore” as follows:
keytool -genkey -keystore myKeystore -alias myself
The alias myself is arbitrary; its intent is to remind you that it is a self-signed key so
you don't put it into production by accident.
2. The program prompts you in the terminal window for information about the new key.
It asks for a password for protecting the keystore. Then it asks for your name, depart-
ment, organization, city, state, country, and so on. This information goes into the new
keystore file on disk.
3. Create a self-signed test certificate:
keytool -selfcert -alias myself -keystore myKeystore
Search WWH ::




Custom Search