Signing jar files with jarsigner
Most of the information in this note can also be found in the help output of the jarsigner and keytool utilities.
Criteria for Signature Validity
A digital signature on an archive is considered valid when:
- none of the archive resources have been modified since they were signed,
- the signer's certificate is within its validity period (neither expired nor not yet valid).
Moreover, the signer of the archive must be known, i.e. its public key certificate must have been identified as trusted before validation takes place. Otherwise any malicious third party can forge a similar certificate, potentially carrying the same signer name, and present a perfectly coherent signed archive.
Additional criteria of archive signature validity are defined in the context of the OSGi framework; they are specific to the deployment of components from third-party repositories:
- No resource removed from the archive after the signature,
- No resource added to the archive after the signature,
- The digital signature files must immediately follow the Manifest file in the archive, so that the signature can be checked before any other resource is read, rather than after potentially malicious files have already been cached.
This means that, depending on the security level you need, Sun's criteria of signature validity alone may not be sufficient.
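As an added example (not part of this note and not code from the jarsigner tool), the following Python script checks a bundle against the integrity criteria listed above: manifest first with the signature files directly after it, no entry added to or removed from the archive relative to the manifest, and every entry's digest still matching. It assumes SHA-256 digests in the manifest and .SF file (the jarsigner default on current JDKs), and it builds a constructed in-memory bundle modelled on fridgebundle-1.1.jar, with a placeholder .RSA entry. The cryptographic verification of the .SF signature itself is left to jarsigner -verify; this script covers the OSGi criteria that jarsigner does not enforce.

```python
import base64
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
SIG_EXTS = (".SF", ".RSA", ".DSA", ".EC")


def b64_sha256(data):
    """Digest encoding used in MANIFEST.MF / .SF files (assumes SHA-256 digests)."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def parse_manifest(data):
    """Parse a manifest-style file into (main_attributes, {Name: attributes})."""
    text = data.decode("utf-8").replace("\r\n", "\n").replace("\r", "\n")
    sections = []
    for block in text.split("\n\n"):
        lines = []
        for line in block.split("\n"):
            if not line:
                continue
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # 72-byte line wrapping: continuation line
            else:
                lines.append(line)
        attrs = dict(line.partition(": ")[::2] for line in lines)
        if attrs:
            sections.append(attrs)
    main = sections[0] if sections else {}
    named = {s["Name"]: s for s in sections[1:] if "Name" in s}
    return main, named


def check_signed_bundle(jar_bytes):
    """Return a list of violations of the validity criteria; an empty list means all passed."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = [i.filename for i in zf.infolist() if not i.filename.endswith("/")]
        if MANIFEST not in names:
            return ["no manifest in archive"]
        sig_files = [n for n in names if n.upper().startswith("META-INF/")
                     and n.upper().endswith(SIG_EXTS)]
        if not sig_files:
            problems.append("archive is not signed (no signature files)")
        # OSGi criterion: manifest first, signature files immediately after it
        head = [MANIFEST] + sig_files
        if names[0] != MANIFEST:
            problems.append("manifest is not the first entry")
        elif names[:len(head)] != head:
            problems.append("signature files do not immediately follow the manifest")
        manifest = zf.read(MANIFEST)
        _, entries = parse_manifest(manifest)
        # The .SF carries a digest of the whole manifest; jarsigner then signs the .SF
        for sf in (n for n in sig_files if n.upper().endswith(".SF")):
            sf_main, _ = parse_manifest(zf.read(sf))
            if sf_main.get("SHA-256-Digest-Manifest") != b64_sha256(manifest):
                problems.append(f"{sf}: manifest digest mismatch (manifest edited after signing)")
        # Added or modified resources: compare archive content against the manifest
        for name in names:
            if name in head:
                continue
            if name not in entries:
                problems.append(f"{name}: added after signing (no manifest entry)")
            elif entries[name].get("SHA-256-Digest") != b64_sha256(zf.read(name)):
                problems.append(f"{name}: modified after signing (digest mismatch)")
        # Removed resources: manifest entries with no matching archive entry
        for name in entries:
            if name not in names:
                problems.append(f"{name}: removed after signing")
    return problems


def build_sample_bundle(tamper=None):
    """Constructed fixture modelled on fridgebundle-1.1.jar (not the real bundle); the .RSA
    entry is a placeholder, so only the integrity criteria are exercised here."""
    resources = {
        "fridge/Fridge.class": b"\xca\xfe\xba\xbe constructed class bytes",
        "OSGI-INF/fridge.xml": b"<component name='fridge'/>",
    }
    sections = "".join(f"Name: {n}\nSHA-256-Digest: {b64_sha256(d)}\n\n"
                       for n, d in resources.items())
    manifest = ("Manifest-Version: 1.0\nBundle-SymbolicName: fridgebundle\n\n" + sections).encode()
    sf = f"Signature-Version: 1.0\nSHA-256-Digest-Manifest: {b64_sha256(manifest)}\n\n".encode()
    signed = [(MANIFEST, manifest), ("META-INF/BOB.SF", sf),
              ("META-INF/BOB.RSA", b"placeholder signature block")]
    # Tampering scenarios applied after the manifest was "signed"
    if tamper == "modify":
        resources["fridge/Fridge.class"] += b"\x00patched"
    if tamper == "remove":
        del resources["OSGI-INF/fridge.xml"]
    if tamper == "add":
        resources["fridge/Extra.class"] = b"dropped in after signing"
    order = list(resources.items()) + signed if tamper == "reorder" else signed + list(resources.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in order:
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for scenario in (None, "modify", "add", "remove", "reorder"):
        print(scenario or "untouched", "->", check_signed_bundle(build_sample_bundle(scenario)) or "OK")
```

To use it on a real bundle, read the file into memory and pass the bytes to check_signed_bundle after jarsigner -verify has accepted the signature; a non-empty list is a reason to reject the bundle even though jarsigner reported it valid.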
Use of the JarSigner Tool
The Sun jarsigner is a utility delivered along with the Sun JDK. It can sign Java Archives (jars) and verify the validity of their signature.
The use of the Sun jarsigner tool is illustrated with an OSGi test bundle called fridgebundle-1.1.jar. OSGi archives are a specific type of jar file.
To try out the jarsigner tool, you need a public/private key pair. The examples are given with Bob's key pair.
- If you want to run the tests with Bob's key pair, download the keystore file named testkeystore (docs_techNotes/refArchive/testkeystore). Store it in the
- If you want to create your own public/private key pair, see the paragraph on the keytool utility below to learn how.
Create a refArchive directory and store each example bundle in it. The following operations can then be performed with the jarsigner tool:
* Sign a given jar archive
* Check that a signed jar is valid
* Verify a signed jar whose signer is unknown
* Some tests with an invalid archive signature
Remark: No warning is issued by the Sun jarsigner if the signer of the archive is unknown to you. No matter who signed the archive, it will be reported as valid!
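The remark above is the gap a deployer has to close by hand: jarsigner's verification tells you that some certificate signed the archive, not that it is a certificate you trust. The following added example (not from this note and not JDK code) extracts the certificates embedded in a jar's PKCS#7 signature block (the META-INF .RSA/.DSA/.EC file) with a small stdlib-only DER walker, computes the SHA-256 fingerprint of each, and compares them against an allowlist of fingerprints you maintain, the role a trusted keystore entry plays. It is meant to run after jarsigner -verify has accepted the signature, it assumes single-byte ASN.1 tags and DER (not indefinite-length BER) encoding, and the in-memory sample jar, its SignedData skeleton and its placeholder "certificate" are constructed for the test rather than real key material.

```python
import hashlib
import io
import zipfile

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2 (PKCS#7 signedData)
OID_DATA = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1 (PKCS#7 data)


def der_tlv(buf, pos=0):
    """Decode one DER tag/length/value starting at pos; returns (tag, value, end_offset).
    Assumption: single-byte tags, which is all a jarsigner signature block uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed value into (tag, value, raw_tlv_bytes) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, end = der_tlv(value, pos)
        out.append((tag, val, value[pos:end]))
        pos = end
    return out


def certificates_in_signature_block(block):
    """Return the DER-encoded X.509 certificates carried in a PKCS#7 SignedData blob."""
    tag, content_info, _ = der_tlv(block)
    if tag != 0x30:
        raise ValueError("signature block is not a DER SEQUENCE")
    oid, wrapper = der_children(content_info)[:2]
    if oid[0] != 0x06 or oid[1] != OID_SIGNED_DATA or wrapper[0] != 0xA0:
        raise ValueError("not a PKCS#7 signedData ContentInfo")
    signed_data = der_children(wrapper[1])[0]           # [0] EXPLICIT -> SEQUENCE SignedData
    certs = []
    for tag, val, _ in der_children(signed_data[1]):
        if tag == 0xA0:                                 # certificates [0] IMPLICIT CertificateSet
            certs = [raw for t, _, raw in der_children(val) if t == 0x30]
    return certs


def signer_fingerprints(jar_bytes):
    """SHA-256 fingerprints (hex) of every certificate shipped in the jar's signature blocks."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.upper().startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in certificates_in_signature_block(zf.read(name)):
                    fps.add(hashlib.sha256(cert).hexdigest())
    return fps


def signer_is_trusted(jar_bytes, trusted_fingerprints):
    """True only if at least one certificate in the signature block is on your allowlist.
    Chain and signature validity are jarsigner's job; this only answers 'do I know this signer?'"""
    return bool(signer_fingerprints(jar_bytes) & set(trusted_fingerprints))


def der(tag, payload):
    """Minimal DER encoder used to build the constructed test fixture."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


# Constructed fixture: a structurally valid SignedData skeleton whose "certificate" is a
# placeholder SEQUENCE (not a real X.509 certificate) and whose signerInfos set is empty.
FAKE_CERT = der(0x30, der(0x13, b"CN=Bob (constructed placeholder certificate)"))
_signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, OID_DATA))
                   + der(0xA0, FAKE_CERT) + der(0x31, b""))
SAMPLE_BLOCK = der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, _signed_data))
BOB_FINGERPRINT = hashlib.sha256(FAKE_CERT).hexdigest()


def build_sample_jar():
    """In-memory jar carrying the constructed signature block under META-INF/BOB.RSA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n\n")
        zf.writestr("META-INF/BOB.SF", b"Signature-Version: 1.0\n\n")
        zf.writestr("META-INF/BOB.RSA", SAMPLE_BLOCK)
        zf.writestr("fridge/Fridge.class", b"constructed class bytes")
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    print("signer fingerprints:", signer_fingerprints(jar))
    print("trusted with Bob on the allowlist:", signer_is_trusted(jar, {BOB_FINGERPRINT}))
    print("trusted with an empty allowlist:", signer_is_trusted(jar, set()))
```

The allowlist is the piece jarsigner leaves to you: populate it with the fingerprints of the certificates you have decided to trust (the fingerprint keytool prints for a keystore entry is the same SHA-256 over the DER certificate), and reject any bundle whose signature block matches none of them, however valid jarsigner says the signature is.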
Use of the Keytool Utility
You can find further information here: