Java

The Java Archive (JAR) package format can be used for packaging Java applications and libraries.

The format is also used by related technologies such as Java Applets and Java Web Start applications, and by Android apps and plugins for various applications.

Signed JAR files can optionally include a time-stamp response from a TSA in the RFC 3161 format.

Adding a JAR Signer

The JAR signer in SignServer is called JArchive Signer.

To add a JArchive Signer follow the steps described in the Adding a Plain Signer section but use the template called jarchive_signer.properties.

Using the JArchive Signer

The methods for submitting a file to be signed that are described in the section Using the Plain Signer also apply to JAR files. For examples, see Plain Signing.

Verifying a Signed JAR File

The Java jarsigner tool can be used to verify the signatures and certificates of JAR files. The tool is available in the Java Development Kit (JDK).

After installing the JDK, open a command prompt and execute the following command (as User) with the path to the signed file:

Jarsigner Verification Example

jarsigner -verify -strict MyJAR-signed.jar

To get additional information, including the certificates, also specify the options -verbose and -certs.
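As an added illustration (not code from SignServer or the JDK), the following Python checks the innermost layer of what jarsigner -verify does: it recomputes each entry's digest and compares it with the digest attribute that the signer's DIGESTALGORITHM setting places in MANIFEST.MF, reporting entries modified after signing and entries the manifest never covered (the ones -strict reports as unsigned). The sample JAR, its entry names and its manifest are constructed inline for the example.

```python
import base64, hashlib, io, zipfile

# Manifest digest attribute jarsigner writes for each DIGESTALGORITHM value.
DIGEST_ATTRS = {"SHA-256-Digest": "sha256", "SHA-384-Digest": "sha384", "SHA-512-Digest": "sha512"}
SIG_FILES = (".SF", ".RSA", ".DSA", ".EC")   # signature block files are never digested

def parse_manifest(text):
    """Return {entry name: {attribute: value}} for the per-entry manifest sections."""
    sections, current = {}, {}
    text = text.replace("\r\n", "\n").replace("\n ", "")   # unfold 72-byte line continuations
    for line in text.split("\n") + [""]:                   # trailing "" flushes the last section
        if ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value
        elif not line:                                     # a blank line closes a section
            if "Name" in current:
                sections[current["Name"]] = current
            current = {}
    return sections

def check_manifest_digests(jar_bytes):
    """Return (ok, mismatched, uncovered) entry names after checking MANIFEST.MF digests."""
    ok, mismatched, uncovered = [], [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        sections = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in jar.namelist():
            if name.endswith("/") or name == "META-INF/MANIFEST.MF" or (
                    name.startswith("META-INF/") and name.upper().endswith(SIG_FILES)):
                continue
            attr = next((a for a in DIGEST_ATTRS if a in sections.get(name, {})), None)
            if attr is None:
                uncovered.append(name)     # what jarsigner -strict reports as unsigned
                continue
            actual = hashlib.new(DIGEST_ATTRS[attr], jar.read(name)).digest()
            (ok if actual == base64.b64decode(sections[name][attr]) else mismatched).append(name)
    return ok, mismatched, uncovered

def build_sample_jar():
    """Constructed sample: one intact entry, one modified after signing, one added later."""
    b64 = lambda data: base64.b64encode(hashlib.sha256(data).digest()).decode()
    manifest = ("Manifest-Version: 1.0\r\n\r\n"
                f"Name: Good.class\r\nSHA-256-Digest: {b64(b'class Good {}')}\r\n\r\n"
                f"Name: Tampered.class\r\nSHA-256-Digest: {b64(b'class Original {}')}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("Good.class", b"class Good {}")
        jar.writestr("Tampered.class", b"class Tampered {}")   # content changed after signing
        jar.writestr("Added.class", b"class Added {}")         # never listed in the manifest
    return buf.getvalue()
```

This does not verify the .SF file, the CMS signature block or the RFC 3161 time-stamp, so it complements jarsigner -verify rather than replacing it.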

JArchive Signer Options

The most relevant properties to configure for the JArchive Signer are:

Worker Property: Description

SIGNATUREALGORITHM
    The algorithm to use for the signature.
    Example: SHA256withRSA

DIGESTALGORITHM
    The algorithm for the digest of the file entries and the manifest.
    Example: SHA-256

KEEPSIGNATURE
    True if existing signature files should be kept.

REPLACESIGNATURE
    True if an existing signature with the same name should be overwritten instead of failing with an error.

SIGNATURE_NAME_TYPE
    The type of signature name to use. With type VALUE, the name is taken from the SIGNATURE_NAME_VALUE property. With type KEYALIAS, the name is taken from the key alias of the key used to sign the response.
    Example: KEYALIAS

ZIPALIGN
    True if the offset at which each file entry's data starts should be aligned to 4 bytes. Use this for Android apps.

TSA_WORKER
    Worker ID or name of a time-stamp signer in the same SignServer instance. Set this when time-stamping should be performed by an internal time-stamp signer.
    Example: TimeStampSigner1

TSA_URL
    URL of an external time-stamp authority. Set this when time-stamping should be performed by an external TSA.
    Example: https://tsa.example.com/authenticode

For all available properties, refer to the SignServer documentation on JArchive Signer.