JArchive Signer

ENTERPRISE  This is a SignServer Enterprise feature.

The signer has the fully qualified class name: org.signserver.module.jarchive.signer.JArchiveSigner

Overview

The signer signs Java Archives or ZIP files (.jar, .war, .ear, .apk and .zip etc) according to the JAR File Specification. The signature can optionally include a timestamp response from a TSA using the RFC#3161 format.

Available Properties

PropertyDescription
SIGNATUREALGORITHM Algorithm for signing.  Optional, default: "SHA256withRSA".
DIGESTALGORITHM Algorithm for message digests. Optional, default: "SHA-256".
ZIPALIGN True if the offset at which each file entry's data starts should be aligned to 4 bytes. Optional, default: False.
KEEPSIGNATURE True if existing signature files should be kept. If disabled, no previous META-INF/*.SF,.RSA,.DS or .EC files are kept. Optional, default: True.
REPLACESIGNATURE True if an existing signature with the same name should be overwritten and not fail with an error. Optional, default: True.
SIGNATURE_NAME_TYPE 

Type of signature name to use:

  • KEYALIAS: Takes the name from the key alias of the key used to sign the response, after converting it according to the signature name rules (see SIGNATURE_NAME_VALUE).
  • VALUE: Takes the name from the SIGNATURE_NAME_VALUE property.

Optional, default: KEYALIAS.

SIGNATURE_NAME_VALUE

The value for the signature name if the SIGNATURE_NAME_TYPE requires a value. With the type VALUE, the name is taken directly from this property but must follow the signature name rules:

  • Only characters from A-Z0-9_.-
  • Minimum 1 character
  • Maximum 8 characters

Optional or required depending on SIGNATURE_NAME_TYPE.

TSA_WORKER 

Worker ID or name of internal (RFC#3161) timestamp signer in the same SignServer. Optional, default: none.

(warning) Cannot be combined with TSA_URL.

TSA_URL 

URL of external (authenticode) timestamp authority. Optional, default: none.

(warning) Cannot be combined with TSA_WORKER.

TSA_USERNAME Login username used if the TSA uses HTTP Basic Auth. Optional, default: none.
TSA_PASSWORD Login password used if the TSA uses HTTP Basic Auth. Required if TSA_USERNAME is specified, default: none.
TSA_POLICYOID Time-stamping policy OID to request from the TSA. Optional, default: none.
TSA_DIGESTALGORITHMAlgorithm for timestamp digests. Optional, default: SHA-256.
DO_LOGREQUEST_DIGEST If a digest of the request should be computed and logged. Optional, default: true.
LOGREQUEST_DIGESTALGORITHM Algorithm used to create the message digest (hash) of the request document to put in the log. Default: SHA256.
DO_LOGRESPONSE_DIGEST If a digest of the response should be computed and logged. Optional, default: true.
LOGRESPONSE_DIGESTALGORITHM Algorithm used to create the message digest (hash) of the response document to put in the log. Default: SHA256.

Worker Log Fields

FieldDescription
REQUEST_DIGEST A message digest (hash) for the request document in hex encoding.
REQUEST_DIGEST_ALGORITHM The name of the message digest (hash) algorithm used for the request digest in the log.
RESPONSE_DIGEST A message digest (hash) for the response document in hex encoding.
RESPONSE_DIGEST_ALGORITHM The name of the message digest (hash) algorithm used for the response digest in the log.