The Java Archive (JAR) package format can be used for packaging Java applications and libraries.

Signed JAR files can optionally include a time-stamp response from a TSA using the RFC#3161 format.

Adding a JAR Signer

The JAR signer in SignServer is called JArchive Signer.

To configure a JArchive Signer, follow the steps below and use the template called jarchive_signer.properties:

  1. Go to the SignServer Admin Web Workers page and click Add to add a new worker.
  2. On the Add Worker / Load Configuration page, choose the method From Template.
  3. In the Load From Template list menu, select jarchive_signer.properties and click Next.
  4. Click Apply and select the worker name JArchiveSigner.
  5. Click the Configuration tab and make the appropriate adjustments for:

    • NAME: Specify a name.

    • CRYPTOTOKEN: If using SignServer Enterprise, this should match the name of the crypto token configured in the SignServer software installation section. If you are on an Appliance, this crypto token was created for you with the name HSMCryptoToken10. If using SignServer Cloud, a CryptoTokenP12 is provided with the instance, containing all the sample keys and certificates you need, and you can continue to the last step and ensure that your signer is in an ACTIVE state.

  6. Generate a new key pair for the signer, by clicking the Status Summary tab and then Renew Key.

  7. Select a key algorithm, such as RSA, and a key specification such as 2048, and click Generate.

  8. Create a Certificate Signing Request (CSR) for the new key pair by clicking Generate CSR.

  9. Select a signature algorithm like SHA256withRSA and specify a subject DN (name) for the new certificate such as CN=MS Auth Code Signer Test,O=My Company, C=SE, and click Generate.

  10. Click Download and save the CSR file.
  11. Bring the CSR file to your Certification Authority to get the certificate and the CA certificates in return.
    (warning) Before installing certificates in a production system, make sure to check the signer's authorization since the signer will be fully functional and ready to receive requests once the certificates are installed.

  12. Click Install certificates and browse for the certificate files. Start by providing the signer certificate and then follow with the issuing CA certificates in turn. Click Add to list the certificates in the chain.

  13. When all certificates are added in the correct order, click Install.
  14. Once the certificates are installed, the signer should be in state ACTIVE. If not, check the top of its Status Summary page for any errors.

Using the JArchive Signer

To submit a JAR file to be signed, use one of the following available interfaces:

Submit and Sign File using Client Web

The following describes how to submit and sign a JAR with the JArchive signer using the SignServer Client Web form in your web browser.

To download an example JAR and then submit and sign the file using the Client Web pages, do the following:

  1. Download helloworld.jar to test JAR signing.
  2. Go to the SignServer Client Web Generic page.
  3. Scroll down on the page to the Generic Signing Or Validation by File Upload section and specify JArchiveSigner in the Worker Name field.
  4. Click Choose File, select helloworld.jar, and click Submit.
  5. You will be prompted to save the Signed JAR file helloworld.jar.

Submit and Sign File Using Client CLI

To submit a JAR file for signing using the SignServer Client CLI SignClient, send a request to the worker using the following command:

bin/signclient signdocument -workername JArchiveSigner -infile helloworld.jar -outfile helloworldsigned.jar
BASH

where workername is the name of the worker in your SignServer server, infile the path to the unsigned input file to sign, and outfile the filename the signed version will be written to.

Verifying a Signed JAR File

The Java jarsigner tool can be used to verify the signatures and certificates of JAR files. The tool is available in the Java Development Kit (JDK).

After installing the JDK, open a command prompt, and execute the command (as User) with the path to the signed file:

Jarsigner Verification Example

jarsigner -verify -strict MyJAR-signed.jar  
CODE

To get additional information, as well as the certificates, also specify the options -verbose and -certs.

JArchive Signer Options

The most relevant properties to configure for the JArchive Signer are:

Worker Property

Description

SIGNATUREALGORITHM

Specifying the algorithm used to use for the signature.

Example: SHA256withRSA

DIGESTALGORITHM

Algorithm for the digest of the file entries and the manifest.

Example: SHA-256

KEEPSIGNATURE

True if existing signature files should be kept.

REPLACESIGNATURE

True if an existing signature with the same name should be overwritten and not fail with an error.

SIGNATURE_NAME_TYPE

The type of signature name to use. With the type VALUE, the name is taken from the SIGNATURE_NAME_VALUE property. With the type KEYALIAS, the name is taken from the key alias of the key used to sign the response.
Example: KEYALIAS

ZIPALIGN

True if the offset at which each file entry's data starts should be aligned to 4 bytes. Use this for Android apps.

TSA_WORKER

Worker ID or name of internal timestamp signer in the same SignServer if time-stamping should be used and with a time-stamp signer in SignServer.
Example: TimeStampSigner1

TSA_URL

URL of external timestamp authority if time-stamping should be used and with an external TSA.
Example: https://tsa.example.com/authenticode

For all available properties, refer to the SignServer Documentation JArchive Signer section.