Securing Your Java ARchive (JAR) Files
Signing a JAR and Creating a Key
To sign a JAR file and generate the key, you use the jarsigner and keytool commands, respectively. The following instructions will walk you through using the jarsigner with appropriate syntax to sign a JAR file and using the keytool to generate the key. You will understand more about these commands as you progress.
The steps involved in this exercise are, in short:
- Generating a key
- Signing the JAR file
- Verifying the signed JAR file
Generating a Key
As previously mentioned, you use the keytool command to generate a key. The following command generates a keystore file. In this case, you will generate the file as mykeystore, which is the value specified for the keystore option.
keytool -genkey -alias myalias -keystore mykeystore
This command results in a series of questions, which you can answer at your discretion. However, you must remember the answers that you provide. Here is a snapshot of the question set with the answers that I choose to provide.
Enter keystore password: password
What is your first and last name?
  [Unknown]: first name
What is the name of your organizational unit?
  [Unknown]: organization
What is the name of your organization?
  [Unknown]: organization name
What is the name of your City or Locality?
  [Unknown]: city name
What is the name of your State or Province?
  [Unknown]: state name
What is the two-letter country code for this unit?
  [Unknown]: IN
Is CN=first name, OU=organization, O=organization name, L=city name, ST=state name, C=IN correct?
  [no]: yes
Enter key password for <myalias>
  (RETURN if same as keystore password):
The result of these answers is a keystore file named mykeystore, which is the value for the keystore option. Notice I did not answer the last question. This allows the system to use the same password that I provided for the keystore.
Key Generation Tip
Manually creating many keystore files with different information can be tedious. Explore the keytool command's capability to accept a file as input that has the needed information for a command's arguments. It is a simple function that you can master in a short amount of time. Also, you can provide a different password for <myalias> and observe how it works.
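One way to script the batch creation suggested in the tip, as an added example (not code from the original article): a shell script that reads one key definition per line and calls keytool without prompts. The input file layout, the function names, and the STOREPASS and KEYPASS environment variable names are assumptions made for this example; -dname, -keyalg, -keysize, -validity and the :env password modifier are standard keytool options.

```shell
#!/usr/bin/env bash
# Added example: non-interactive keystore creation with keytool.
# Function names, file layout and variable names are illustrative.

# Escape backslashes and commas so a value such as "Example, Inc."
# is not split into two components of the distinguished name.
escape_dn_value() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/,/\\,/g'
}

# Build the X.500 name that keytool otherwise asks for interactively.
# Arguments: CN OU O L ST C (the six questions in the session above).
build_dname() {
  printf 'CN=%s, OU=%s, O=%s, L=%s, ST=%s, C=%s' \
    "$(escape_dn_value "$1")" "$(escape_dn_value "$2")" \
    "$(escape_dn_value "$3")" "$(escape_dn_value "$4")" \
    "$(escape_dn_value "$5")" "$(escape_dn_value "$6")"
}

# Generate one key pair without prompts.
# Arguments: keystore alias dname
# Passwords come from the environment variables STOREPASS and KEYPASS
# (assumed names, both must be set) through keytool's :env modifier,
# so they do not show up in the process list or in shell history.
generate_key() {
  keytool -genkey -alias "$2" -keystore "$1" \
    -dname "$3" -keyalg RSA -keysize 2048 -validity 365 \
    -storepass:env STOREPASS -keypass:env KEYPASS </dev/null
}

# Read a definition file (constructed format) with one key per line:
#   keystore|alias|CN|OU|O|L|ST|C
# Blank lines and lines starting with '#' are skipped.
generate_from_file() {
  while IFS='|' read -r ks al cn ou o l st c; do
    case "$ks" in ''|'#'*) continue ;; esac
    generate_key "$ks" "$al" \
      "$(build_dname "$cn" "$ou" "$o" "$l" "$st" "$c")" || return 1
  done < "$1"
}

# Usage (constructed values):
#   printf '%s\n' 'mykeystore|myalias|first name|organization|organization name|city name|state name|IN' > keys.txt
#   export STOREPASS=... KEYPASS=...
#   generate_from_file keys.txt
```

Keystores in PKCS12 format, the default in current JDKs, do not support a key password that differs from the keystore password; keytool prints a warning and ignores -keypass in that case.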
This article was originally published on October 7, 2009