Wednesday, 12 August 2015

Signing JAR Files

We digitally sign files so that their origin and integrity can be trusted. Once you (or your browser) have verified that an applet comes from a trusted source, you can have the platform relax security restrictions and let the applet perform operations that would ordinarily be forbidden.
Prerequisites
If you want to sign a JAR file with a Code Signing certificate, follow the steps below.
1.    Obtain the Code Signing Certificate together with the following details:
•    Alias
•    Key Password
•    Storetype
Importing the Keystore

1.    Import the Code Signing certificate into your Keystore by running the command below.
keytool -importkeystore -srckeystore /tmp/signimaging/abc.pfx -srcstoretype pkcs12 -trustcacerts -destkeystore $ORACLE_HOME/certstore/your_keystore.jks
abc.pfx -> the Code Signing certificate (a PKCS#12 bundle holding the private key and its certificate chain).
your_keystore.jks -> your local keystore.
-trustcacerts - additional certificates are considered for the chain of trust, namely the certificates in the JDK file named "cacerts".
-importkeystore - imports the entries (private keys and their certificate chains) from the source keystore into the destination keystore.
-srcstoretype - the type of the source keystore; pkcs12 for a .pfx file.
-srckeystore - the .pfx file.
-destkeystore - the location of your local keystore.
After running this command it displays the message “Successfully Imported”.
2.    Verify that the Code Signing Certificate entry now exists in your Keystore by running the command below.

keytool -list -v -keystore /u07/oracle/certstore/bisipm_keystore.jks

-keystore - your local keystore
-list -v - The -list command by default prints only the MD5 fingerprint of each certificate. With the -v option the certificate is printed in human-readable format, so you can check the alias, owner, issuer and validity dates of the imported entry.

JAR Signing

1.    You use the JAR Signing and Verification Tool to sign JAR files and to time stamp the signature. You invoke it with the “jarsigner” command.
2.    Change to the directory where jarsigner is located, in our example “$ORACLE_HOME/jrockit-jdk1.6.0_91/bin/”, and run the command below.
./jarsigner -keystore $ORACLE_HOME/certstore/bisipm_keystore.jks /tmp/signimaging/abc.jar my_alias
Here, my_alias is the alias of the code signing entry imported above.
/tmp/signimaging/abc.jar - location of your JAR file.
-keystore - your keystore location.
It prompts you for the keystore password and the key password.

3.    Your JAR file is now signed; verify it with the command below.

./jarsigner -verify -verbose /u07/oracle/middleware/Oracle_ECM1/ipm/lib/imaging-client.jar > test.txt

In the test.txt file look for the entry below; if it is present, your JAR file has been signed successfully.
