Signing Your JAR File
Problem
You want to digitally sign your JAR file.
Solution
Get or forge a digital certificate, and use the jarsigner program.
Discussion
A JAR file can be digitally signed to verify the identity of its creator. This is very similar to digital signing of web sites: consumers are trained not to enter sensitive information such as credit card numbers into a web form unless the “padlock” icon shows that it is digitally signed. Signing JAR files uses the security API in the core Java 2 platform. You can sign JAR files for use with Java applets (see Chapter 17) or JWS (Section 23.12). In either case, the jarsigner tool is used. This program is part of the Java 2 standard edition.
You can purchase a certificate from one of the commercial signing agencies when you are ready to go live. Meanwhile, for testing, you can " self-sign” a certificate. Here are the steps needed to sign a JAR file with a test certificate:
Create a new key in a new “keystore” as follows:
keytool -genkey -keystore myKeystore -alias myself
The alias “myself” is arbitrary; its intent is to remind you that it is a self-signed key so you don’t put it into production by accident.
The program will prompt you in the terminal window for information about the new key. It will ask for a password for protecting the keystore. Then it will ask for your name, department, organization, city, state, country, and so on. This information will go into the new keystore file on disk.
Create a self-signed test certificate: ...
Get Java Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
