Keystores

Java code can be signed, which entails obtaining digital certificates and running the jarsigner (or equivalent) tool. You can grant permissions to code that is signed by a particular entity.

If you choose to handle signed code, you must establish a keystore to hold the public keys of the signing entity. Before you run the signed code, you must obtain the public key certificate of the signing entity and install that certificate into your keystore. Some browsers (e.g., Netscape 6) allow you to accept the public key certificate when you first run the signed program, but usually you must install the public key certificate before running the program.

Administration of the keystore is handled by the keytool utility (see Chapter 10). By default, the keystore is held in a file called .keystore in the user’s home directory. When you install a public key certificate into the keystore, you give that certificate an alias that is used to look up the certificate in the future. For example, my public key certificate lists my full name and other identifying information, but you may enter it into your keystore with an alias of sdo. This alias is the information that you list in a policy file.
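The check this implies before running signed code, written as an added example that is not from the book: open the default `.keystore`, look up the certificate under its alias (`sdo` here), and confirm that every entry in a jar is signed by that certificate. The keystore password and the jar path are assumed to be supplied on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Verifies that a jar's entries were signed by the certificate stored under a keystore alias. */
public class SignerCheck {

    // Load the default keystore from the user's home directory; the password is assumed, not given in the text.
    static KeyStore loadDefaultKeystore(char[] password) throws Exception {
        String path = System.getProperty("user.home") + "/.keystore";
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // True only if every non-metadata entry carries a valid signature from the certificate under 'alias'.
    static boolean signedBy(String jarPath, KeyStore ks, String alias) throws Exception {
        Certificate trusted = ks.getCertificate(alias);
        if (trusted == null) {
            throw new IllegalStateException("no certificate installed under alias " + alias);
        }
        try (JarFile jar = new JarFile(jarPath, true)) {   // verify=true: signatures are checked on read
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signer certificates are populated only after the entry has been read to the end;
                // a tampered entry raises SecurityException here, so the check fails closed.
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { }
                }
                Certificate[] signers = e.getCertificates();
                if (signers == null) return false;          // unsigned entry in a supposedly signed jar
                boolean match = false;
                for (Certificate c : signers) if (c.equals(trusted)) match = true;
                if (!match) return false;                   // signed, but not by the alias we trust
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // usage: java SignerCheck <jar> <alias> <keystore-password>
        KeyStore ks = loadDefaultKeystore(args[2].toCharArray());
        System.out.println(signedBy(args[0], ks, args[1]) ? "signed by " + args[1] : "NOT signed by " + args[1]);
    }
}
```

The same alias is what a policy file's `signedBy "sdo"` clause refers to, so the name chosen at import time must match the one used when granting permissions.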
