Saturday, 8 March 2014

Java JAR signing

The Java security API provides features to digitally sign a JAR. To see how to sign a piece of text, refer to this blog. In this post we will see how a JAR can be signed and why that is needed.

As mentioned in previous posts, signed data is just like a page carrying the signature of a person. The person receiving the page can verify that it was signed by the person who claims to have signed it. This is the same kind of security we see with a bank cheque: the person signs a cheque and deposits it in a bank, and the cashier verifies the signature on the cheque against that person's signature in the bank's records.

JAR signing is mainly used for Java applets. A Java applet is a piece of code that is embedded in an HTML page and runs when the web page is loaded. Applets are often considered harmful because they can run without any prior notification to the user who loaded the page. To give the user confidence that the applet comes from a trusted source, the programmer signs the applet. At the client side the browser then verifies the signature of the signed JAR, the applet in this case.

Let's see an example below of signing a jar and then verifying it.

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;

public class MyClass {
 public static void main(String[] args) {

  File file = new File("C:/Softwares/robots.txt");
  FileInputStream fis = null;

  try {
   fis = new FileInputStream(file);
   int content;
   // read one byte at a time until end of file (-1)
   while ((content = fis.read()) != -1) {
    // convert to char and display it
    System.out.print((char) content);
   }
  } catch (IOException e) {
   e.printStackTrace();
  } finally {
   try {
    if (fis != null)
     fis.close();
   } catch (IOException ex) {
    ex.printStackTrace();
   }
  }
 }
}

To sign a jar, one needs to generate a private key/public key pair. Note that signing needs the private key; the paired public key is sent to the other side with the signed jar.
Run the command below to generate the private key/public key pair.

keytool -genkeypair -alias client -keyalg RSA -keysize 1024 -storetype jceks -validity 365 -keypass password -keystore clientkeystore.jck -storepass password -dname "cn=localhost, ou=Verisign, o=MyComp Inc, l=Foster City, st=California, c=US"
Before signing the jar we need to create the jar of the Java class mentioned above. Use the jar command below to do it.

jar cf hunaid.jar .

After the keystore has been generated we can sign the jar. Use the jarsigner command below to sign it.

jarsigner -storetype jceks -signedjar SignedApp.jar -keystore C:\Java_Security\To_Be_Shared\JavaSecurity\JavaSecurity\bi\clientkeystore.jck -storepass password hunaid.jar client

The above command generates a file called SignedApp.jar which contains the same contents as the original jar plus two extra files in the META-INF (manifest) directory.

Jar verification is normally done by the browser, but one can also do it manually. The command below verifies the signed jar.

jarsigner -verify SignedApp.jar

The above command verifies the signature of the JAR. This means that the jar was signed by the private key whose paired public key is present in the signed jar. The command gives the output below:

jar verified.

This jar contains entries whose certificate chain is not valid

Re-run with the -verbose and -certs options for more details.

The verification was successful but it also gave a warning. The warning says that the certificate chain in the jar is not valid. The reason is that the key pair was self-signed: the certificate/public key that was generated was signed by the same private key and not by a trusted CA.
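As an added example (not code from the original post), the small Java program below reproduces both halves of what jarsigner reports: that every entry's signature is intact, and whether the signer's certificate chain is anchored in a truststore you choose. SignedJarCheck, anchoredIn and fail are names chosen here; passing the JDK's cacerts as the truststore gives the same "chain is not valid" verdict jarsigner gave for the self-signed key above.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class SignedJarCheck {
    // verify=true makes JarFile check digests and signature blocks as bytes are read; getCodeSigners() needs a full read
    public static boolean verify(String jarPath, KeyStore trustStore) throws Exception {
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarPath, true)) {
            for (Enumeration<JarEntry> en = jar.entries(); en.hasMoreElements();) {
                JarEntry e = en.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { } // read to EOF; a tampered entry throws SecurityException
                } catch (SecurityException tampered) {
                    return fail("TAMPERED: " + e.getName());
                }
                CodeSigner[] signers = e.getCodeSigners(); // null for an entry no .SF file covers
                if (signers == null || signers.length == 0) return fail("UNSIGNED: " + e.getName());
                for (CodeSigner s : signers) {
                    Certificate[] chain = s.getSignerCertPath().getCertificates().toArray(new Certificate[0]);
                    X509Certificate top = (X509Certificate) chain[chain.length - 1]; // leaf first, so last is topmost
                    if (!anchoredIn(top, trustStore)) // jarsigner's "certificate chain is not valid" case
                        return fail("UNTRUSTED SIGNER: " + top.getSubjectX500Principal());
                }
            }
        }
        return true;
    }
    // True if a certificate in the truststore signed (or is) the given certificate.
    static boolean anchoredIn(X509Certificate cert, KeyStore trustStore) throws Exception {
        for (Enumeration<String> a = trustStore.aliases(); a.hasMoreElements();) {
            Certificate t = trustStore.getCertificate(a.nextElement());
            if (t == null) continue;
            try { cert.verify(t.getPublicKey()); return true; } catch (Exception notSignedByThis) { }
        }
        return false;
    }
    static boolean fail(String why) { System.out.println(why); return false; }
    public static void main(String[] args) throws Exception { // <signed.jar> <truststore> <storepass>
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new java.io.FileInputStream(args[1])) { ts.load(in, args[2].toCharArray()); }
        System.out.println(verify(args[0], ts) ? "jar verified, signer trusted" : "verification failed");
    }
}
```

Note that anchoredIn only checks that the top of the chain is vouched for by a truststore certificate; a production check would also validate expiry dates and every link of the chain, which CertPathValidator does.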

To understand more about certificate chains, refer to the blog post Java keytool explored.
