jarsigner | JAR Signing and Verification Tool
Synopsis

    jarsigner [options] jarfile signer
    jarsigner -verify jarfile
Description

jarsigner adds a digital signature to the specified jarfile, or, if the -verify option is specified, it verifies the digital signature or signatures already attached to the JAR file. The specified signer is a case-insensitive nickname or alias for the entity whose signature is to be used. The specified signer name is used to look up the private key that generates the signature.

When you apply your digital signature to a JAR file, you are implicitly vouching for the contents of the archive. You are offering your personal word that the JAR file contains only nonmalicious code, files that do not violate copyright laws, and so forth. When you verify a digitally signed JAR file, you can determine who the signer or signers of the file are and (if the verification succeeds) that the contents of the JAR file have not been changed, corrupted, or tampered with since the signature or signatures were applied. Verifying a digital signature is entirely different from deciding whether or not you trust the person or organization whose signature you verified.

jarsigner and the related keytool program replace the javakey program of Java 1.1.
Options

jarsigner defines a number of options, many of which specify how a private key is to be found for the specified signer. Most of these options are unnecessary when using the -verify option to verify a signed JAR file:

- -certs
  If this option is specified along with either the -verify or -verbose option, it causes jarsigner to display details of the public key certificates associated with the signed JAR file.

- -J javaoption
  Passes the specified javaoption directly to the Java interpreter.

- -keypass password
  Specifies the password that encrypts the private key of the specified signer. If this option is not specified, jarsigner prompts you for the password.

- -keystore url
  A keystore is a file that contains keys and certificates. This option specifies the filename or URL of the keystore in which the private and public key certificates of the specified signer are looked up. The default is the file named .keystore in the user's home directory (the value of the system property user.home). This is also the default location of the keystore managed by keytool.

- -sigfile basename
  Specifies the base name of the .SF and .DSA files added to the META-INF/ directory of the JAR file. If you leave this option unspecified, the base filename is chosen based on the signer name.

- -signedjar outputfile
  Specifies the name for the signed JAR file created by jarsigner. If this option is not specified, jarsigner overwrites the jarfile specified on the command line.

- -storepass password
  Specifies the password that verifies the integrity of the keystore (but does not encrypt the private key). If this option is omitted, jarsigner prompts you for the password.

- -storetype type
  Specifies the type of the keystore specified by the -keystore option. The default is the system-default keystore type, which on most systems is the Java Keystore type, known as JKS. If you have the Java Cryptography Extension installed, you may want to use a JCEKS keystore instead.

- -verbose
  Displays extra information about the signing or verification process.

- -verify
  Specifies that jarsigner should verify the specified JAR file rather than sign it.
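The following script is an added example, not part of the reference page, that walks the options above end to end: it generates a throwaway keystore with keytool, signs a JAR with -keystore, -storetype, -storepass, -keypass, -sigfile and -signedjar, verifies it with -verify -verbose -certs, and then shows that verification fails once an entry inside the signed archive is replaced. It assumes a JDK (keytool, jar, jarsigner) on PATH and exits quietly if none is present; the keystore name, alias demo, passwords and file names are constructed for the demo. Because the key here is RSA, the signature block file is META-INF/DEMOSIG.RSA rather than the .DSA the page mentions for DSA keys.

```shell
#!/bin/sh
# Added example (not from the reference page): sign a JAR, verify it, then
# demonstrate that a modified entry makes verification fail.
# Assumes a JDK on PATH; keystore, alias, passwords and file names are constructed.
set -eu

# Skip quietly on machines without a JDK so the script is safe to run anywhere.
for tool in keytool jar jarsigner; do
  if ! command -v "$tool" >/dev/null 2>&1; then
    echo "$tool not found; nothing to demonstrate" >&2
    exit 0
  fi
done

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. A throwaway JKS keystore holding one self-signed RSA key pair under alias "demo".
#    -storepass protects keystore integrity; -keypass encrypts the private key (JKS
#    allows the two to differ, which is why both are passed to jarsigner below).
keytool -genkeypair -alias demo -keyalg RSA -keysize 2048 -validity 30 \
  -dname "CN=demo signer, O=example" \
  -keystore demo.jks -storetype JKS \
  -storepass store-secret -keypass key-secret >/dev/null 2>&1

# 2. Something to sign: a one-entry JAR.
echo 'hello' > hello.txt
jar cf app.jar hello.txt

# 3. Sign. -signedjar writes a new file instead of overwriting app.jar;
#    -sigfile fixes the base name of META-INF/DEMOSIG.SF and META-INF/DEMOSIG.RSA.
jarsigner -keystore demo.jks -storetype JKS \
  -storepass store-secret -keypass key-secret \
  -sigfile DEMOSIG -signedjar app-signed.jar app.jar demo >/dev/null

# 4. Verify for a human reader: -verbose lists entries, -certs shows the signer certificate.
#    Expect "jar verified." plus a warning that the certificate is self-signed, which is
#    exactly the point the page makes: a valid signature says nothing about trust.
jarsigner -verify -verbose -certs app-signed.jar || true

# Exit status 0 from -verify means every signed entry's digest still matches.
verify_ok() { jarsigner -verify "$1" >/dev/null 2>&1; }

# 5. Tamper: replace hello.txt inside a copy of the signed JAR. The old .SF/.RSA and
#    manifest digests stay in META-INF, so the entry digest no longer matches.
echo 'tampered' > hello.txt
cp app-signed.jar app-tampered.jar
jar uf app-tampered.jar hello.txt

if verify_ok app-signed.jar; then echo "signed jar: verified"; fi
if ! verify_ok app-tampered.jar; then echo "tampered jar: verification failed, as expected"; fi
```

The tampered copy fails because jarsigner recomputes each entry's digest and compares it with the value recorded in META-INF/MANIFEST.MF, which the signature in DEMOSIG.SF covers; adding or replacing an entry without re-signing leaves that record stale.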
See also

    jar, keytool, javakey