A JAR file can be digitally signed to verify the identity of its creator. This is very similar to digital signing of web sites: consumers are trained not to enter sensitive information such as credit card numbers into a web form unless the “padlock” icon shows that it is digitally signed. Signing JAR files uses the security API in the core Java 2 platform. You can sign JAR files for use with Java applets (see Chapter 17) or JWS (Section 23.12). In either case, the jarsigner tool is used. This program is part of the Java 2 standard edition.
You can purchase a certificate from one of the commercial signing agencies when you are ready to go live. Meanwhile, for testing, you can “self-sign” a certificate. Here are the steps needed to sign a JAR file with a test certificate:
Create a new key in a new “keystore” as follows:
keytool -genkey -keystore myKeystore -alias myself
The alias “myself” is arbitrary; its intent is to remind you that it is a self-signed key so you don’t put it into production by accident.
The program will prompt you in the terminal window for information about the new key. It will ask for a password for protecting the keystore. Then it will ask for your name, department, organization, city, state, country, and so on. This information will go into the new keystore file on disk.
Create a self-signed test certificate:
keytool -selfcert -alias myself -keystore myKeystore
You will have to give the keystore password, and then keytool will generate the certificate.
You may want to verify that the steps up to here worked correctly. You can list the contents of the keystore:
keytool -list -keystore myKeystore
The output should look something like the following:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry:

myself, Mon Dec 18 11:05:27 EST 2000, keyEntry,
Certificate fingerprint (MD5): 56:9E:31:81:42:07:BF:FF:42:01:CB:42:51:42:96:B6
You can now sign the JAR file with your test certificate:
jarsigner -keystore myKeystore test.jar myself
The jarsigner tool will update the META-INF directory of your JAR file to contain certificate information and digital signatures for each entry in the archive. This can take a while, depending on the speed of your CPU, the number of entries in the archive, and so on. The end result is a signed JAR file that will be acceptable to applet-enabled browsers, Java Web Start, and any other mechanisms that require a signed JAR file.
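As an added example that is not part of the original text, the following Java program performs the checking side of what this section describes: it opens a JAR with verification enabled, reads every entry so that the digests recorded in META-INF are actually checked, and reports which entries carry a code signer and which do not. The class name, the command-line convention and the output format are my own assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignatureCheck {   // hypothetical checker, not part of the JDK tools

    /** The manifest and the signature files themselves never carry a signature. */
    static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF") || (n.startsWith("META-INF/")
                && (n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC")));
    }

    /** Returns the number of content entries that carry no signature at all. */
    static int report(String jarPath) throws IOException {
        int unsigned = 0;
        // verify=true: each entry's digest is checked against META-INF/*.SF as it is read
        try (JarFile jar = new JarFile(jarPath, true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || isSignatureRelated(e.getName())) continue;
                // Signers are attached only after the entry's bytes have been read in full;
                // a digest mismatch (tampered entry) surfaces here as a SecurityException.
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* content discarded, the digest check is the point */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {          // entry added after signing, or never signed
                    unsigned++; System.out.println("UNSIGNED  " + e.getName());
                    continue;
                }
                for (CodeSigner s : signers) {
                    Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
                    String who = leaf instanceof X509Certificate
                            ? ((X509Certificate) leaf).getSubjectX500Principal().getName() : leaf.getType();
                    System.out.println("signed    " + e.getName() + "  by " + who);
                }
            }
        }
        return unsigned;
    }

    public static void main(String[] args) throws IOException {
        System.exit(report(args[0]) == 0 ? 0 : 1); // non-zero exit if anything is unsigned
    }
}
```

Run it as `java JarSignatureCheck test.jar` after signing; a self-signed test key shows up under the distinguished name you typed into keytool. The program tells you who signed each entry, not whether that signer should be trusted, which is a separate policy decision.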