To sign content, a private key and public key must be used. The private key is used for signing the content, and the public key is used for verifying that the content has not been modified since it was signed. A key pair can be created using the Java keytool utility on the command line. Run

keytool

to see a list of options, and to verify that it is on the path. The following commands create a key pair in a keystore, list the keystore's contents, build a JAR, sign it, and verify the signature:

keytool -genkey -alias packtpub -keypass SayK3ys -keystore /path/to/keystore -storepass BarC0der -dname "cn=packtpub,ou=pub,o=packt"
keytool -list -keystore /path/to/keystore -storepass BarC0der
jar cf test.jar .
jarsigner -keypass SayK3ys -storepass BarC0der -keystore /path/to/keystore test.jar packtpub
jarsigner -verify test.jar

Two caveats apply to these commands. First, -genkey (an alias for -genkeypair) falls back to a default algorithm and key size when -keyalg and -keysize are omitted, and the defaults differ between JDK releases; specify them explicitly (for example -keyalg RSA -keysize 3072) together with a -validity period rather than relying on them. Second, passwords given on the command line are visible in the shell history and in the process list; both keytool and jarsigner prompt for a password that is omitted, and also accept -storepass:env, -storepass:file, -keypass:env and -keypass:file to read it from an environment variable or a file instead.
The Java keytool program manages keys and certificates for Java programs that want to sign content. Each entry in the keystore has an alias (to allow for ease of reference if there are many). The keystore as a whole is protected by a store password, and each private key entry is additionally protected by its own key password.

The keystore is created at the location given, protected with the store password BarC0der. To use any of the keys in the keystore, the store needs to be unlocked with this password first.

To use the private key, we also need to give the key password, which is SayK3ys. Typically the key password will be different from the store password; if multiple keys are present, it is good practice to have a different password for each one, so that unlocking the store does not grant access to every key in it.
The distinguished name (dname) is an X.500 distinguished name, the same form used by LDAP and by X.509 certificates, identifying the owner of the key. This is represented as a series of comma-separated name=value pairs. At a minimum, they need a common name (cn) and then some kind of organizational identifier. In this case, the organizational unit (ou) is pub and the organization (o) is packt.

Another common way of representing ownership is to use the domain components (dc), so an alternative is to use something like cn=e4,dc=packtpub,dc=com where each label in the packtpub.com domain is split into its own dc element in the distinguished name. Note that the order of elements is significant.
The jarsigner tool is used to sign a JAR and needs access to the store, the store's password, and the key's password. The alias of the key to sign with is given as the last argument and is required when signing; with a single -keypass, every key in the store is assumed to share that password, which is why distinct key passwords are best practice.

Finally, jarsigner can also be used to check whether a signature is correct or not using the -verify argument. Be aware of what this checks: it confirms that the JAR's entries match the signature file and that the signature was made with the certificate embedded in the JAR. It does not establish that the signer is who you expect, because anyone can generate a self-signed certificate carrying the same distinguished name. Run jarsigner -verify -verbose -certs test.jar to print the signer's certificate, and compare it against a certificate you obtained and trust out of band; for a self-signed key such as the one above, jarsigner will also warn that the certificate chain is not validated.
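The following program is an added example and is not code from the book; it shows how a Java application can do the trust check that jarsigner -verify leaves out. It reads every entry of the signed JAR (which is what triggers the JDK's digest verification), then requires each entry to have been signed by the exact certificate stored under the packtpub alias in the keystore created above. The class name VerifySignedJar, the argument order (jar, keystore, store password) and the use of the keystore itself as the source of the trusted certificate are assumptions made for the example; in practice the trusted certificate would come from a separate truststore shipped with the verifier rather than from the signer's keystore.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (not from the book): verifies a signed JAR against a pinned certificate.
public class VerifySignedJar {

    /** Loads the certificate stored under the given alias, e.g. the packtpub entry. */
    static X509Certificate trustedCert(String keystorePath, char[] storePass, String alias)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(keystorePath))) {
            ks.load(in, storePass);
        }
        Certificate c = ks.getCertificate(alias);
        if (c == null) {
            throw new IllegalArgumentException("no certificate for alias " + alias);
        }
        return (X509Certificate) c;
    }

    /** Signature files and the manifest carry the signature; they are not themselves signed entries. */
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase();
        return n.startsWith("META-INF/")
                && (n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA")
                    || n.endsWith(".EC") || n.equals("META-INF/MANIFEST.MF"));
    }

    /**
     * Returns true only if every ordinary entry is signed by the trusted certificate.
     * A tampered entry makes the JDK throw SecurityException while its bytes are read.
     */
    static boolean verify(String jarPath, X509Certificate trusted) throws IOException {
        try (JarFile jar = new JarFile(jarPath, true)) {   // true = verify digests/signatures
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || isSignatureFile(e.getName())) {
                    continue;
                }
                // getCodeSigners() is only populated after the entry has been fully read.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) {
                        // consume the entry; digests are checked as the bytes stream past
                    }
                }
                CodeSigner[] signers = e.getCodeSigners();   // null for an unsigned entry
                if (signers == null) {
                    return false;
                }
                boolean signedByTrusted = false;
                for (CodeSigner s : signers) {
                    // The leaf (signer) certificate is first in the cert path.
                    Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
                    if (leaf.equals(trusted)) {   // compares the DER encoding, not just the DN
                        signedByTrusted = true;
                    }
                }
                if (!signedByTrusted) {
                    return false;
                }
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // usage: java VerifySignedJar test.jar /path/to/keystore BarC0der
        X509Certificate trusted = trustedCert(args[1], args[2].toCharArray(), "packtpub");
        boolean ok;
        try {
            ok = verify(args[0], trusted);
        } catch (SecurityException tampered) {   // digest mismatch: contents changed after signing
            ok = false;
        }
        System.out.println(ok ? "signed by the trusted packtpub certificate" : "NOT trusted");
        System.exit(ok ? 0 : 1);
    }
}
```

The comparison is done on the whole certificate rather than on the distinguished name precisely because the name is chosen by whoever runs keytool; an attacker who signs a modified JAR with their own key and the dname cn=packtpub,ou=pub,o=packt would pass a name check but not this one. Re-signing the JAR with a second key, or editing a class file after signing, both make the check fail.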