Time for action – creating a self-signed certificate

Signing content requires a key pair: the private key produces the signature, and the corresponding public key (distributed inside a certificate) lets anyone check that the content has not been modified since it was signed. A key pair with a self-signed certificate can be created using the Java keytool utility on the command line.

  1. Run keytool with no arguments to see a list of options, and to verify that it is on the path.
  2. Create a new key pair with a self-signed certificate by running (all on one line):
    keytool -genkeypair
     -alias packtpub
     -keyalg RSA
     -keysize 2048
     -keypass SayK3ys
     -keystore /path/to/keystore
     -storepass BarC0der
     -dname "cn=packtpub,ou=pub,o=packt"
  3. Verify that the key was generated correctly (-v also prints the certificate details, including its validity period):
    keytool -list -v -keystore /path/to/keystore -storepass BarC0der
  4. Create a JAR file for testing purposes, for example by packaging the contents of the current directory:
    jar cf test.jar .
  5. Sign the JAR by running (all on one line; the alias at the end selects the key to sign with):
    jarsigner
     -keypass SayK3ys
     -storepass BarC0der
     -keystore /path/to/keystore
     test.jar
     packtpub
  6. Verify the JAR signature by running:
    jarsigner -verify -verbose -certs test.jar
     This checks that the entries match the signature carried in the JAR. To also check that the signer is the key you trust, rather than whatever certificate the JAR happens to contain, verify against the keystore and alias:
    jarsigner -verify -keystore /path/to/keystore -storepass BarC0der test.jar packtpub

What just happened?

The Java keytool program manages the keys and certificates used by Java programs that sign content. A keystore is protected by a single store password; each entry in it has an alias (to allow for ease of reference if there are many) and, for private-key entries, its own key password.

The keystore is created at the location given, protected with the store password BarC0der. To use any of the keys in the keystore, the store needs to be unlocked with this password first. Specify -keyalg RSA and -keysize 2048 (or stronger) explicitly: when -keyalg is omitted, keytool has historically defaulted to DSA (with a 1024-bit key in older releases), which is not suitable for a new signing key, and recent JDKs print a warning when the option is missing.

To use the private key, we need to give the key password, which is SayK3ys. Typically the key password is different from the store password; if multiple keys are present, it is good practice to have a different password for each one. Note that this separation applies to the JKS keystore format: since JDK 9 keytool creates PKCS12 keystores by default, which use one password for the store and its keys, and keytool ignores a differing -keypass with a warning. Add -storetype JKS to the keytool command if you want separate passwords.

The distinguished name (dname) is an X.500 name, the same form used by LDAP, identifying the owner of the key; it becomes the subject of the self-signed certificate. It is written as a series of comma-separated name=value pairs. keytool accepts any subset of the attributes, but you should give at least a common name (cn) and some kind of organizational identifier. In this case, the organizational unit (ou) is pub and the organization (o) is packt.

Another common way of representing ownership is to use the domain components (dc), so an alternative is to use something like cn=e4,dc=packtpub,dc=com where each element in the packtpub.com domain is split into its own dc element in the distinguished name. Note that the order of elements is significant.

The jarsigner tool is used to sign a JAR and needs access to the store, the store's password, the key's password and the alias of the key to sign with; when signing, the alias is a required argument, not an optional one. When verifying, aliases are optional: if one or more are given together with -keystore, jarsigner additionally checks that the signed entries were signed by one of those aliases and warns if they were not.

Finally, jarsigner can also be used to check whether a signature is correct using the -verify argument. On its own this only proves integrity against the certificate embedded in the JAR: a JAR signed with any self-signed key, including an attacker's, will report "jar verified" (with a warning that the certificate chain could not be validated). To establish trust as well, verify with -keystore and the expected alias so that the signer must match a key you have chosen to trust. jarsigner reports problems such as an unexpected signer or unsigned entries only as warnings unless -strict is given, which turns them into a non-zero exit status, so use -strict in scripts.
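The same sign-then-verify procedure as steps 5 and 6, done with the JDK's programmatic API so that the trust check described above is explicit in code. This is an added example, not code from the book: it assumes the keystore from step 2 was created with -storetype JKS (so the separate key password applies), that the unsigned JAR is ./test.jar, that the signed copy goes to ./test-signed.jar, and a JDK 9 or later (for KeyStore.getInstance(File, char[]) and jdk.security.jarsigner.JarSigner). The verifier does not merely ask "is the JAR signed?"; it requires every entry's digest to be intact and every entry's signer certificate to equal the one loaded from our own keystore.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.zip.ZipFile;

import jdk.security.jarsigner.JarSigner;

/**
 * Signs test.jar with the "packtpub" key from step 2, then verifies the result
 * against that specific certificate rather than against whatever certificate
 * is embedded in the JAR. Paths, file names and the JKS store type are
 * assumptions for this example, not values from the original page.
 */
public class SignAndVerify {

    static final String KEYSTORE = "/path/to/keystore";   // keystore from step 2
    static final String ALIAS = "packtpub";
    static final char[] STORE_PASS = "BarC0der".toCharArray();
    static final char[] KEY_PASS = "SayK3ys".toCharArray(); // JKS only; PKCS12 uses STORE_PASS

    public static void main(String[] args) throws Exception {
        File unsigned = new File("test.jar");          // assumed input
        File signed = new File("test-signed.jar");     // assumed output

        // Unlock the store with the store password, then the entry with the key password.
        KeyStore ks = KeyStore.getInstance(new File(KEYSTORE), STORE_PASS);
        KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) ks.getEntry(
                ALIAS, new KeyStore.PasswordProtection(KEY_PASS));
        Certificate trusted = entry.getCertificate();  // the self-signed cert we trust

        // Equivalent of: jarsigner -keystore ... test.jar packtpub
        // The signature algorithm is derived from the key's algorithm by JarSigner.
        JarSigner signer = new JarSigner.Builder(entry)
                .digestAlgorithm("SHA-256")
                .signerName("PACKTPUB")   // names META-INF/PACKTPUB.SF and the signature block
                .build();
        try (ZipFile in = new ZipFile(unsigned);
             FileOutputStream out = new FileOutputStream(signed)) {
            signer.sign(in, out);
        }

        boolean ok = verifiedBy(signed, trusted);
        System.out.println(ok ? "jar verified and signed by " + ALIAS
                              : "jar NOT verified by " + ALIAS);
        if (!ok) System.exit(1);
    }

    /**
     * True only if every non-META-INF entry has an intact digest AND carries a
     * signer whose certificate is exactly the one we chose to trust.
     */
    static boolean verifiedBy(File jar, Certificate trusted) throws Exception {
        byte[] buf = new byte[8192];
        try (JarFile jf = new JarFile(jar, true)) {    // true = verify signatures
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry je = entries.nextElement();
                if (je.isDirectory()) continue;
                // Reading an entry to EOF is what triggers the digest check;
                // a tampered entry throws SecurityException here.
                try (InputStream in = jf.getInputStream(je)) {
                    while (in.read(buf) != -1) { /* consume */ }
                } catch (SecurityException e) {
                    System.err.println("tampered entry: " + je.getName() + " (" + e.getMessage() + ")");
                    return false;
                }
                // The manifest and signature files are not themselves signed entries.
                if (je.getName().startsWith("META-INF/")) continue;
                CodeSigner[] signers = je.getCodeSigners();   // only valid after the full read
                if (signers == null) {
                    System.err.println("unsigned entry: " + je.getName());
                    return false;
                }
                boolean signedByTrusted = false;
                for (CodeSigner cs : signers) {
                    Certificate leaf = cs.getSignerCertPath().getCertificates().get(0);
                    if (leaf.equals(trusted)) signedByTrusted = true;
                }
                if (!signedByTrusted) {
                    System.err.println("entry signed by an untrusted key: " + je.getName());
                    return false;
                }
            }
        }
        return true;
    }
}
```

Compile and run it with `javac SignAndVerify.java && java SignAndVerify` from the directory containing test.jar. Re-sign test.jar with a different self-signed key and the program exits with status 1 (entry signed by an untrusted key), whereas a bare `jarsigner -verify` on the same file still prints "jar verified"; that difference is the point of pinning the verification to a certificate you control.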
