How to Sign a JAR File

Aurigma offers private-label versions as a part of our Premium license offering. When your customers install ActiveX/Java Uploader on their computers, they see a security warning displaying the name of the company that owns the software. By default, customers see Aurigma, Inc. If you want to replace Aurigma's name with your company name, you can order a private-label version. In this case Aurigma creates a special custom uploader for you. Your company, in its turn, should then purchase a code singing certificate from one of the certificate authorities (e.g. Thawte or VeriSign) and sign the binaries with it.

This topic explains the steps required for signing a private-label version. You can disregard this topic if you don't have a private-label version of ActiveX/Java Uploader on your website.

About JAR Files

To make Java Uploader automatically install in a browser, it should be packed as a JAR file. The JAR (Java application archive) file is a format developed by Sun for packaging Java applications. For more details about embedding Java Uploader on a Web page see Using Private-label Version of ActiveX/Java Uploader Using Private-label Version of ActiveX/Java Uploader ASP.NET Using Private-label Version of ActiveX/Java Uploader PHP Using Private-label Version of ActiveX/Java Uploader JavaScript .

Code Signing

It would be insecure to enable a browser to download from the Web and install arbitrary software, because malicious people could distribute harmful code. Therefore, to avoid security problems browsers usually require applets and other software to be digitally signed using a special code signing certificate which is granted to software vendors by such certificate authorities as VeriSign and Thawte. Certificates ensure that the software being installed was actually developed by the specified vendor.

Though browser settings can be adjusted so that unsigned software can be installed, the default settings and corporate company-wide security policies usually do not allow this.

Walkthrough: Signing a JAR File

To sign Java Uploader controls with a Microsoft Authenticode Certificate you will need:

  • Microsoft Authenticode certificate (SPC file)
  • Private key file (PVK file)
  • pvk2pfx tool, which is the part of Windows SDK
  • Java Development Kit (JDK), which you can download here

First, you will need to convert the certificate to the PKCS12 format (.pfx file). To convert the certificate, perform the following steps:

  1. Download the pvk2pfx converter as a part of Windows SDK
  2. Run Command Prompt; to perform this click Start, then click Run and type cmd in the opened dialog.
  3. Convert the certificate using the following command:
    "<Path to .pvk to .pfx converter>\pvk2pfx.exe" -pvk "<Path to certs>\MyKey.pvk" -spc 
        "<Path to certs>\MyCert.spc" -pfx "<Path to certs>\MyCert.pfx" -f
    where <Path to .pvk to .pfx converter> is a path to the pvk2pfx utility (typically, it is located in the /Bin subfolder of the Windows SDK installation folder), and <Path to certs> is a path to your SPC and PVK certificate files.

Now, when you have the converted certificate, sign the JAR file by performing the following steps:

  1. Run Command Prompt; to perform this click Start, then click Run and type cmd in the opened dialog.
  2. Change the working directory to the Bin directory of JDK, for example:
    cd "C:\Program Files\Java\jdk1.7.0_40\bin"
  3. Check whether keytool can read the keystore using the following command:
    keytool -list -v -storetype pkcs12 -keystore <PFX file>
    where <PFX file> is a name of your converted certificate.
  4. Sign the JAR file using the following command:
    jarsigner -storetype pkcs12 -keystore <PFX file> Uploader8.jar <alias>
    where <PFX file> is the name of your converted certificate, and <alias> is the alias listed in the output from the keytool -list -v command that was run in the previous step.
  5. Verify that the JAR file has been signed using the following command:
    jarsigner -verify -certs Uploader8.jar

See Also


MSDN Articles