1jarsigner(1)                    Security Tools                    jarsigner(1)
2
3
4

NAME

6       jarsigner - Signs and verifies Java Archive (JAR) files.
7

SYNOPSIS

9       jarsigner [ options ] jar-file alias
10
11       jarsigner -verify [ options ] jar-file [alias ...]
12
13
14       options
15              The command-line options. See Options.
16
17       -verify
18              The -verify option can take zero or more keystore alias names
19              after the JAR file name. When the -verify option is specified,
20              the jarsigner command checks that the certificate used to verify
21              each signed entry in the JAR file matches one of the keystore
22              aliases. The aliases are defined in the keystore specified by
23              -keystore or the default keystore.
24
25              If you also specified the -strict option, and the jarsigner
26              command detected severe warnings, the message, "jar verified,
27              with signer errors" is displayed.
28
29       jar-file
30              The JAR file to be signed.
31
32              If you also specified the -strict option, and the jarsigner
33              command detected severe warnings, the message, "jar signed, with
34              signer errors" is displayed.
35
36       alias  The aliases are defined in the keystore specified by -keystore
37              or the default keystore.
38

DESCRIPTION

40       The jarsigner tool has two purposes:
41
42       · To sign Java Archive (JAR) files.
43
44       · To verify the signatures and integrity of signed JAR files.
45
46       The JAR feature enables the packaging of class files, images, sounds,
47       and other digital data in a single file for faster and easier
48       distribution. A tool named jar enables developers to produce JAR files.
49       (Technically, any zip file can also be considered a JAR file, although
50       when created by the jar command or processed by the jarsigner command,
51       JAR files also contain a META-INF/MANIFEST.MF file.)
52
53       A digital signature is a string of bits that is computed from some data
54       (the data being signed) and the private key of an entity (a person,
55       company, and so on). Similar to a handwritten signature, a digital
56       signature has many useful characteristics:
57
58       · Its authenticity can be verified by a computation that uses the
59         public key corresponding to the private key used to generate the
60         signature.
61
62       · It cannot be forged, assuming the private key is kept secret.
63
64       · It is a function of the data signed and thus cannot be claimed to be
65         the signature for other data as well.
66
67       · The signed data cannot be changed. If the data is changed, then the
68         signature cannot be verified as authentic.
69
70       To generate an entity's signature for a file, the entity must first
71       have a public/private key pair associated with it and one or more
72       certificates that authenticate its public key. A certificate is a
73       digitally signed statement from one entity that says that the public
74       key of another entity has a particular value.
75
76       The jarsigner command uses key and certificate information from a
77       keystore to generate digital signatures for JAR files. A keystore is a
78       database of private keys and their associated X.509 certificate chains
79       that authenticate the corresponding public keys. The keytool command is
80       used to create and administer keystores.
81
82       The jarsigner command uses an entity's private key to generate a
83       signature. The signed JAR file contains, among other things, a copy of
84       the certificate from the keystore for the public key corresponding to
85       the private key used to sign the file. The jarsigner command can verify
86       the digital signature of the signed JAR file using the certificate
87       inside it (in its signature block file).
88
89       The jarsigner command can generate signatures that include a time stamp
90       that lets a systems or deployer (including Java Plug-in) to check
91       whether the JAR file was signed while the signing certificate was still
92       valid. In addition, APIs allow applications to obtain the timestamp
93       information.
94
95       At this time, the jarsigner command can only sign JAR files created by
96       the jar command or zip files. JAR files are the same as zip files,
97       except they also have a META-INF/MANIFEST.MF file. A META-
98       INF/MANIFEST.MF file is created when the jarsigner command signs a zip
99       file.
100
101       The default jarsigner command behavior is to sign a JAR or zip file.
102       Use the -verify option to verify a signed JAR file.
103
104       The jarsigner command also attempts to validate the signer's
105       certificate after signing or verifying. If there is a validation error
106       or any other problem, the command generates warning messages. If you
107       specify the -strict option, then the command treats severe warnings as
108       errors. See Errors and Warnings.
109
110   KEYSTORE ALIASES
111       All keystore entities are accessed with unique aliases.
112
113       When you use the jarsigner command to sign a JAR file, you must specify
114       the alias for the keystore entry that contains the private key needed
115       to generate the signature. For example, the following command signs the
116       JAR file named MyJARFile.jar with the private key associated with the
117       alias duke in the keystore named mystore in the working directory.
118       Because no output file is specified, it overwrites MyJARFile.jar with
119       the signed JAR file.
120
121       jarsigner -keystore /working/mystore -storepass <keystore password>
122             -keypass <private key password> MyJARFile.jar duke
123
124       Keystores are protected with a password, so the store password must be
125       specified. You are prompted for it when you do not specify it on the
126       command line. Similarly, private keys are protected in a keystore with
127       a password, so the private key's password must be specified, and you
128       are prompted for the password when you do not specify it on the command
129       line and it is not the same as the store password.
130
131   KEYSTORE LOCATION
132       The jarsigner command has a -keystore option for specifying the URL of
133       the keystore to be used. The keystore is by default stored in a file
134       named .keystore in the user's home directory, as determined by the
135       user.home system property.
136
137       On Oracle Solaris systems, user.home defaults to the user's home
138       directory.
139
140       The input stream from the -keystore option is passed to the
141       KeyStore.load method. If NONE is specified as the URL, then a null
142       stream is passed to the KeyStore.load method. NONE should be specified
143       when the KeyStore class is not file based, for example, when it resides
144       on a hardware token device.
145
146   KEYSTORE IMPLEMENTATION
147       The KeyStore class provided in the java.security package supplies a
148       number of well-defined interfaces to access and modify the information
149       in a keystore. You can have multiple different concrete
150       implementations, where each implementation is for a particular type of
151       keystore.
152
153       Currently, there are two command-line tools that use keystore
154       implementations (keytool and jarsigner), and a GUI-based tool named
155       Policy Tool. Because the KeyStore class is publicly available, JDK
156       users can write additional security applications that use it.
157
158       There is a built-in default implementation provided by Oracle that
159       implements the keystore as a file, that uses a proprietary keystore
160       type (format) named JKS. The built-in implementation protects each
161       private key with its individual password and protects the integrity of
162       the entire keystore with a (possibly different) password.
163
164       Keystore implementations are provider-based, which means the
165       application interfaces supplied by the KeyStore class are implemented
166       in terms of a Service Provider Interface (SPI). There is a
167       corresponding abstract KeystoreSpi class, also in the java.security
168       package, that defines the Service Provider Interface methods that
169       providers must implement. The term provider refers to a package or a
170       set of packages that supply a concrete implementation of a subset of
171       services that can be accessed by the Java Security API. To provide a
172       keystore implementation, clients must implement a provider and supply a
173       KeystoreSpi subclass implementation, as described in How to Implement a
174       Provider in the Java Cryptography Architecture at
175       http://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html
176
177       Applications can choose different types of keystore implementations
178       from different providers, with the getInstance factory method in the
179       KeyStore class. A keystore type defines the storage and data format of
180       the keystore information and the algorithms used to protect private
181       keys in the keystore and the integrity of the keystore itself. Keystore
182       implementations of different types are not compatible.
183
184       The jarsigner command can read file-based keystores from any location
185       that can be specified using a URL. In addition, the command can read
186       non-file-based keystores such as those provided by MSCAPI on Windows
187       and PKCS11 on all platforms.
188
189       For the jarsigner and keytool commands, you can specify a keystore type
190       at the command line with the -storetype option. For Policy Tool, you
191       can specify a keystore type with the Edit command in the KeyStore menu.
192
193       If you do not explicitly specify a keystore type, then the tools choose
194       a keystore implementation based on the value of the keystore.type
195       property specified in the security properties file. The security
196       properties file is called java.security, and it resides in the JDK
197       security properties directory, java.home/lib/security, where java.home
198       is the runtime environment's directory. The jre directory in the JDK or
199       the top-level directory of the Java Runtime Environment (JRE).
200
201       Each tool gets the keystore.type value and then examines all the
202       installed providers until it finds one that implements keystores of
203       that type. It then uses the keystore implementation from that provider.
204
205       The KeyStore class defines a static method named getDefaultType that
206       lets applications and applets retrieve the value of the keystore.type
207       property. The following line of code creates an instance of the default
208       keystore type as specified in the keystore.type property:
209
210       KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
211
212       The default keystore type is jks (the proprietary type of the keystore
213       implementation provided by Oracle). This is specified by the following
214       line in the security properties file:
215
216       keystore.type=jks
217
218       Case does not matter in keystore type designations. For example, JKS is
219       the same as jks.
220
221       To have the tools use a keystore implementation other than the default,
222       change that line to specify a different keystore type. For example, if
223       you have a provider package that supplies a keystore implementation for
224       a keystore type called pkcs12, then change the line to the following:
225
226       keystore.type=pkcs12
227
228       Note: If you use the PKCS 11 provider package, then see "KeyTool" and
229       "JarSigner" in Java PKCS #11 Reference Guide at
230       http://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html
231
232   SUPPORTED ALGORITHMS
233       By default, the jarsigner command signs a JAR file using one of the
234       following algorithms:
235
236       · Digital Signature Algorithm (DSA) with the SHA1 digest algorithm
237
238       · RSA algorithm with the SHA256 digest algorithm
239
240       · Elliptic Curve (EC) cryptography algorithm with the SHA256 with
241         Elliptic Curve Digital Signature Algorithm (ECDSA).
242
243       If the signer's public and private keys are DSA keys, then jarsigner
244       signs the JAR file with the SHA1withDSA algorithm. If the signer's keys
245       are RSA keys, then jarsigner attempts to sign the JAR file with the
246       SHA256withRSA algorithm. If the signer's keys are EC keys, then
247       jarsigner signs the JAR file with the SHA256withECDSA algorithm.
248
249       These default signature algorithms can be overridden using the -sigalg
250       option.
251
252   THE SIGNED JAR FILE
253       When the jarsigner command is used to sign a JAR file, the output
254       signed JAR file is exactly the same as the input JAR file, except that
255       it has two additional files placed in the META-INF directory:
256
257       · A signature file with an .SF extension
258
259       · A signature block file with a .DSA, .RSA, or .EC extension
260
261       The base file names for these two files come from the value of the
262       -sigFile option. For example, when the option is -sigFile MKSIGN, the
263       files are named MKSIGN.SF and MKSIGN.DSA
264
265       If no -sigfile option appears on the command line, then the base file
266       name for the .SF and .DSA files is the first 8 characters of the alias
267       name specified on the command line, all converted to uppercase. If the
268       alias name has fewer than 8 characters, then the full alias name is
269       used. If the alias name contains any characters that are not allowed in
270       a signature file name, then each such character is converted to an
271       underscore (_) character in forming the file name. Valid characters
272       include letters, digits, underscores, and hyphens.
273
274       Signature File
275
276       A signature file (.SF file) looks similar to the manifest file that is
277       always included in a JAR file when the jarsigner command is used to
278       sign the file. For each source file included in the JAR file, the .SF
279       file has three lines, such as in the manifest file, that list the
280       following:
281
282       · File name
283
284       · Name of the digest algorithm (SHA)
285
286       · SHA digest value
287
288       In the manifest file, the SHA digest value for each source file is the
289       digest (hash) of the binary data in the source file. In the .SF file,
290       the digest value for a specified source file is the hash of the three
291       lines in the manifest file for the source file.
292
293       The signature file, by default, includes a header with a hash of the
294       whole manifest file. The header also contains a hash of the manifest
295       header. The presence of the header enables verification optimization.
296       See JAR File Verification.
297
298       Signature Block File
299
300       The .SF file is signed and the signature is placed in the signature
301       block file. This file also contains, encoded inside it, the certificate
302       or certificate chain from the keystore that authenticates the public
303       key corresponding to the private key used for signing. The file has the
304       extension .DSA, .RSA, or .EC, depending on the digest algorithm used.
305
306   SIGNATURE TIME STAMP
307       The jarsigner command can generate and store a signature time stamp
308       when signing a JAR file. In addition, jarsigner supports alternative
309       signing mechanisms. This behavior is optional and is controlled by the
310       user at the time of signing through these options. See Options.
311
312       -tsa url
313       -tsacert alias
314       -altsigner class
315       -altsignerpath classpathlist
316       -tsapolicyid policyid
317
318
319   JAR FILE VERIFICATION
320       A successful JAR file verification occurs when the signatures are
321       valid, and none of the files that were in the JAR file when the
322       signatures were generated have changed since then. JAR file
323       verification involves the following steps:
324
325       1.  Verify the signature of the .SF file.
326
327           The verification ensures that the signature stored in each
328           signature block (.DSA) file was generated using the private key
329           corresponding to the public key whose certificate (or certificate
330           chain) also appears in the .DSA file. It also ensures that the
331           signature is a valid signature of the corresponding signature (.SF)
332           file, and thus the .SF file was not tampered with.
333
334       2.  Verify the digest listed in each entry in the .SF file with each
335           corresponding section in the manifest.
336
337           The .SF file by default includes a header that contains a hash of
338           the entire manifest file. When the header is present, the
339           verification can check to see whether or not the hash in the header
340           matches the hash of the manifest file. If there is a match, then
341           verification proceeds to the next step.
342
343           If there is no match, then a less optimized verification is
344           required to ensure that the hash in each source file information
345           section in the .SF file equals the hash of its corresponding
346           section in the manifest file. See Signature File.
347
348           One reason the hash of the manifest file that is stored in the .SF
349           file header might not equal the hash of the current manifest file
350           is that one or more files were added to the JAR file (with the jar
351           tool) after the signature and .SF file were generated. When the jar
352           tool is used to add files, the manifest file is changed by adding
353           sections to it for the new files, but the .SF file is not changed.
354           A verification is still considered successful when none of the
355           files that were in the JAR file when the signature was generated
356           have been changed since then. This happens when the hashes in the
357           non-header sections of the .SF file equal the hashes of the
358           corresponding sections in the manifest file.
359
360       3.  Read each file in the JAR file that has an entry in the .SF file.
361           While reading, compute the file's digest and compare the result
362           with the digest for this file in the manifest section. The digests
363           should be the same or verification fails.
364
365           If any serious verification failures occur during the verification
366           process, then the process is stopped and a security exception is
367           thrown. The jarsigner command catches and displays the exception.
368
369       Note: You should read any addition warnings (or errors if you specified
370       the -strict option), as well as the content of the certificate (by
371       specifying the -verbose and -certs options) to determine if the
372       signature can be trusted.
373
374   MULTIPLE SIGNATURES FOR A JAR FILE
375       A JAR file can be signed by multiple people by running the jarsigner
376       command on the file multiple times and specifying the alias for a
377       different person each time, as follows:
378
379       jarsigner myBundle.jar susan
380       jarsigner myBundle.jar kevin
381
382       When a JAR file is signed multiple times, there are multiple .SF and
383       .DSA files in the resulting JAR file, one pair for each signature. In
384       the previous example, the output JAR file includes files with the
385       following names:
386
387       SUSAN.SF
388       SUSAN.DSA
389       KEVIN.SF
390       KEVIN.DSA
391
392

OPTIONS

394       The following sections describe the various jarsigner options. Be aware
395       of the following standards:
396
397       · All option names are preceded by a minus sign (-).
398
399       · The options can be provided in any order.
400
401       · Items that are in italics or underlined (option values) represent the
402         actual values that must be supplied.
403
404       · The -storepass, -keypass, -sigfile, -sigalg, -digestalg, -signedjar,
405         and TSA-related options are only relevant when signing a JAR file;
406         they are not relevant when verifying a signed JAR file. The -keystore
407         option is relevant for signing and verifying a JAR file. In addition,
408         aliases are specified when signing and verifying a JAR file.
409
410       -keystore url
411         Specifies the URL that tells the keystore location. This defaults to
412         the file .keystore in the user's home directory, as determined by the
413         user.home system property.
414
415         A keystore is required when signing. You must explicitly specify a
416         keystore when the default keystore does not exist or if you want to
417         use one other than the default.
418
419         A keystore is not required when verifying, but if one is specified or
420         the default exists and the -verbose option was also specified, then
421         additional information is output regarding whether or not any of the
422         certificates used to verify the JAR file are contained in that
423         keystore.
424
425         The -keystore argument can be a file name and path specification
426         rather than a URL, in which case it is treated the same as a file:
427         URL, for example, the following are equivalent:
428
429         -keystore filePathAndName
430         -keystore file:filePathAndName
431
432
433
434         If the Sun PKCS #11 provider was configured in the java.security
435         security properties file (located in the JRE's
436         $JAVA_HOME/lib/security directory), then the keytool and jarsigner
437         tools can operate on the PKCS #11 token by specifying these options:
438
439         -keystore NONE
440         -storetype PKCS11
441
442
443
444         For example, the following command lists the contents of the
445         configured PKCS#11 token:
446
447         keytool -keystore NONE -storetype PKCS11 -list
448
449
450
451       -storetype storetype
452         Specifies the type of keystore to be instantiated. The default
453         keystore type is the one that is specified as the value of the
454         keystore.type property in the security properties file, which is
455         returned by the static getDefaultType method in
456         java.security.KeyStore.
457
458         The PIN for a PCKS #11 token can also be specified with the
459         -storepass option. If none is specified, then the keytool and
460         jarsigner commands prompt for the token PIN. If the token has a
461         protected authentication path (such as a dedicated PIN-pad or a
462         biometric reader), then the -protected option must be specified and
463         no password options can be specified.
464
465       -storepass[:env | :file] argument
466         Specifies the password that is required to access the keystore. This
467         is only needed when signing (not verifying) a JAR file. In that case,
468         if a -storepass option is not provided at the command line, then the
469         user is prompted for the password.
470
471         If the modifier env or file is not specified, then the password has
472         the value argument. Otherwise, the password is retrieved as follows:
473
474         · env: Retrieve the password from the environment variable named
475           argument.
476
477         · file: Retrieve the password from the file named argument.
478
479
480       Note: The password should not be specified on the command line or in a
481       script unless it is for testing purposes, or you are on a secure
482       system.
483
484       -keypass [:env | :file] argument
485         Specifies the password used to protect the private key of the
486         keystore entry addressed by the alias specified on the command line.
487         The password is required when using jarsigner to sign a JAR file. If
488         no password is provided on the command line, and the required
489         password is different from the store password, then the user is
490         prompted for it.
491
492         If the modifier env or file is not specified, then the password has
493         the value argument. Otherwise, the password is retrieved as follows:
494
495         · env: Retrieve the password from the environment variable named
496           argument.
497
498         · file: Retrieve the password from the file named argument.
499
500
501       Note: The password should not be specified on the command line or in a
502       script unless it is for testing purposes, or you are on a secure
503       system.
504
505       -sigfile file
506         Specifies the base file name to be used for the generated .SF and
507         .DSA files. For example, if file is DUKESIGN, then the generated .SF
508         and .DSA files are named DUKESIGN.SF and DUKESIGN.DSA, and placed in
509         the META-INF directory of the signed JAR file.
510
511         The characters in the file must come from the set a-zA-Z0-9_-. Only
512         letters, numbers, underscore, and hyphen characters are allowed. All
513         lowercase characters are converted to uppercase for the .SF and .DSA
514         file names.
515
516         If no -sigfile option appears on the command line, then the base file
517         name for the .SF and .DSA files is the first 8 characters of the
518         alias name specified on the command line, all converted to upper
519         case. If the alias name has fewer than 8 characters, then the full
520         alias name is used. If the alias name contains any characters that
521         are not valid in a signature file name, then each such character is
522         converted to an underscore (_) character to form the file name.
523
524       -sigalg algorithm
525         Specifies the name of the signature algorithm to use to sign the JAR
526         file.
527
528         For a list of standard signature algorithm names, see "Appendix A:
529         Standard Names" in the Java Cryptography Architecture (JCA) Reference
530         Guide at
531         http://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#AppA
532
533         This algorithm must be compatible with the private key used to sign
534         the JAR file. If this option is not specified, then SHA1withDSA,
535         SHA256withRSA, or SHA256withECDSA are used depending on the type of
536         private key. There must either be a statically installed provider
537         supplying an implementation of the specified algorithm or the user
538         must specify one with the -providerClass option; otherwise, the
539         command will not succeed.
540
541       -digestalg algorithm
542         Specifies the name of the message digest algorithm to use when
543         digesting the entries of a JAR file.
544
545         For a list of standard message digest algorithm names, see "Appendix
546         A: Standard Names" in the Java Cryptography Architecture (JCA)
547         Reference Guide at
548         http://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#AppA
549
550         If this option is not specified, then SHA256 is used. There must
551         either be a statically installed provider supplying an implementation
552         of the specified algorithm or the user must specify one with the
553         -providerClass option; otherwise, the command will not succeed.
554
555       -certs
556         If the -certs option appears on the command line with the -verify and
557         -verbose options, then the output includes certificate information
558         for each signer of the JAR file. This information includes the name
559         of the type of certificate (stored in the .DSA file) that certifies
560         the signer's public key, and if the certificate is an X.509
561         certificate (an instance of the java.security.cert.X509Certificate),
562         then the distinguished name of the signer.
563
564         The keystore is also examined. If no keystore value is specified on
565         the command line, then the default keystore file (if any) is checked.
566         If the public key certificate for a signer matches an entry in the
567         keystore, then the alias name for the keystore entry for that signer
568         is displayed in parentheses.
569
570       -certchain file
571         Specifies the certificate chain to be used when the certificate chain
572         associated with the private key of the keystore entry that is
573         addressed by the alias specified on the command line is not complete.
574         This can happen when the keystore is located on a hardware token
575         where there is not enough capacity to hold a complete certificate
576         chain. The file can be a sequence of concatenated X.509 certificates,
577         or a single PKCS#7 formatted data block, either in binary encoding
578         format or in printable encoding format (also known as Base64
579         encoding) as defined by the Internet RFC 1421 standard. See Internet
580         RFC 1421 Certificate Encoding Standard and
581         http://tools.ietf.org/html/rfc1421.
582
583       -verbose
584         When the -verbose option appears on the command line, it indicates
585         verbose mode, which causes jarsigner to output extra information
586         about the progress of the JAR signing or verification.
587
588       -internalsf
589         In the past, the .DSA (signature block) file generated when a JAR
590         file was signed included a complete encoded copy of the .SF file
591         (signature file) also generated. This behavior has been changed. To
592         reduce the overall size of the output JAR file, the .DSA file by
593         default does not contain a copy of the .SF file anymore. If
594         -internalsf appears on the command line, then the old behavior is
595         utilized. This option is useful for testing. In practice, do not use
596         the -internalsf option because it incurs higher overhead.
597
598       -sectionsonly
599         If the -sectionsonly option appears on the command line, then the .SF
600         file (signature file) generated when a JAR file is signed does not
601         include a header that contains a hash of the whole manifest file. It
602         contains only the information and hashes related to each individual
603         source file included in the JAR file. See Signature File.
604
605         By default, this header is added, as an optimization. When the header
606         is present, whenever the JAR file is verified, the verification can
607         first check to see whether the hash in the header matches the hash of
608         the whole manifest file. When there is a match, verification proceeds
609         to the next step. When there is no match, it is necessary to do a
610         less optimized verification that the hash in each source file
611         information section in the .SF file equals the hash of its
612         corresponding section in the manifest file. See JAR File
613         Verification.
614
615         The -sectionsonly option is primarily used for testing. It should not
616         be used other than for testing because using it incurs higher
617         overhead.
618
619       -protected
620         Values can be either true or false. Specify true when a password must
621         be specified through a protected authentication path such as a
622         dedicated PIN reader.
623
624       -providerClass provider-class-name
625         Used to specify the name of cryptographic service provider's master
626         class file when the service provider is not listed in the
627         java.security security properties file.
628
629         Used with the -providerArg ConfigFilePath option, the keytool and
630         jarsigner tools install the provider dynamically and use
631         ConfigFilePath for the path to the token configuration file. The
632         following example shows a command to list a PKCS #11 keystore when
633         the Oracle PKCS #11 provider was not configured in the security
634         properties file.
635
636         jarsigner -keystore NONE -storetype PKCS11 \
637                   -providerClass sun.security.pkcs11.SunPKCS11 \
638                   -providerArg /mydir1/mydir2/token.config \
639                   -list
640
641
642
643       -providerName providerName
644         If more than one provider was configured in the java.security
645         security properties file, then you can use the -providerName option
646         to target a specific provider instance. The argument to this option
647         is the name of the provider.
648
649         For the Oracle PKCS #11 provider, providerName is of the form
650         SunPKCS11-TokenName, where TokenName is the name suffix that the
651         provider instance has been configured with, as detailed in the
652         configuration attributes table. For example, the following command
653         lists the contents of the PKCS #11 keystore provider instance with
654         name suffix SmartCard:
655
656         jarsigner -keystore NONE -storetype PKCS11 \
657                 -providerName SunPKCS11-SmartCard \
658                 -list
659
660
661
662       -Jjavaoption
663         Passes through the specified javaoption string directly to the Java
664         interpreter. The jarsigner command is a wrapper around the
665         interpreter. This option should not contain any spaces. It is useful
666         for adjusting the execution environment or memory usage. For a list
667         of possible interpreter options, type java -h or java -X at the
668         command line.
669
670       -tsa url
671         If -tsa http://example.tsa.url appears on the command line when
672         signing a JAR file then a time stamp is generated for the signature.
673         The URL, http://example.tsa.url, identifies the location of the Time
674         Stamping Authority (TSA) and overrides any URL found with the
675         -tsacert option. The -tsa option does not require the TSA public key
676         certificate to be present in the keystore.
677
678         To generate the time stamp, jarsigner communicates with the TSA with
679         the Time-Stamp Protocol (TSP) defined in RFC 3161. When successful,
680         the time stamp token returned by the TSA is stored with the signature
681         in the signature block file.
682
683       -tsacert alias
684         When -tsacert alias appears on the command line when signing a JAR
685         file, a time stamp is generated for the signature. The alias
686         identifies the TSA public key certificate in the keystore that is in
687         effect. The entry's certificate is examined for a Subject Information
688         Access extension that contains a URL identifying the location of the
689         TSA.
690
691         The TSA public key certificate must be present in the keystore when
692         using the -tsacert option.
693
694       -tsapolicyid policyid
695         Specifies the object identifier (OID) that identifies the policy ID
696         to be sent to the TSA server. If this option is not specified, no
697         policy ID is sent and the TSA server will choose a default policy ID.
698
699         Object identifiers are defined by X.696, which is an ITU
700         Telecommunication Standardization Sector (ITU-T) standard. These
701         identifiers are typically period-separated sets of non-negative
702         digits like 1.2.3.4, for example.
703
704       -altsigner class
705         This option specifies an alternative signing mechanism. The fully
706         qualified class name identifies a class file that extends the
707         com.sun.jarsigner.ContentSigner abstract class. The path to this
708         class file is defined by the -altsignerpath option. If the -altsigner
709         option is used, then the jarsigner command uses the signing mechanism
710         provided by the specified class. Otherwise, the jarsigner command
711         uses its default signing mechanism.
712
713         For example, to use the signing mechanism provided by a class named
714         com.sun.sun.jarsigner.AuthSigner, use the jarsigner option -altsigner
715         com.sun.jarsigner.AuthSigner.
716
717       -altsignerpath classpathlist
718         Specifies the path to the class file and any JAR file it depends on.
719         The class file name is specified with the -altsigner option. If the
720         class file is in a JAR file, then this option specifies the path to
721         that JAR file.
722
723         An absolute path or a path relative to the current directory can be
724         specified. If classpathlist contains multiple paths or JAR files,
725         then they should be separated with a colon (:) on Oracle Solaris and
726         a semicolon (;) on Windows. This option is not necessary when the
727         class is already in the search path.
728
729         The following example shows how to specify the path to a JAR file
730         that contains the class file. The JAR file name is included.
731
732         -altsignerpath /home/user/lib/authsigner.jar
733
734
735
736         The following example shows how to specify the path to the JAR file
737         that contains the class file. The JAR file name is omitted.
738
739         -altsignerpath /home/user/classes/com/sun/tools/jarsigner/
740
741
742
743       -strict
744         During the signing or verifying process, the command may issue
745         warning messages. If you specify this option, the exit code of the
746         tool reflects the severe warning messages that this command found.
747         See Errors and Warnings.
748
749       -verbose suboptions
750         For the verifying process, the -verbose option takes suboptions to
751         determine how much information is shown. If the -certs option is also
752         specified, then the default mode (or suboption all) displays each
753         entry as it is being processed, and after that, the certificate
754         information for each signer of the JAR file. If the -certs and the
755         -verbose:grouped suboptions are specified, then entries with the same
756         signer info are grouped and displayed together with their certificate
757         information. If -certs and the -verbose:summary suboptions are
758         specified, then entries with the same signer information are grouped
759         and displayed together with their certificate information. Details
760         about each entry are summarized and displayed as one entry (and
761         more). See Examples.
762

ERRORS AND WARNINGS

764       During the signing or verifying process, the jarsigner command may
765       issue various errors or warnings.
766
767       If there is a failure, the jarsigner command exits with code 1. If
768       there is no failure, but there are one or more severe warnings, the
769       jarsigner command exits with code 0 when the -strict option is not
770       specified, or exits with the OR-value of the warning codes when the
771       -strict is specified. If there is only informational warnings or no
772       warning at all, the command always exits with code 0.
773
774       For example, if a certificate used to sign an entry is expired and has
775       a KeyUsage extension that does not allow it to sign a file, the
776       jarsigner command exits with code 12 (=4+8) when the -strict option is
777       specified.
778
779       Note: Exit codes are reused because only the values from 0 to 255 are
780       legal on Unix-based operating systems.
781
782       The following sections describes the names, codes, and descriptions of
783       the errors and warnings that the jarsigner command can issue.
784
785   FAILURE
786       Reasons why the jarsigner command fails include (but are not limited
787       to) a command line parsing error, the inability to find a keypair to
788       sign the JAR file, or the verification of a signed JAR fails.
789
790       failure
791              Code 1. The signing or verifying fails.
792
793   SEVERE WARNINGS
794       Note: Severe warnings are reported as errors if you specify the -strict
795       option.
796
797       Reasons why the jarsigner command issues a severe warning include the
798       certificate used to sign the JAR file has an error or the signed JAR
799       file has other problems.
800
801       hasExpiredCert
802              Code 4. This jar contains entries whose signer certificate has
803              expired.
804
805       notYetValidCert
806              Code 4. This jar contains entries whose signer certificate is
807              not yet valid.
808
809       chainNotValidated
810              Code 4. This jar contains entries whose certificate chain cannot
811              be correctly validated.
812
813       badKeyUsage
814              Code 8. This jar contains entries whose signer certificate's
815              KeyUsage extension doesn't allow code signing.
816
817       badExtendedKeyUsage
818              Code 8. This jar contains entries whose signer certificate's
819              ExtendedKeyUsage extension doesn't allow code signing.
820
821       badNetscapeCertType
822              Code 8. This jar contains entries whose signer certificate's
823              NetscapeCertType extension doesn't allow code signing.
824
825       hasUnsignedEntry
826              Code 16. This jar contains unsigned entries which have not been
827              integrity-checked.
828
829       notSignedByAlias
830              Code 32. This jar contains signed entries which are not signed
831              by the specified alias(es).
832
833       aliasNotInStore
834              Code 32. This jar contains signed entries that are not signed by
835              alias in this keystore.
836
837   INFORMATIONAL WARNINGS
838       Informational warnings include those that are not errors but regarded
839       as bad practice. They do not have a code.
840
841       hasExpiringCert
842              This jar contains entries whose signer certificate will expire
843              within six months.
844
845       noTimestamp
846              This jar contains signatures that does not include a timestamp.
847              Without a timestamp, users may not be able to validate this JAR
848              file after the signer certificate's expiration date (YYYY-MM-DD)
849              or after any future revocation date.
850

EXAMPLES

852   SIGN A JAR FILE
853       Use the following command to sign bundle.jar with the private key of a
854       user whose keystore alias is jane in a keystore named mystore in the
855       working directory and name the signed JAR file sbundle.jar:
856
857       jarsigner -keystore /working/mystore
858           -storepass <keystore password>
859           -keypass <private key password>
860           -signedjar sbundle.jar bundle.jar jane
861
862       There is no -sigfile specified in the previous command so the generated
863       .SF and .DSA files to be placed in the signed JAR file have default
864       names based on the alias name. They are named JANE.SF and JANE.DSA.
865
866       If you want to be prompted for the store password and the private key
867       password, then you could shorten the previous command to the following:
868
869       jarsigner -keystore /working/mystore
870           -signedjar sbundle.jar bundle.jar jane
871
872       If the keystore is the default keystore (.keystore in your home
873       directory), then you do not need to specify a keystore, as follows:
874
875       jarsigner -signedjar sbundle.jar bundle.jar jane
876
877       If you want the signed JAR file to overwrite the input JAR file
878       (bundle.jar), then you do not need to specify a -signedjar option, as
879       follows:
880
881       jarsigner bundle.jar jane
882
883
884   VERIFY A SIGNED JAR FILE
885       To verify a signed JAR file to ensure that the signature is valid and
886       the JAR file was not been tampered with, use a command such as the
887       following:
888
889       jarsigner -verify sbundle.jar
890
891       When the verification is successful, jar verified is displayed.
892       Otherwise, an error message is displayed. You can get more information
893       when you use the -verbose option. A sample use of jarsigner with the-
894       verbose option follows:
895
896       jarsigner -verify -verbose sbundle.jar
897                  198 Fri Sep 26 16:14:06 PDT 1997 META-INF/MANIFEST.MF
898                  199 Fri Sep 26 16:22:10 PDT 1997 META-INF/JANE.SF
899                 1013 Fri Sep 26 16:22:10 PDT 1997 META-INF/JANE.DSA
900           smk   2752 Fri Sep 26 16:12:30 PDT 1997 AclEx.class
901           smk    849 Fri Sep 26 16:12:46 PDT 1997 test.class
902             s = signature was verified
903             m = entry is listed in manifest
904             k = at least one certificate was found in keystore
905           jar verified.
906
907
908   VERIFICATION WITH CERTIFICATE INFORMATION
909       If you specify the -certs option with the -verify and -verbose options,
910       then the output includes certificate information for each signer of the
911       JAR file. The information includes the certificate type, the signer
912       distinguished name information (when it is an X.509 certificate), and
913       in parentheses, the keystore alias for the signer when the public key
914       certificate in the JAR file matches the one in a keystore entry, for
915       example:
916
917       jarsigner -keystore /working/mystore -verify -verbose -certs myTest.jar
918                  198 Fri Sep 26 16:14:06 PDT 1997 META-INF/MANIFEST.MF
919                  199 Fri Sep 26 16:22:10 PDT 1997 META-INF/JANE.SF
920                 1013 Fri Sep 26 16:22:10 PDT 1997 META-INF/JANE.DSA
921                  208 Fri Sep 26 16:23:30 PDT 1997 META-INF/JAVATEST.SF
922                 1087 Fri Sep 26 16:23:30 PDT 1997 META-INF/JAVATEST.DSA
923           smk   2752 Fri Sep 26 16:12:30 PDT 1997 Tst.class
924             X.509, CN=Test Group, OU=Java Software, O=Oracle, L=CUP, S=CA, C=US (javatest)
925             X.509, CN=Jane Smith, OU=Java Software, O=Oracle, L=cup, S=ca, C=us (jane)
926             s = signature was verified
927             m = entry is listed in manifest
928             k = at least one certificate was found in keystore
929           jar verified.
930
931       If the certificate for a signer is not an X.509 certificate, then there
932       is no distinguished name information. In that case, just the
933       certificate type and the alias are shown. For example, if the
934       certificate is a PGP certificate, and the alias is bob, then you would
935       get: PGP, (bob).
936

SEE ALSO

938       · jar(1)
939
940       · keytool(1)
941
942       · Trail: Security Features in Java SE at
943         http://docs.oracle.com/javase/tutorial/security/index.html
944
945
946
947JDK 8                          21 November 2013                   jarsigner(1)
Impressum