How to Sign .jar Files Using OV or EV Code Signing Certificates on a USB Token - Windows OS


 

The jarsigner utility, included with the Java Development Kit (JDK), is used to sign and verify .jar files. This guide provides a step-by-step walkthrough for signing .jar files on Windows using OV or EV Code Signing Certificates stored on a USB token.

Prerequisites

  1. JDK Installation: Ensure JDK 17 or later is installed (JDK 21 is preferred). Download it from:
  2. USB Token: Your OV or EV Code Signing Certificate must be loaded onto the token.

 

Step 1: Creating a Configuration File

The configuration file specifies the keystore provider and the path to the required library.

  1. Open Notepad and type the following lines:

name=eToken
library=c:\WINDOWS\system32\eTPKCS11.dll

  2. Save the file as eToken.cfg in the JDK bin directory (e.g., C:\Program Files\Java\jdk-21\bin). If you save it elsewhere, reference its full path when running the commands below.


 

Step 2: Import Sectigo Root and Intermediate Certificates to Java cacerts

The Java keystore (cacerts) must trust the Sectigo certificates. Import these certificates to avoid validation issues.

Procedure:

  1. Download Sectigo Root and Intermediate Certificates from:

 

  2. Rename the certificates for clarity (ensure .cer extension):
    • Root: aaa_root.cer
    • Intermediate: Sectigo_intermediate.cer
    • Cross-sign: Sectigo_cross_sign.cer

  3. Move the certificates to the JDK bin directory.
  4. Open Command Prompt as Administrator and navigate to the JDK bin directory:

cd "C:\Program Files\Java\jdk-21\bin"

  5. Import the certificates using keytool commands. The -cacerts option selects the JDK's own cacerts trust store (lib\security\cacerts under the JDK directory):

  • Root Certificate:

keytool -import -trustcacerts -cacerts -alias Root -file aaa_root.cer

  • Cross-sign Certificate:

keytool -import -trustcacerts -cacerts -alias Cross -file Sectigo_cross_sign.cer

  • Intermediate Certificate:

keytool -import -trustcacerts -cacerts -alias OV -file Sectigo_intermediate.cer

  6. Note:

  • Default cacerts password: changeit
  • Administrator privileges are required.

 

Step 3: Import Certificates to the USB Token

Some tokens require the full certificate chain for validation during signing.

Procedure:

  • Open the SafeNet Authentication Client App.
  • Locate your company name.
  • Click on your Company’s Name.
  • Right click on User Certificates.
  • Choose Import Certificate from menu.
  • Browse to where you saved the certificates in .cer format.
  • Select and import each certificate to the token.

 

 


Step 4: Verify Certificate and Alias on the Token

Retrieve the alias of the OV or EV Code Signing Certificate.

  1. Open Command Prompt and navigate to the JDK bin directory:

cd "C:\Program Files\Java\jdk-21\bin"

  2. Execute the following command:

keytool -list -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken.cfg

  3. Enter the token’s password when prompted.

Example Output:

Keystore type: PKCS11

Keystore provider: SunPKCS11-eToken

Your keystore contains 1 entry

Sectigo_20240422134545, PrivateKeyEntry,

Certificate fingerprint (SHA-256): 93:11:8E:FF:60:47:45:92:D4:46:E9:73:DA:31:E6:F1:2C:96:FD:0D:94:12:42:9D:0D:F7:97:C2:77:3E:30:23

 

 

Note: In this example, Sectigo_20240422134545 is the alias to be used in the signing process.


 

Step 5: Sign a .jar File Using the OV or EV Certificate Token

Plug in the OV or EV Code Signing Certificate token.

 

Note:
You can place all the above certificates in the C:\Program Files\Java\jdk-21\bin folder. This allows you to avoid specifying the full path to the certificates in the commands below.

Command:

jarsigner -tsa http://timestamp.sectigo.com -verbose -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken.cfg "C:\path\to\file.jar" ALIAS_FROM_PREVIOUS_STEP

 

Example:

jarsigner -tsa http://timestamp.sectigo.com -verbose -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken.cfg ice-unsigned.jar Sectigo_20240422134545

 

Output:

 

jar signed.

The signer certificate will expire on 2025-04-22.

The timestamp will expire on 2035-04-14.

 

 


 

Step 6: Verify the Signed .jar File

Command:

 

jarsigner -verify -verbose -certs "C:\path\to\signed.jar"

 

Example Output:

 

s = signature was verified

m = entry is listed in manifest

k = at least one certificate was found in keystore

 

jar verified.

The signer certificate will expire on 2025-04-22.

The timestamp will expire on 2035-04-14.
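
Added example (not part of the original article or of Sectigo's tooling): a Java 17+ program that repeats the Step 6 check in code and also pins the signer to the SHA-256 fingerprint that keytool printed in Step 4, which is useful as a release gate. The class name CheckJarSigner and its two command-line arguments are assumptions of this example.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.HexFormat;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
// Added example, not Sectigo's code. Run: java CheckJarSigner.java signed.jar <SHA-256 fingerprint>
public class CheckJarSigner {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) throw new IllegalArgumentException("usage: <jar> <sha256-fingerprint>");
        // Expected signer fingerprint as printed by keytool -list in Step 4 (colons optional).
        String expected = args[1].replace(":", "").toLowerCase(Locale.ROOT);
        int checked = 0;
        try (JarFile jar = new JarFile(args[0], true)) { // true = verify signatures
            for (JarEntry entry : Collections.list(jar.entries())) {
                String name = entry.getName();
                if (entry.isDirectory() || isSignatureFile(name)) continue;
                // Signers are only known once the entry has been read to the end;
                // a modified entry raises SecurityException during this read.
                try (InputStream in = jar.getInputStream(entry)) {
                    in.transferTo(OutputStream.nullOutputStream());
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) throw new SecurityException("unsigned entry: " + name);
                boolean match = false;
                for (CodeSigner signer : signers) {
                    // The first certificate in the path is the signer's own certificate.
                    Certificate leaf = signer.getSignerCertPath().getCertificates().get(0);
                    byte[] digest = MessageDigest.getInstance("SHA-256").digest(leaf.getEncoded());
                    // Accept only the pinned certificate with a TSA timestamp (-tsa in Step 5).
                    match |= HexFormat.of().formatHex(digest).equals(expected) && signer.getTimestamp() != null;
                }
                if (!match) throw new SecurityException("no timestamped signature by expected signer: " + name);
                checked++;
            }
        }
        if (checked == 0) throw new SecurityException("no signed entries found");
        System.out.println("OK: " + checked + " entries signed by the expected certificate");
    }
    // Files that jarsigner writes directly under META-INF are not covered by the signature.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) >= 0) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.startsWith("META-INF/SIG-")
            || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }
}
```

This check does not validate the certificate chain against cacerts, so keep the jarsigner -verify step for chain and expiry warnings.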

 

 

