File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
The moose likes Security and the fly likes jarsigner Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Engineering » Security
Bookmark "jarsigner" Watch "jarsigner" New topic


Mark Binau
Ranch Hand

Joined: Mar 04, 2004
Posts: 37
Howdy Y'all,
Greenhorn is an accurate descriptor for me with regards to this topic. We have an applet which writes to the client's hard drive and so we had to get a Code Signing Certificate. We purchased it from Thawte and it has been working great. We initially signed our applet with signtool.
I am now in the process of trying to create an ANT script which will include the generation of the signed jar file. As far as I can see ANT wants to use jarsigner instead of signtool. (Can anyone point me to an ANT task which works with signtool?) Jarsigner would be fine with me if I could get it to work.
I have read through the jarsigner and keytool documentation from Sun. It indicates that you must first use keytool to generate a private/public key pair and then export a Certificate Signing Request. However, the person who was involved in the purchase of the Code Signing Certificate from Thawte has indicated that for a Code Signing Certificate we did not need to generate such a request and that Thawte sent us a private key (mykey.pvk) and then we downloaded from Thawte the mycert.spc file. Does this sound right?
I have the "mycert.spc" and "mykey.pvk" files which we purchased from Thawte. I have used PVKIMPRT.EXE tool from Microsoft to create a PKCS12 keystore (keystore.pfx). When prompted by the export wizard I told it to export my private key. I have used code from a previous post on this site to determine the alias (thanks Pankaj Kr!). I then used the command:

jarsigner prompts me for the password and returns:

It does not sign the jar file. Does anyone know why this did not work? I printed the certificate from the keystore and can see that the X.500 Distinguished Name appears to be correct.
I have also used keytool to export the certificate from the PKCS12 keystore and import it into a JKS keystore. Jarsigner then returns:

Please enlighten me! Thanks in advance for your help!!
Mark Binau
Ranch Hand

Joined: Mar 04, 2004
Posts: 37
I upgraded to use the jarsigner.exe that came with J2SDK 1.4.2 and it works just fine.
I agree. Here's the link:
subject: jarsigner
It's not a secret anymore!