JARSIGNER



> What is a JAR file?

JAR stands for Java Archive. A JAR packages Java class files (and their resources) into a single file in ZIP format, so a large Java project made up of many class files can be shipped as one file. A JAR can be used as a Java library or as an executable Java package.




> Working with JAR files.

- Creating a JAR file containing a single file.

jar -cf test.jar test.txt

- Creating a JAR file from multiple files.

The command below creates ten text files.
for n in {1..10}; do echo "Hello" > file$n; done

Now we'll use a wildcard to archive those files into a JAR file.
jar -cf test.jar file*

- Extracting the contents of a JAR file.

jar -xf test.jar



> Generating the key required for signing a JAR file.

Create a PKCS#12 keystore containing your signing key, with the key usage and extended key usage extensions set for code signing.
keytool -genkey -alias signingKey -keyalg RSA -keysize 2048 -sigalg sha256WithRSA -validity 365 -keystore myStore.p12 -storetype pkcs12 -dname "CN=SigningKey,O=Home,OU=HomePKI,Email=pki@home.lab" -ext KU:C="digitalSignature" -ext EKU:C="codeSigning" -ext BC:C="ca:false"

Preferably, get the certificate signed by a CA. Generate a certificate signing request for the key:
keytool -certreq -alias signingKey -keystore myStore.p12 -storetype pkcs12 -file signingKey.csr

After receiving the signed certificate and the CA certificates, bundle them into a single P7B (PKCS#7) file.
openssl crl2pkcs7 -nocrl -certfile cacerts.cer -certfile signingKey.cer -out signingKey.p7b

Import the signed certificate chain into your keystore under the same alias.
keytool -importcert -file signingKey.p7b -keystore myStore.p12 -storetype pkcs12 -alias signingKey



> Signing and Verifying a JAR File.

- Verifying a signed JAR file.

Check whether a JAR file is signed.
jarsigner -verify ../Softwares/BouncyCastle/bcprov-ext-jdk18on-171.jar

Check whether a JAR file is signed, with verbose output.
jarsigner -verify ../Softwares/BouncyCastle/bcprov-ext-jdk18on-171.jar -verbose

Check whether a JAR file is signed, with verbose output and the certificates used.
jarsigner -verify ../Softwares/BouncyCastle/bcprov-ext-jdk18on-171.jar -verbose -certs

Check whether a JAR file is signed, with a one-line summary per signer instead of the full verbose listing, plus the certificates used.
jarsigner -verify ../Softwares/BouncyCastle/bcprov-ext-jdk18on-171.jar -verbose:summary -certs

- Signing a JAR file.

Use a signing key stored in a keystore to sign a JAR file in place (the original file is overwritten).
jarsigner -keystore myStore.p12 -storetype pkcs12 SolarSystem.jar signingKey

Write the signed output to a separate JAR file instead of overwriting the original.
jarsigner -keystore myStore.p12 -storetype pkcs12 -signedjar SolarSystem_signed.jar SolarSystem.jar signingKey

Add a timestamp from a TSA to the signature, so it can still be validated after the signing certificate expires.
jarsigner -keystore myStore.p12 -storetype pkcs12 -signedjar SolarSystem_signed.jar -tsa http://timestamp.globalsign.com/tsa/r6advanced1 SolarSystem.jar signingKey

If the JAR was signed with a self-signed certificate, or with a certificate issued by a private CA, this command verifies the signature but may print warnings about the certificate chain.
jarsigner -verify SolarSystem_signed.jar

If you pass a truststore containing all the CA certificates, the only remaining warning concerns the TSA certificate.
jarsigner -verify SolarSystem_signed.jar -keystore truststore

- List of timestamping authorities

https://gist.github.com/Manouchehri/fd754e402d98430243455713efada710