Jarsigner for windows 10. File Overview
A keystore type defines the storage and data format of the keystore information and the algorithms used to protect private keys in the keystore and the integrity of the keystore itself. Keystore implementations of different types are not compatible. The jarsigner and policytool commands can read file-based keystores from any location that can be specified using a URL. For the jarsigner and keytool commands, you can specify a keystore type at the command line with the -storetype option.
If you do not explicitly specify a keystore type, then the tools choose a keystore implementation based on the value of the keystore. The security properties file is called java. Each tool gets the keystore. It then uses the keystore implementation from that provider. The KeyStore class defines a static method named getDefaultType that lets applications and applets retrieve the value of the keystore. The following line of code creates an instance of the default keystore type as specified in the keystore.
The default keystore type is jks, the proprietary type of the keystore implementation provided by Oracle. This is specified by the following line in the security properties file:. Case does not matter in keystore type designations. For example, JKS is the same as jks. To have the tools use a keystore implementation other than the default, change that line to specify a different keystore type. For example, if you have a provider package that supplies a keystore implementation for a keystore type called pkcs12, then change the line to the following:.
By default, the jarsigner command signs a JAR file using one of the following algorithms:. These default signature algorithms can be overridden using the -sigalg option.
A signature block file with a .DSA, .RSA, or .EC extension. The base file names for these two files come from the value of the -sigfile option. If no -sigfile option appears on the command line, then the base file name for the .SF and .DSA files is the first 8 characters of the alias name specified on the command line, all converted to uppercase.
If the alias name has fewer than 8 characters, then the full alias name is used. Valid characters include letters, digits, underscores, and hyphens. A signature file (.SF file) looks similar to the manifest file that is always included in a JAR file when the jarsigner command is used to sign the file.
For each source file included in the JAR file, the .SF file has three lines, such as in the manifest file, that list the following:. In the manifest file, the SHA digest value for each source file is the digest hash of the binary data in the source file.
In the .SF file, the digest value for a specified source file is the hash of the three lines in the manifest file for the source file. The signature file, by default, includes a header with a hash of the whole manifest file. The header also contains a hash of the manifest header.
The presence of the header enables verification optimization. The .SF file is signed and the signature is placed in the signature block file. This file also contains, encoded inside it, the certificate or certificate chain from the keystore that authenticates the public key corresponding to the private key used for signing. The file has the extension .DSA, .RSA, or .EC, depending on the digest algorithm used. The jarsigner command can generate and store a signature time stamp when signing a JAR file.
In addition, jarsigner supports alternative signing mechanisms. This behavior is optional and is controlled by the user at the time of signing through these options.
See Options. A successful JAR file verification occurs when the signatures are valid, and none of the files that were in the JAR file when the signatures were generated have changed since then.
JAR file verification involves the following steps:
The verification ensures that the signature stored in each signature block (.DSA) file was generated using the private key corresponding to the public key whose certificate or certificate chain also appears in the .DSA file. It also ensures that the signature is a valid signature of the corresponding signature (.SF) file, and thus the .SF file was not tampered with.
Verify the digest listed in each entry in the .SF file with each corresponding section in the manifest. The .SF file by default includes a header that contains a hash of the entire manifest file. When the header is present, the verification can check to see whether or not the hash in the header matches the hash of the manifest file. If there is a match, then verification proceeds to the next step. If there is no match, then a less optimized verification is required to ensure that the hash in each source file information section in the .SF file equals the hash of its corresponding section in the manifest file. See Signature File.
One reason the hash of the manifest file that is stored in the .SF file header might not equal the hash of the current manifest file is that one or more files were added to the JAR file with the jar tool after the signature and .SF file were generated. When the jar tool is used to add files, the manifest file is changed by adding sections to it for the new files, but the .SF file is not changed. A verification is still considered successful when none of the files that were in the JAR file when the signature was generated have been changed since then. This happens when the hashes in the non-header sections of the .SF file equal the hashes of the corresponding sections in the manifest file.
Read each file in the JAR file that has an entry in the .SF file. While reading, compute the file’s digest and compare the result with the digest for this file in the manifest section. The digests should be the same or verification fails.
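The digest checks in the last two steps above, as an added example in Python (not code from jarsigner or from the original page). It assumes SHA-256 digests and a constructed in-memory JAR, and it does not perform the first step (verifying the signature block against the .SF file), so on its own it shows consistency of the digests, not authenticity of the signer.

```python
import base64, hashlib, io, re, zipfile

ALG = "SHA-256"  # assumption: digest algorithm of the constructed sample
MF, SF = "META-INF/MANIFEST.MF", "META-INF/JANE.SF"  # JANE.SF as in the page's example

def digest(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def attr(section: bytes, key: str):
    """Value of one attribute in a section, after undoing line continuations."""
    text = section.decode().replace("\r\n ", "")
    m = re.search(rf"^{re.escape(key)}: (.*?)\r?$", text, re.M)
    return m.group(1) if m else None

def sections(raw: bytes):
    """Split into (header, {entry name: section bytes incl. trailing blank line})."""
    parts = [p + b"\r\n\r\n" for p in raw.split(b"\r\n\r\n") if p.strip()]
    return parts[0], {attr(p, "Name"): p for p in parts[1:]}

def manifest_for(files: dict) -> bytes:
    out = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in files.items():  # manifest digest = hash of the file's bytes
        out += f"Name: {name}\r\n{ALG}-Digest: {digest(data)}\r\n\r\n"
    return out.encode()

def sf_for(manifest: bytes) -> bytes:
    # Header carries the hash of the whole manifest (the verification shortcut).
    out = f"Signature-Version: 1.0\r\n{ALG}-Digest-Manifest: {digest(manifest)}\r\n\r\n"
    for name, sec in sections(manifest)[1].items():  # .SF digest = hash of manifest section
        out += f"Name: {name}\r\n{ALG}-Digest: {digest(sec)}\r\n\r\n"
    return out.encode()

def pack(files: dict, manifest: bytes, sf: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MF, manifest)
        jar.writestr(SF, sf)
        for name, data in files.items():
            jar.writestr(name, data)
    return buf.getvalue()

def verify_digests(jar_bytes: bytes) -> dict:
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read(MF)
        sf_header, sf_entries = sections(jar.read(SF))
        mf_entries = sections(manifest)[1]
        names = set(jar.namelist())
        # Fast path: does the .SF header hash match the current manifest?
        header_ok = attr(sf_header, f"{ALG}-Digest-Manifest") == digest(manifest)
        # Slow path: each .SF entry must match the hash of its manifest section.
        stale = [n for n, s in sf_entries.items() if n not in mf_entries
                 or attr(s, f"{ALG}-Digest") != digest(mf_entries[n])]
        # Last step: each signed file's bytes must match its manifest digest.
        tampered = [n for n in sf_entries if n in mf_entries and (n not in names
                    or attr(mf_entries[n], f"{ALG}-Digest") != digest(jar.read(n)))]
        unsigned = sorted(n for n in names
                          if not n.startswith("META-INF/") and n not in sf_entries)
    return {"header_ok": header_ok, "bad_sections": stale, "tampered": tampered,
            "unsigned": unsigned, "ok": not stale and not tampered}

# Constructed sample data: intact JAR, file added after signing, file modified.
FILES = {"app/Main.class": b"\xca\xfe\xba\xbe constructed", "app/config.properties": b"mode=prod\n"}
MORE = {**FILES, "extra.txt": b"added after signing"}
SIGNED_MF = manifest_for(FILES)
SIGNED_SF = sf_for(SIGNED_MF)
INTACT = pack(FILES, SIGNED_MF, SIGNED_SF)
ADDED = pack(MORE, manifest_for(MORE), SIGNED_SF)
TAMPERED = pack({**FILES, "app/Main.class": b"patched"}, SIGNED_MF, SIGNED_SF)
```

For the ADDED sample the header check fails but the per-section check passes, so the signed entries still verify while extra.txt is reported as unsigned, which is why unsigned entries deserve their own review.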
If any serious verification failures occur during the verification process, then the process is stopped and a security exception is thrown.
The jarsigner command catches and displays the exception. Note: You should read any additional warnings or errors if you specified the -strict option, as well as the content of the certificate by specifying the -verbose and -certs options, to determine if the signature can be trusted.
A JAR file can be signed by multiple people by running the jarsigner command on the file multiple times and specifying the alias for a different person each time, as follows:. When a JAR file is signed multiple times, there are multiple. In the previous example, the output JAR file includes files with the following names:. The following sections describe the various jarsigner options.
Be aware of the following standards:. Items that are in italics or underlined option values represent the actual values that must be supplied. The -storepass , -keypass , -sigfile , -sigalg , -digestalg , -signedjar , and TSA-related options are only relevant when signing a JAR file; they are not relevant when verifying a signed JAR file. The -keystore option is relevant for signing and verifying a JAR file.
In addition, aliases are specified when signing and verifying a JAR file. Specifies the URL that tells the keystore location. This defaults to the file. A keystore is required when signing. You must explicitly specify a keystore when the default keystore does not exist or if you want to use one other than the default.
A keystore is not required when verifying, but if one is specified or the default exists and the -verbose option was also specified, then additional information is output regarding whether or not any of the certificates used to verify the JAR file are contained in that keystore. The -keystore argument can be a file name and path specification rather than a URL, in which case it is treated the same as a file: URL, for example, the following are equivalent:. Specifies the type of keystore to be instantiated.
The default keystore type is the one that is specified as the value of the keystore. If none is specified, then the keytool and jarsigner commands prompt for the token PIN. If the token has a protected authentication path (such as a dedicated PIN-pad or a biometric reader), then the -protected option must be specified and no password options can be specified.
Specifies the password that is required to access the keystore. This is only needed when signing (not verifying) a JAR file. In that case, if a -storepass option is not provided at the command line, then the user is prompted for the password. If the modifier env or file is not specified, then the password has the value argument. Otherwise, the password is retrieved as follows:. Note: The password should not be specified on the command line or in a script unless it is for testing purposes, or you are on a secure system.
Specifies the password used to protect the private key of the keystore entry addressed by the alias specified on the command line. The password is required when using jarsigner to sign a JAR file. If no password is provided on the command line, and the required password is different from the store password, then the user is prompted for it.
Specifies the base file name to be used for the generated .DSA files. Only letters, numbers, underscore, and hyphen characters are allowed. All lowercase characters are converted to uppercase for the .DSA file names. If no -sigfile option appears on the command line, then the base file name for the .SF and .DSA files is the first 8 characters of the alias name specified on the command line, all converted to uppercase.
This algorithm must be compatible with the private key used to sign the JAR file. There must either be a statically installed provider supplying an implementation of the specified algorithm or the user must specify one with the -providerClass option; otherwise, the command will not succeed.
Specifies the name of the message digest algorithm to use when digesting the entries of a JAR file. If this option is not specified, then SHA is used.
If the -certs option appears on the command line with the -verify and -verbose options, then the output includes certificate information for each signer of the JAR file. This information includes the name of the type of certificate stored in the .DSA file that certifies the signer’s public key, and if the certificate is an X.
XCertificate , then the distinguished name of the signer. The keystore is also examined. If no keystore value is specified on the command line, then the default keystore file if any is checked.
If the public key certificate for a signer matches an entry in the keystore, then the alias name for the keystore entry for that signer is displayed in parentheses. Specifies the certificate chain to be used when the certificate chain associated with the private key of the keystore entry that is addressed by the alias specified on the command line is not complete.
This can happen when the keystore is located on a hardware token where there is not enough capacity to hold a complete certificate chain. The file can be a sequence of concatenated X. When the -verbose option appears on the command line, it indicates verbose mode, which causes jarsigner to output extra information about the progress of the JAR signing or verification. In the past, the .DSA (signature block) file generated when a JAR file was signed included a complete encoded copy of the .SF file (signature file) also generated.
This behavior has been changed. To reduce the overall size of the output JAR file, the .DSA file by default does not contain a copy of the .SF file anymore. If -internalsf appears on the command line, then the old behavior is utilized.
This option is useful for testing. In practice, do not use the -internalsf option because it incurs higher overhead. If the -sectionsonly option appears on the command line, then the .SF file (signature file) generated when a JAR file is signed does not include a header that contains a hash of the whole manifest file. It contains only the information and hashes related to each individual source file included in the JAR file.
By default, this header is added, as an optimization. When the header is present, whenever the JAR file is verified, the verification can first check to see whether the hash in the header matches the hash of the whole manifest file.
When there is a match, verification proceeds to the next step. When there is no match, it is necessary to do a less optimized verification that the hash in each source file information section in the .SF file equals the hash of its corresponding section in the manifest file.
The -sectionsonly option is primarily used for testing. It should not be used other than for testing because using it incurs higher overhead. Values can be either true or false. Specify true when a password must be specified through a protected authentication path such as a dedicated PIN reader.
Used to specify the name of cryptographic service provider’s master class file when the service provider is not listed in the java. Used with the -providerArg ConfigFilePath option, the keytool and jarsigner tools install the provider dynamically and use ConfigFilePath for the path to the token configuration file. If more than one provider was configured in the java. The argument to this option is the name of the provider.
For example, the following command lists the contents of the PKCS#11 keystore provider instance with name suffix SmartCard:.
I’ve used both machines to successfully build Android apps many times and sign them both with a debug key for testing and a release key from my own keystore, so it should be somewhere on each machine.
Returns a command not found error on both machines, however. If you only have the JRE installed you probably don’t have it. For posterity’s sake, if you are trying to actually use jarsigner to sign a jar file such as that of an applet with a keystore, you’ll need to reference jarsigner while running the command from the folder that your keystore is in:.
The above might be obvious, but it took me a few tries because I was trying to call jarsigner while inside the JDK folder, which had no knowledge of where my keystore was in the jre directory! If you can’t find it, download and install Java JDK from here. Unfortunately, you cannot have both of them installed in the same variable so you just need to overwrite the variable with new JDK installation path. For me the solution was in setting the global variable path to the JDK.
The fully qualified class name identifies a class file that extends the com. ContentSigner abstract class. The path to this class file is defined by the -altsignerpath option. If the -altsigner option is used, then the jarsigner command uses the signing mechanism provided by the specified class.
Otherwise, the jarsigner command uses its default signing mechanism. For example, to use the signing mechanism provided by a class named com. AuthSigner , use the jarsigner option -altsigner com. Specifies the path to the class file and any JAR file it depends on.
The class file name is specified with the -altsigner option. An absolute path or a path relative to the current directory can be specified. If classpathlist contains multiple paths or JAR files, then they should be separated with a colon (:) on Oracle Solaris and a semicolon (;) on Windows.
This option is not necessary when the class is already in the search path. The following example shows how to specify the path to a JAR file that contains the class file.
The JAR file name is included. The following example shows how to specify the path to the JAR file that contains the class file. The JAR file name is omitted. During the signing or verifying process, the command may issue warning messages. If you specify this option, the exit code of the tool reflects the severe warning messages that this command found.
For the verifying process, the -verbose option takes suboptions to determine how much information is shown. If the -certs option is also specified, then the default mode or suboption all displays each entry as it is being processed, and after that, the certificate information for each signer of the JAR file.
If the -certs and the -verbose:grouped suboptions are specified, then entries with the same signer info are grouped and displayed together with their certificate information. If -certs and the -verbose:summary suboptions are specified, then entries with the same signer information are grouped and displayed together with their certificate information. Details about each entry are summarized and displayed as one entry and more. See Examples. During the signing or verifying process, the jarsigner command may issue various errors or warnings.
If there is a failure, the jarsigner command exits with code 1. If there is no failure, but there are one or more severe warnings, the jarsigner command exits with code 0 when the -strict option is not specified, or exits with the OR-value of the warning codes when the -strict option is specified. If there are only informational warnings or no warnings at all, the command always exits with code 0.
Note: Exit codes are reused because only the values from 0 to are legal on Unix-based operating systems. The following sections describe the names, codes, and descriptions of the errors and warnings that the jarsigner command can issue. Reasons why the jarsigner command fails include but are not limited to a command line parsing error, the inability to find a keypair to sign the JAR file, or the verification of a signed JAR fails.
Note: Severe warnings are reported as errors if you specify the -strict option. Reasons why the jarsigner command issues a severe warning include the certificate used to sign the JAR file has an error or the signed JAR file has other problems. Code 8. This jar contains entries whose signer certificate’s KeyUsage extension doesn’t allow code signing. This jar contains entries whose signer certificate’s ExtendedKeyUsage extension doesn’t allow code signing. This jar contains entries whose signer certificate’s NetscapeCertType extension doesn’t allow code signing.
Informational warnings include those that are not errors but regarded as bad practice. They do not have a code. This jar contains signatures that does not include a timestamp. Use the following command to sign bundle. There is no -sigfile specified in the previous command so the generated. They are named JANE. If you want to be prompted for the store password and the private key password, then you could shorten the previous command to the following:.
If the keystore is the default keystore. To verify a signed JAR file to ensure that the signature is valid and the JAR file has not been tampered with, use a command such as the following:.
When the verification is successful, jar verified is displayed. Otherwise, an error message is displayed. You can get more information when you use the -verbose option. A sample use of jarsigner with the -verbose option follows:. If you specify the -certs option with the -verify and -verbose options, then the output includes certificate information for each signer of the JAR file.
The information includes the certificate type, the signer distinguished name information when it is an X. If the certificate for a signer is not an X. In that case, just the certificate type and the alias are shown.
If the JAR file was signed by both an alias in an identity database and an alias in a keystore, then both k and i appear. When the -certs option is used, any identity database aliases are shown in brackets rather than the parentheses used for keystore aliases, for example:.
Note: The alias duke is in brackets to denote that it is an identity database alias, and not a keystore alias.