jarsigner(1) jarsigner(1) jarsigner - Java(JAR) jarsigner [ options ] jar-file alias jarsigner -verify [ options ] jar-file [alias ...] options -verify -verifyJAR0-verifyjarsignerJAR-keystore -strictjarsignerjar jar-file JAR -strictjarsignerjar - alias -keystore jarsigner2 o Java(JAR) o JAR JARjarJAR(ZIPJARjarJARjarsignerJARMETA-INF/MANIFEST.MF) ()() o o o o /1 jarsignerJARX.509keytool jarsignerJARjarsigner()JAR jarsignerJAR(Java Plug-in)API jarsignerjarZIPJARJARZIPJARMETA-INF/MANIFEST.MFMETA-INF/MANIFEST.MFjarsignerZIP jarsignerJARZIP-verifyJAR jarsigner-strict jarsignerJARworkingmystoredukeMyJARFile.jarJARMyJARFile.jarJAR jarsigner -keystore /working/mystore -storepass <keystore password> -keypass <private key password> MyJARFile.jar duke jarsignerURL-keystoreuser.home.keystore Oracle Solarisuser.home -keystoreKeyStore.loadURLNONEnullKeyStore.loadNONEKeyStore java.security packageKeyStore 2(keytooljarsigner)1GUIKeyStoreJDK OracleJKS()() KeyStore(SPI)KeystoreSpijava.security packageJava Security APIhttp://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html JavaKeystoreSpi KeyStoregetInstance jarsignerpolicytoolURLWindowsMSCAPIPKCS11 jarsignerkeytool-storetype keystore.typejava.securityJDKjava.home/lib/securityjava.homejreJDKJava Runtime Environment (JRE) keystore.type KeyStorestaticgetDefaultTypekeystore.typekeystore.type property KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); jks (Oracle) keystore.type=jks JKSjks pkcs12 keystore.type=pkcs12 : PKCS 11http://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html Java PKCS #11KeyToolJarSigner jarsignerJAR o SHA1(DSA) o SHA256RSA o SHA256(ECDSA)(EC) DSAjarsignerSHA1withDSAJARRSAjarsignerSHA256withRSAJARECjarsignerSHA256withECDSAJAR -sigalg JAR jarsignerJARJARJAR2META-INF o .SF o .DSA.RSA.EC 2-sigFile-sigFile MKSIGNMKSIGN.SFMKSIGN.DSA -sigfile.SF.DSA88(_) (.SF)jarsignerJARJAR.SF3 o o (SHA) o SHA SHA().SF3 JAR .SF.DSA.RSA.EC jarsignerJARjarsigner -tsa url -tsacert alias -altsigner class 
-altsignerpath classpathlist -tsapolicyid policyid JAR JARJARJAR 1. .SF (.DSA)().DSA(.SF).SF 2. .SF .SF .SF .SF1.SF(jar)1JARjar.SFJAR.SF 3. .SFJAR jarsigner : (-strict)(-verbose-certs) 1JAR jarsigner1JAR jarsigner myBundle.jar susan jarsigner myBundle.jar kevin JARJAR.SF.DSA11JAR SUSAN.SF SUSAN.DSA KEVIN.SF KEVIN.DSA jarsigner o (-) o o () o -storepass-keypass-sigfile-sigalg-digestalg-signedjarTSAJARJAR-keystore JARJAR -keystore url URLuser.home.keystore -verboseJAR1 -keystoreURL: URL -keystore filePathAndName -keystore file:filePathAndName (JRE$JAVA_HOME/lib/security directory) java.securitySun PKCS #11keytooljarsignerPKCS#11 -keystore NONE -storetype PKCS11 PKCS#11 keytool -keystore NONE -storetype PKCS11 -list -storetype storetype keystore.typejava.security.KeyStorestatic getDefaultType -storepassPKCS #11PINkeytooljarsignerPIN(PIN)-protected -storepass[:env | :file] argument JAR()-storepass envfileargument o env: argument o file: argument : -keypass [:env | :file] argument jarsignerJAR envfileargument o env: argument o file: argument : -sigfile file .SF.DSADUKESIGN.SF.DSADUKESIGN.SFDUKESIGN.DSAJARMETA-INF a-zA-Z0-9_-.SF.DSA -sigfile.SF.DSA88(_) -sigalg algorithm JAR http://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#AppA Java Cryptography Architecture (JCA)A: JARSHA1withDSASHA256withRSASHA256withECDSA-providerClass -digestalg algorithm JAR http://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#AppA Java Cryptography Architecture (JCA)A: SHA256-providerClass -certs -certs-verify-verboseJAR(.DSA)X.509(java.security.cert.X509Certificate) () -certchain file X.509PKCS#7Internet RFC 1421(Base64)RFC 1421http://tools.ietf.org/html/rfc1421 -verbose -verbosejarsignerJAR -internalsf JAR.DSA ().SF() JAR.DSA.SF-internalsf-internalsf -sectionsonly -sectionsonlyJAR.SF()JAR JAR.SFJAR -sectionsonly -protected truefalsePINtrue -providerClass provider-class-name java.security -providerArg 
ConfigFilePathkeytooljarsignerConfigFilePathOracle PKCS #11PKCS #11 jarsigner -keystore NONE -storetype PKCS11 \ -providerClass sun.security.pkcs11.SunPKCS11 \ -providerArg /mydir1/mydir2/token.config \ -list -providerName providerName java.security2-providerName Oracle PKCS #11providerNameSunPKCS11-TokenNameTokenNameSmartCardPKCS #11 jarsigner -keystore NONE -storetype PKCS11 \ -providerName SunPKCS11-SmartCard \ -list -Jjavaoption javaoptionJavajarsignerjava -hjava -X -tsa url -tsa http://example.tsa.urlJARURL http://example.tsa.urlTime Stamping Authority (TSA)-tsacertURL-tsaTSA jarsignerRFC 3161(TSP)TSATSA -tsacert alias -tsacert aliasJARTSATSAURLSubject Information Access -tsacertTSA -tsapolicyid policyid TSAID(OID)IDTSAID ITU Telecommunication Standardization Sector (ITU-T)X.696 1.2.3.4 -altsigner class com.sun.jarsigner.ContentSigner-altsignerpath-altsignerjarsignerjarsigner com.sun.jarsigner.AuthSignerjarsigner-altsigner com.sun.jarsigner.AuthSigner -altsignerpath classpathlist JAR-altsignerJARJAR classpathlistJAROracle Solaris(:)Windows(;) JARJAR -altsignerpath /home/user/lib/authsigner.jar JARJAR -altsignerpath /home/user/classes/com/sun/tools/jarsigner/ -strict -verbose suboptions -verbose-certs(all)JAR-certs-verbose:grouped-certs-verbose:summary1() jarsigner jarsigner11-strictjarsigner0-strictOR0 KeyUsage-strictjarsigner12 (=4+8) : SolarisLinuxOS X0255 jarsigner JARJAR()jarsigner failure 1 : -strict JARJARjarsigner hasExpiredCert 4jar notYetValidCert 4jar chainNotValidated 4jar badKeyUsage 8JARKeyUsage badExtendedKeyUsage 8jarExtendedKeyUsage badNetscapeCertType 8jarNetscapeCertType hasUnsignedEntry 16jar notSignedByAlias 32jar aliasNotInStore 32jar hasExpiringCert jar6 noTimestamp jar(YYYY-MM-DD)JAR JAR workingmystorejanebundle.jarJARsbundle.jar jarsigner -keystore /working/mystore -storepass <keystore password> -keypass <private key password> -signedjar sbundle.jar bundle.jar jane -sigfileJAR.SF.DSAJANE.SFJANE.DSA jarsigner -keystore /working/mystore -signedjar sbundle.jar bundle.jar jane 
(.keystore) jarsigner -signedjar sbundle.jar bundle.jar jane JAR(bundle.jar)JAR-signedjar jarsigner bundle.jar jane JAR JARJAR jarsigner -verify sbundle.jar jar verified-verbosejarsigner-verbose jarsigner -verify -verbose sbundle.jar 198 Fri Sep 26 16:14:06 PDT 1997 META-INF/MANIFEST.MF 199 Fri Sep 26 16:22:10 PDT 1997 META-INF/JANE.SF 1013 Fri Sep 26 16:22:10 PDT 1997 META-INF/JANE.DSA smk 2752 Fri Sep 26 16:12:30 PDT 1997 AclEx.class smk 849 Fri Sep 26 16:12:46 PDT 1997 test.class s = signature was verified m = entry is listed in manifest k = at least one certificate was found in keystore jar verified. -certs-verify-verboseJAR(X.509)JAR jarsigner -keystore /working/mystore -verify -verbose -certs myTest.jar 198 Fri Sep 26 16:14:06 PDT 1997 META-INF/MANIFEST.MF 199 Fri Sep 26 16:22:10 PDT 1997 META-INF/JANE.SF 1013 Fri Sep 26 16:22:10 PDT 1997 META-INF/JANE.DSA 208 Fri Sep 26 16:23:30 PDT 1997 META-INF/JAVATEST.SF 1087 Fri Sep 26 16:23:30 PDT 1997 META-INF/JAVATEST.DSA smk 2752 Fri Sep 26 16:12:30 PDT 1997 Tst.class X.509, CN=Test Group, OU=Java Software, O=Oracle, L=CUP, S=CA, C=US (javatest) X.509, CN=Jane Smith, OU=Java Software, O=Oracle, L=cup, S=ca, C=us (jane) s = signature was verified m = entry is listed in manifest k = at least one certificate was found in keystore jar verified. X.509PGPbobPGP, (bob) o jar(1) o keytool(1) o http://docs.oracle.com/javase/tutorial/security/index.html : Java SE JDK 8 20131121 jarsigner(1)