Perform Signing with Jarsigner and PKCS#11 Library
Code signing is a critical process in software development that ensures the authenticity and integrity of applications, protecting them from tampering and unauthorized modifications. To enhance this process, Encryption Consulting’s PKCS#11 library offers a powerful solution for performing code signing with Jarsigner across multiple operating systems, including Windows, Linux (Ubuntu), and macOS.
Jarsigner
The Jarsigner tool, included in the Java Development Kit (JDK), provides a robust mechanism for digitally signing files, making it an essential tool for Java developers distributing applications across various platforms.
It helps to sign the below mentioned file types:
- .jar: Java Archive files, which are general-purpose archives for Java classes and resources.
- .ear: Enterprise Archive files, used for packaging Java EE enterprise applications.
- .war: Web Application Archive files, used for packaging Java web applications.
- .sar: Service Archive files, used for packaging services in some Java EE environments.
Configuration of PKCS#11 Wrapper on Ubuntu
Prerequisites
Before we look into the process of signing using Jarsigner Tool and our PKCS11 Wrapper in Linux (Ubuntu) machine, ensure the following are ready:
- Ubuntu Version: Ubuntu version 22.04 or later (tested environment is Ubuntu 24.02)
- Dependencies: Install liblog4cxx12 and curl.
To install the dependencies, run the following commands
- sudo apt-get install curl
- sudo apt-get install liblog4cxx12
Installing EC’s PKCS#11 Wrapper
Step 1: Go to EC CodeSign Secure’s v3.02’s Signing Tools section and download the PKCS#11 Wrapper for Ubuntu.
Step 2: After that, generate a P12 Authentication certificate from the System Setup > User > Generate Authentication Certificate dropdown.
Step 3: Go to your Ubuntu client system and edit the configuration files (ec_PKCS#11client.ini and PKCS#11properties.cfg) downloaded in the PKCS#11 Wrapper.
Install Java on your Ubuntu machine.
You will also need to install Java (Java 8-17) on your Ubuntu machine for Jarsigner to work with our PKCS11 Wrapper.
Step 1: Install Java 17 on your Ubuntu machine.
sudo apt install openjdk-17-jdk
Step 2: Set Java 17 as the active version
sudo update-alternatives –config java
Step 3: Check whether Java has been installed properly or not
java -version
Step 4: Set Java 17 as the active version.
Run: nano ~/.bashrc
After running the above command, add these lines at the end of the file:
export JAVA_HOME=<Path of Java 17 bin folder>
export PATH=$JAVA_HOME/bin:$PATH
Press Ctrl + X, then Y to confirm, and then Enter to save.
Step 5: Reload the bashrc file
Run: source ~/.bashrc
Step 6: Check is the variable has been set
echo $JAVA_HOME
If not, then open a new terminal and try again.
Signing
Step 1: Change the working directory of the terminal to the folder that contains your “ec_pkcs11client.ini” and “pkcs11properties.cfg” files.
Step 2: Run the signing command from this directory.
<Path of Jarsigner tool> -keystore NONE -storepass NONE -storetype PKCS11 -sigalg SHA256withRSA -providerClass sun.security.pkcs11.SunPKCS11 -providerArg <Path of pkcs11properties.cfg> -signedjar <Path of the file after signing> <Path of the file to be signed> <Key alias of the signing certificate> -tsa http://timestamp.digicert.com
A sample command is provided below:
jarsigner -keystore NONE -storepass NONE -storetype PKCS11 -sigalg SHA256withRSA -providerClass sun.security.pkcs11.SunPKCS11 -providerArg pkcs11properties.cfg -signedjar helloworld_signed.jar helloworld.jar gpg2 -tsa http://timestamp.digicert.com
Verification
Step 1: For Verification, run the following command:
<Path of Jarsigner tool> -verify <Path of the file after signing> -certs -verbose
Step 2: A sample command is provided below:
jarsigner -verify helloworld_signed.jar -certs -verbose
Configuration of PKCS#11 Wrapper on Windows
Prerequisites
Before we look into the process of using Jarsigner Tool and our PKCS11 Wrapper on a Windows machine, ensure the following are ready:
- Windows Version: Windows 11 (tested environment is Windows 11 23H2)
Installing EC’s PKCS#11 Wrapper
Step 1: Go to EC CodeSign Secure’s v3.02’s Signing Tools section and download the PKCS#11 Wrapper for Windows.
Step 2: After that, generate a P12 Authentication certificate from the System Setup > User > Generate Authentication Certificate dropdown.
Step 3: Go to your Windows client system and edit the configuration files (ec_PKCS#11client.ini and PKCS#11properties.cfg) downloaded in the PKCS#11 Wrapper.
Install Java on your Windows machine
You will also need to install Java (Java 8-22) on your Windows machine for Jarsigner to work with our PKCS11 Wrapper.
Step 1: Install Java 22 (.exe installer) on your Windows machine from Oracle’s official site.
Step 2: Follow the instructions to install Java 22 on your machine.
Step 3: Set Java 22 as the active version by storing the bin path in the PATH variable.
Signing
Step 1: Change the working directory of the terminal to the folder that contains your “ec_pkcs11client.ini” and “pkcs11properties.cfg” files.
Step 2: Run the signing command from this directory.
<Path of Jarsigner tool> -keystore NONE -storepass NONE -storetype PKCS11 -sigalg SHA256withRSA -providerClass sun.security.pkcs11.SunPKCS11 -providerArg <Path of pkcs11properties.cfg> -signedjar <Path of the file after signing> <Path of the file to be signed> <Key alias of the signing certificate> -tsa http://timestamp.digicert.com
A sample command is provided below:
jarsigner -keystore NONE -storepass NONE -storetype PKCS11 -sigalg SHA256withRSA -providerClass sun.security.pkcs11.SunPKCS11 -providerArg pkcs11properties.cfg -signedjar helloworld_signed.jar helloworld.jar gpg2 -tsa http://timestamp.digicert.com
Verification
Step 1: For Verification, run the following command:
<Path of Jarsigner tool> -verify <Path of the file after signing> -certs -verbose
Step 2: A sample command is provided below:
jarsigner -verify helloworld_signed.jar -certs -verbose
Configuration of PKCS#11 Wrapper on MacOS
Prerequisites
Before we look into the process of using Jarsigner Tool and our PKCS11 Wrapper on a MacOS machine, ensure the following are ready:
- MacOS Version: Sequoia 15.2 (tested environment Sequoia 15.2)
- Dependencies: Install liblog4cxx and curl.
To install the dependencies, run the following commands
- brew install curl
- brew install log4cxx
Installing EC’s PKCS#11 Wrapper
Step 1: Go to EC CodeSign Secure’s v3.02’s Signing Tools section and download the PKCS#11 Wrapper for MacOS.
Step 2: After that, generate a P12 Authentication certificate from the System Setup > User > Generate Authentication Certificate dropdown.
Step 3: Go to your MacOS client system and edit the configuration files (ec_PKCS#11client.ini and PKCS#11properties.cfg) downloaded in the PKCS11 Wrapper.
Install Java on your MacOS machine.
You will also need to install Java (Java 8-17) on your MacOS machine for Jarsigner to work with our PKCS11 Wrapper.
Step 1: Install Java 17 on your MacOS machine.
brew install openjdk@17
Step 2: Find the location where Java 17 is installed on your machine
brew info to openjdk@17
Step 3: Set Java 17 as the active version.
For Zsh: nano ~/.zshrc
For Bash: nano ~/.bash_profile
After running the above command, add these lines:
export PATH=<Path of Java 17 bin folder>:$PATH
export JAVA_HOME=<Path of Java 17 bin folder>
Step 4: Reload the environment variables
For Zsh: source ~/.zshrc
For Bash: source ~/.bash_profile
Signing
Step 1: Change the working directory of the terminal to the folder that contains your “ec_pkcs11client.ini” and “pkcs11properties.cfg” files.
Step 2: Run the signing command from this directory.
<Path of Jarsigner tool> -keystore NONE -storepass NONE -storetype PKCS11 -sigalg SHA256withRSA -providerClass sun.security.pkcs11.SunPKCS11 -providerArg <Path of pkcs11properties.cfg> -signedjar <Path of the file after signing> <Path of the file to be signed> <Key alias of the signing certificate> -tsa http://timestamp.digicert.com
A sample command is provided below:
jarsigner -keystore NONE -storepass NONE -storetype PKCS11 -sigalg SHA256withRSA -providerClass sun.security.pkcs11.SunPKCS11 -providerArg pkcs11properties.cfg -signedjar helloworld_signed.jar helloworld.jar gpg2 -tsa http://timestamp.digicert.com
Verification
Step 1: For Verification, run the following command:
<Path of Jarsigner tool> -verify <Path of the file after signing> -certs -verbose
Step 2: A sample command is provided below:
jarsigner -verify helloworld_signed.jar -certs -verbose
Conclusion
Encryption Consulting’s CodeSign Secure takes code signing to the next level by offering a comprehensive platform that not only streamlines the signing process but also significantly bolsters organizational security. By leveraging advanced features like Hardware Security Module integration, client-side hashing, and virus scanning, CodeSign Secure ensures that signing keys remain safeguarded and that signed applications are free from malware.
CodeSign Secure integrates effortlessly into CI/CD pipelines, making it ideal for organizations aiming to automate and scale their development workflows while adhering to strict security policies. With detailed audit trails and policy enforcement, it provides transparency and accountability, helping businesses meet compliance requirements and build trust with their users.
By integrating seamlessly with Jarsigner, Encryption Consulting’s PKCS#11 library simplifies the configuration and execution of signing tasks, providing a consistent and secure experience regardless of the platform. Whether you’re developing on Windows, deploying on Ubuntu, or testing on macOS, this library empowers developers to maintain high security standards with minimal complexity.
