Presents your JAVA E-NEWSLETTER for September 19, 2002
<------------------------------------------->

SIGN A JAR

While developers shipping production versions of commercial systems will purchase a code-signing certificate from a certificate authority to sign their JARs, the average developer on the street can quite happily sign a JAR with a self-signed certificate. Signing a JAR depends on two tools: keytool creates a key pair and its certificate in a keystore, and jarsigner signs the JAR with that key. Because the key lives in the keystore, the same key may be used to sign all of a company's or developer's JARs.

Why do JARs need signing? When a user starts up a Java Network Launching Protocol (JNLP) application or an applet, the code may request more access to the system than the sandbox normally provides. For example, it may have a File | Open menu option with which to load a .csv file from the local disk. Only code from a signed JAR can make this request. If the certificate is self-signed, the system will ask whether the user is prepared to trust the signer of the JAR; if the user says yes, the code runs with full permissions. Keep in mind what the signature does and does not prove: it shows that the JAR has not been altered since the holder of that key signed it, not that the signer is who the certificate says.

Below is an example of keytool. In a real situation, make sure you use good keypass (key) and keystore passwords; you will need both later to sign the JAR. A password passed on the command line with -keypass ends up in your shell history and in the process list, so it is better to let keytool prompt for it, as it does for the keystore password here. Also note that keytool's defaults are modest: the certificate it generates is valid for only 90 days unless you pass -validity, so set that explicitly for a key you intend to keep signing with.

> keytool -genkey -alias csv -keypass 'invasion:earth'
Enter keystore password: harry:Harrison
What is your first and last name?
  [Unknown]: bayard
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]: generationjava.com
What is the name of your City or Locality?
  [Unknown]: Springfield
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]: US
Is correct?
  [no]: yes

Once this is done, keytool will have generated a binary file in your home directory named .keystore, holding the private key and a self-signed certificate under the alias csv. Running keytool -list shows the entries in the keystore.
> keytool -list
Enter keystore password: harry:Harrison

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry:

csv, Tue Feb 05 22:49:44 EST 2002, keyEntry,
Certificate fingerprint (MD5): E8:FC:38:E3:59:72:0A:86:7F:57:C0:D3:4C:8E:25:FC

Once you have this key, you just need to sign a JAR with it, supplying the alias that was created with keytool. This is done with the jarsigner tool:

> jarsigner -verbose Csv.jar csv
Enter Passphrase for keystore: harry:Harrison
Enter key password for csv: invasion:earth
  updating: META-INF/MANIFEST.MF
    adding: META-INF/CSV.SF
    adding: META-INF/CSV.DSA
   signing: com/generationjava/lang/NumberW.class
   signing: com/generationjava/io/Csv.class
...snip...lots of classes...

This adds two files to your JAR, both named after the alias: META-INF/CSV.SF and META-INF/CSV.DSA. It also updates META-INF/MANIFEST.MF so that it lists every file in the JAR together with an SHA-1 digest of that file's contents. The SF (signature) file lists the same entries again, but its digests are taken over the corresponding sections of the manifest, plus one digest over the manifest as a whole. The DSA file does not contain a key: it is a PKCS#7 signature block holding the DSA signature over the SF file together with the signer's certificate chain, which is what lets a verifier work out who signed the JAR. The three files form a chain: the signature vouches for the SF, the SF vouches for the manifest, and the manifest vouches for each class, so any change to a class after signing breaks verification.

Your JAR is now signed. Running jarsigner -verbose -verify Csv.jar will confirm that the JAR is successfully signed, and adding -certs prints the signer's certificate so you can check it is the one you expect. Note that jarsigner only checks entries listed in the manifest; anything added to the JAR after signing is reported as an unsigned entry that has not been integrity-checked, so treat that warning as a failure. With the JAR signed, your JNLP application or applet can ask for the extra power it needs beyond the sandbox.
----------------------------------------
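The digest chain described above (manifest digests over file contents, .SF digests over manifest sections and over the whole manifest) is easy to see in code. The Python script below is an added example, not code from the newsletter or from the JDK: it builds a small JAR with a manifest and a CSV.SF in the same layout jarsigner writes, then verifies the chain and shows how a patched class, a rewritten manifest, and a file smuggled in after signing are each caught. The class bytes are constructed stand-ins for the article's Csv.jar entries, the function names (build_manifest, verify_digests, replace_entry and so on) are the example's own, SHA-256 is used in place of the SHA-1 of the 2002 tools, and the third artifact, the CSV.DSA PKCS#7 signature block, is deliberately not modelled, so this checks integrity only and says nothing about who signed; the real check remains jarsigner -verify -certs.

```python
"""Model of the two digest layers inside a signed JAR (constructed example, not JDK code).
  META-INF/MANIFEST.MF : one section per file, digest of that file's bytes
  META-INF/<ALIAS>.SF  : digest of the whole manifest, plus a digest of each manifest section
The META-INF/<ALIAS>.DSA (or .RSA) PKCS#7 signature block over the .SF is NOT modelled here."""
import base64
import hashlib
import io
import zipfile

DIGEST = "SHA-256"  # modern jarsigner default; the 2002 article's jarsigner used SHA-1


def b64_digest(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def build_manifest(entries: dict[str, bytes]) -> bytes:
    """Main section, then one section per entry; every section ends with a blank line."""
    text = "Manifest-Version: 1.0\r\nCreated-By: constructed-example\r\n\r\n"
    for name, data in entries.items():
        text += f"Name: {name}\r\n{DIGEST}-Digest: {b64_digest(data)}\r\n\r\n"
    return text.encode("utf-8")


def split_sections(data: bytes) -> list[bytes]:
    """Raw sections of a manifest-format file, each kept with its terminating blank line."""
    return [b + b"\r\n\r\n" for b in data.split(b"\r\n\r\n") if b]


def parse_attrs(section: bytes) -> dict[str, str]:
    attrs = {}
    for line in section.decode("utf-8").split("\r\n"):
        if ": " in line:
            key, value = line.split(": ", 1)
            attrs[key] = value
    return attrs


def build_signature_file(manifest: bytes) -> bytes:
    """The .SF binds the manifest: a digest of the whole file, then a digest of each entry section."""
    text = f"Signature-Version: 1.0\r\n{DIGEST}-Digest-Manifest: {b64_digest(manifest)}\r\n\r\n"
    for section in split_sections(manifest)[1:]:
        text += f"Name: {parse_attrs(section)['Name']}\r\n{DIGEST}-Digest: {b64_digest(section)}\r\n\r\n"
    return text.encode("utf-8")


def make_signed_jar(entries: dict[str, bytes], alias: str) -> bytes:
    """Zip the entries with a manifest and <ALIAS>.SF (no .DSA block, see module docstring)."""
    manifest = build_manifest(entries)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr(f"META-INF/{alias.upper()}.SF", build_signature_file(manifest))
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def verify_digests(jar_bytes: bytes, alias: str) -> list[str]:
    """Names whose chain (.SF -> manifest -> contents) fails, plus entries the manifest never covered.
    An empty list means every entry checks out."""
    problems: list[str] = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF")
        sf_sections = split_sections(zf.read(f"META-INF/{alias.upper()}.SF"))
        # Layer 1: the .SF must describe exactly this manifest.
        if parse_attrs(sf_sections[0]).get(f"{DIGEST}-Digest-Manifest") != b64_digest(manifest):
            problems.append("META-INF/MANIFEST.MF")
        sf_by_name = {}
        for s in sf_sections[1:]:
            attrs = parse_attrs(s)
            sf_by_name[attrs["Name"]] = attrs
        covered = set()
        for section in split_sections(manifest)[1:]:
            attrs = parse_attrs(section)
            name = attrs["Name"]
            covered.add(name)
            # Layer 2: the .SF digest of this manifest section must match the section bytes.
            sf_attrs = sf_by_name.get(name)
            if sf_attrs is None or sf_attrs.get(f"{DIGEST}-Digest") != b64_digest(section):
                problems.append(name)
                continue
            # Layer 3: the manifest digest must match the entry's actual bytes.
            if name not in zf.namelist() or attrs.get(f"{DIGEST}-Digest") != b64_digest(zf.read(name)):
                problems.append(name)
        # Entries in the JAR but absent from the manifest are unsigned (jarsigner warns about these).
        for name in zf.namelist():
            if not name.startswith("META-INF/") and not name.endswith("/") and name not in covered:
                problems.append(name)
    return problems


def replace_entry(jar_bytes: bytes, name: str, data: bytes) -> bytes:
    """Rewrite the JAR with one entry replaced or added, touching nothing else (an attacker's edit)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != name:
                dst.writestr(info.filename, src.read(info.filename))
        dst.writestr(name, data)
    return buf.getvalue()


# Constructed sample entries standing in for the article's Csv.jar classes (not real bytecode).
SAMPLE_ENTRIES = {
    "com/generationjava/io/Csv.class": b"\xca\xfe\xba\xbe original Csv bytecode",
    "com/generationjava/lang/NumberW.class": b"\xca\xfe\xba\xbe original NumberW bytecode",
}

if __name__ == "__main__":
    jar = make_signed_jar(SAMPLE_ENTRIES, "csv")
    print("intact:", verify_digests(jar, "csv"))
    patched = replace_entry(jar, "com/generationjava/io/Csv.class", b"\xca\xfe\xba\xbe backdoored")
    print("patched class:", verify_digests(patched, "csv"))
    smuggled = replace_entry(jar, "com/evil/Dropper.class", b"\xca\xfe\xba\xbe unsigned")
    print("entry added after signing:", verify_digests(smuggled, "csv"))
```

The three failure modes map onto what jarsigner -verify reports: a patched class fails its manifest digest, a rewritten manifest fails the .SF digest even when the per-file digests inside it are internally consistent, and a file dropped into the JAR after signing is never covered at all, which is why the unsigned-entries warning must be treated as a failure. What this model cannot do is tell you whether the .SF was rewritten along with everything else; only the signature in the .DSA block and the certificate it carries answer that.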