
jarsigner: JAR Signing and Verification Tool


jarsigner [options] jarfile signer
jarsigner -verify jarfile


jarsigner adds a digital signature to the specified jarfile, or, if the -verify option is specified, it verifies the digital signature or signatures already attached to the JAR file. The specified signer is a case-insensitive nickname or alias for the entity whose signature is to be used. The specified signer name is used to look up the private key that generates the signature.

When you apply your digital signature to a JAR file, you are implicitly vouching for the contents of the archive. You are offering your personal word that the JAR file contains only nonmalicious code, files that do not violate copyright laws, and so forth. When you verify a digitally signed JAR file, you can determine who the signer or signers of the file are and (if the verification succeeds) that the contents of the JAR file have not been changed, corrupted, or tampered with since the signature or signatures were applied. Verifying a digital signature is entirely different from deciding whether or not you trust the person or organization whose signature you verified.
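The difference between verifying a signature and trusting its signer, as an added example (not code from the original page): a Java program that has java.util.jar.JarFile verify every entry, then accepts the JAR only if each entry was signed by a certificate whose SHA-256 fingerprint matches one you pinned. The class name PinnedJarCheck and its two command-line arguments are assumptions made for illustration.

```java
import java.io.File;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class PinnedJarCheck {  // hypothetical name, not part of the JDK
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java PinnedJarCheck <jarfile> <sha256-of-signer-cert-hex>");
            System.exit(2);
        }
        String pinned = args[1].replace(":", "").toLowerCase();
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(new File(args[0]), true)) {  // true = verify signatures
            for (JarEntry e : Collections.list(jar.entries())) {
                String name = e.getName();
                if (e.isDirectory() || isSignatureRelated(name)) continue;
                // Signer data is only available once the entry has been read to the end;
                // a digest mismatch (tampering) is thrown here as a SecurityException.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) throw new SecurityException("unsigned entry: " + name);
                boolean trusted = false;
                for (CodeSigner s : signers) {  // first certificate in the path is the signer's own
                    Certificate leaf = s.getSignerCertPath().getCertificates().get(0);
                    if (sha256Hex(leaf.getEncoded()).equals(pinned)) trusted = true;
                }
                if (!trusted) throw new SecurityException("not signed by pinned certificate: " + name);
            }
        }
        System.out.println("OK: all entries verify and are signed by the pinned certificate");
    }
    // The manifest and the signature files directly under META-INF/ are never signed themselves.
    static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF") || (n.startsWith("META-INF/") && n.indexOf('/', 9) < 0
            && (n.endsWith(".SF") || n.endsWith(".DSA") || n.endsWith(".RSA") || n.endsWith(".EC")));
    }
    static String sha256Hex(byte[] data) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(data)) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

An entry added to the archive after signing shows up here as an unsigned entry, and a JAR re-signed by a different key fails the fingerprint comparison even though its signature verifies.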

jarsigner and the related keytool program replace the javakey program of Java 1.1.


jarsigner defines a number of options, many of which specify how a private key is to be found for the specified signer. Most of these options are unnecessary when using the -verify option to verify a signed JAR file:


-certs

If this option is specified along with either the -verify or -verbose option, it causes jarsigner to display details of the public key certificates associated with the signed JAR file.

-J javaoption

Passes the specified javaoption directly to the Java interpreter.

-keypass password

Specifies the password that encrypts the private key of the specified signer. If this option is not specified, jarsigner prompts you for the password.

-keystore url

A keystore is a file that contains keys and certificates. This option specifies the filename or URL of the keystore in which the private and public key certificates of the specified signer are looked up. The default is the file named .keystore in the user's home directory (the value of the system property user.home). This is also the default location of the keystore managed by keytool.

-sigfile basename

Specifies the base names of the .SF and .DSA files added to the META-INF/ directory of the JAR file. If you leave this option unspecified, the base filename is chosen based on the signer name.

-signedjar outputfile

Specifies the name for the signed JAR file created by jarsigner. If this option is not specified, jarsigner overwrites the jarfile specified on the command line.

-storepass password

Specifies the password that verifies the integrity of the keystore (but does not encrypt the private key). If this option is omitted, jarsigner prompts you for the password.

-storetype type

Specifies the type of keystore specified by the -keystore option. The default is the system-default keystore type, which on most systems is the Java Keystore type, known as JKS. If you have the Java Cryptography Extension installed, you may want to use a JCEKS keystore instead.


-verbose

Displays extra information about the signing or verification process.


-verify

Specifies that jarsigner should verify the specified JAR file rather than sign it.

See also

jar, keytool, javakey
