Java Code Signing Guide

General Information ID:    INFO1428    Updated:    03/16/2017

Description

To get a Java Code Signing Certificate please follow the steps below.

Step 1: Download Signing Tools

If you have not already done so, download the Java 2 Software Development Kit (SDK). The latest version is available free of charge for the Solaris SPARC/x86, Linux86, and Microsoft Windows platforms from http://java.sun.com/javase/downloads/index.jsp. Make sure that you are using version 1.6 or later.

You will be using keytool, jar, and jarsigner, all of which ship in the bin directory of the SDK, to generate your key pair and CSR, bundle your code, and sign it.
 

Step 2: Enrollment

Create a Keystore

To generate a public/private key pair, enter the following command, specifying a name for your keystore and an alias for the key entry. You will need the same alias later, both when importing the issued certificate and when signing.

Note: The recommended RSA key size is 2048 bits. All certificates that expire after October 2013 must have a key size of at least 2048 bits.

keytool -genkey -keyalg rsa -keystore <keystore_filename> -alias <alias_name> -keysize 2048

(In current JDKs -genkey is an alias for -genkeypair; either form works.)


Keytool prompts you to enter a password for your keystore, then your name, organization, and address (the distinguished name that will appear in the CSR). The public/private key pair generated by keytool is saved in your keystore and is what signs your Java applets and applications. The private key never leaves the keystore and is never sent to Thawte; only the CSR, which contains the public key, is sent. Thawte encourages you to make a backup copy of the keystore and store it in a safe deposit box or other secure location. If the private key is lost or stolen, contact Thawte immediately to have the certificate revoked.

Generate a CSR

You need to generate a Certificate Signing Request (CSR) for the enrollment process.

  1. The following command requests Keytool to create a CSR for the key pair in the keystore:
     
    keytool -certreq -file certreq.csr -keystore <keystore_filename> -alias <alias_name>

  2. Begin the enrollment process for a Java Code Signing certificate from the products and services section of the Thawte Web site.
     
  3. Copy the entire contents of the CSR file, including the BEGIN and END lines, and paste them directly into the Thawte enrollment form. Open the file in a text editor that does not add extra characters (Notepad or vi are recommended).

 

Step 3: Begin Using

Import Java Code Signing Certificate

Once Thawte has verified your identity and issued the certificate, you will receive a confirmation.

Your certificate can be downloaded from your Thawte account.

To import your Code Signing certificate into your keystore, enter the following command, replacing cert.p7b with the correct path and name of the file you downloaded. Use the same alias you used when generating the key pair: keytool then treats the file as a certificate reply and attaches the chain to your existing private-key entry. If the alias does not match, keytool imports the file as a separate trusted-certificate entry and jarsigner will not be able to sign with it. You can confirm afterwards with keytool's -list -v option that the entry is a PrivateKeyEntry carrying the full chain. (In current JDKs -import is an alias for -importcert.)

keytool -import -trustcacerts -keystore <keystore_filename> -alias <alias_name> -file cert.p7b

 


Bundle Applet into a JAR File

If you are signing MIDlets, please see solution SO16957 to sign using the JADTool command-line utility.

Use jar to bundle your applets or applications as a JAR file. The following command creates a JAR file (for example C:\TestApplet.jar) containing the files you name. To include all the files under the current directory and its sub-directories, name the directory instead of individual files; jar adds directories recursively.

jar cvf <filename>.jar <filename to bundle>


For example:

jar cvf TestApplet.jar TestApplet.class TestHelper.class


Jar responds:

added manifest 
adding: TestApplet.class (in = 94208) (out= 20103)(deflated 78%) 
adding: TestHelper.class (in = 16384) (out= 779)(deflated 95%)

 

Sign Your Applet

  1. Use jarsigner to sign the JAR file with the private key you saved in your keystore.

jarsigner -keystore <keystore_filename> <path to Applet (ie. C:\TestApplet.jar)> <alias_name>


To add an RFC 3161 (SHA-256) timestamp, pass the timestamping URL with -tsa as shown below. A timestamp records when the signature was made, so the Java Runtime Environment can continue to accept the signature after your certificate expires; without one, the signed JAR stops validating on the certificate's expiry date.

jarsigner -tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp -keystore <keystore_filename> <path to Applet (ie. C:\TestApplet.jar)> <alias_name>


At the prompt, enter the password to your keystore.

Important: Thawte recommends that customers use the SHA-256 timestamping service going forward and not the SHA-1 service unless a legacy platform constraint prevents use of the SHA-2 service.

Note: The SHA-1 timestamping URL is http://timestamp.verisign.com/scripts/timstamp.dll
            (The timstamp.dll filename is required to conform to old MS-DOS naming convention).

The SHA-1 with RFC 3161 timestamping URL is http://sha1timestamp.ws.symantec.com/sha1/timestamp

The SHA-256 with RFC 3161 timestamping URL is http://sha256timestamp.ws.symantec.com/sha256/timestamp

  2. jarsigner computes a digest of each entry in the JAR and records it in the manifest (META-INF/MANIFEST.MF), then writes a signature file and a signature block (META-INF/<ALIAS>.SF and .RSA) that carry the signature and a copy of your Code Signing certificate chain.
     
  3. Verify the output of your signed JAR file.
     
    jarsigner -verify -verbose -certs C:\TestApplet.jar

A successful verification ends with the line "jar verified." If the signature includes a timestamp, the output of the verify command also states when each entry was signed, for example:

[entry was signed on 7/12/15 1:28 PM]

followed by the Time Stamp Authority's (TSA) certificate chain. If an entry has been modified since signing, jarsigner reports a digest error for that entry instead of verifying the JAR.

When the signed JAR file is downloaded, the Java Runtime Environment displays your Code Signing certificate to the user so that they can decide whether to trust the publisher. If any signed entry is modified after signing, its digest no longer matches the signed manifest, verification fails, and the user is warned and given the option to refuse installation.
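The tamper detection described above rests on a chain of digests that jarsigner writes into the JAR: a SHA-256 digest of every file in MANIFEST.MF, and a signature file (.SF) that digests the manifest and each of its sections, which is what the .RSA block finally signs. The following added example (not Thawte's code and not JDK source) models that digest layer in plain Python so the structure can be inspected offline: it builds a constructed JAR with two stand-in class files, writes the manifest and .SF the way jarsigner lays them out, then re-verifies after patching a class and after adding an unsigned one. The alias CODESIGN, the SAMPLE_ENTRIES bytes and the Created-By value are assumptions. The CMS signature in the .RSA block, which needs the Thawte-issued key, is deliberately not modelled, and long manifest lines are only read (continuation lines), not wrapped.

```python
from __future__ import annotations

import base64
import hashlib
import io
import zipfile

# Constructed stand-ins for the compiled applet classes (not real bytecode).
SAMPLE_ENTRIES = {
    "TestApplet.class": b"\xca\xfe\xba\xbe" + b"applet body (constructed)",
    "TestHelper.class": b"\xca\xfe\xba\xbe" + b"helper body (constructed)",
}
# Hypothetical alias; jarsigner names the signature files after the key alias.
ALIAS = "CODESIGN"
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def _b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def _section(attrs: list[tuple[str, str]]) -> bytes:
    # One manifest section: "Key: value" lines, CRLF-terminated, then a blank line.
    return ("".join(f"{k}: {v}\r\n" for k, v in attrs) + "\r\n").encode("utf-8")

def parse_manifest(data: bytes) -> tuple[dict[str, str], list[dict[str, str]]]:
    """Split MANIFEST.MF or a .SF into (main attributes, named sections).
    A line starting with a space continues the previous value (72-byte wrap)."""
    sections: list[list[tuple[str, str]]] = []
    current: list[tuple[str, str]] = []
    for line in data.decode("utf-8").split("\r\n"):
        if line == "":
            if current:
                sections.append(current)
                current = []
        elif line.startswith(" ") and current:
            key, val = current[-1]
            current[-1] = (key, val + line[1:])
        else:
            key, _, val = line.partition(": ")
            current.append((key, val))
    if current:
        sections.append(current)
    main = dict(sections[0]) if sections else {}
    return main, [dict(s) for s in sections[1:]]

def _raw_sections(manifest: bytes) -> list[bytes]:
    # Section bytes exactly as written, blank-line terminator included: the .SF
    # digests these bytes, so even whitespace edits to the manifest are caught.
    return [p + b"\r\n\r\n" for p in manifest.split(b"\r\n\r\n") if p]

def build_manifest(entries: dict[str, bytes]) -> bytes:
    """MANIFEST.MF: one section per file carrying the SHA-256-Digest of its bytes."""
    out = _section([("Manifest-Version", "1.0"), ("Created-By", "added example")])
    for name, data in entries.items():
        out += _section([("Name", name), ("SHA-256-Digest", _b64_sha256(data))])
    return out

def build_signature_file(manifest: bytes) -> bytes:
    """<ALIAS>.SF: digest of the whole manifest plus one per manifest section.
    jarsigner's CMS signature (the .RSA block) is computed over these bytes."""
    _, named = parse_manifest(manifest)
    out = _section([("Signature-Version", "1.0"),
                    ("SHA-256-Digest-Manifest", _b64_sha256(manifest))])
    for attrs, raw in zip(named, _raw_sections(manifest)[1:]):
        out += _section([("Name", attrs["Name"]), ("SHA-256-Digest", _b64_sha256(raw))])
    return out

def pack_signed_jar(entries: dict[str, bytes]) -> bytes:
    manifest = build_manifest(entries)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr(f"META-INF/{ALIAS}.SF", build_signature_file(manifest))
        # A real jarsigner run also writes META-INF/<ALIAS>.RSA at this point.
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def tamper(jar: bytes, name: str, data: bytes) -> bytes:
    """Replace (or add) one entry after signing, as someone without the key would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar)) as src, \
            zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            dst.writestr(info.filename,
                         data if info.filename == name else src.read(info.filename))
        if name not in src.namelist():
            dst.writestr(name, data)
    return buf.getvalue()

def verify_jar(jar: bytes) -> list[str]:
    """Recompute the digest chain as a verifier must. Empty list means intact.
    (Checking the .RSA signature over the .SF is the step not modelled here.)"""
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        names = zf.namelist()
        manifest = zf.read("META-INF/MANIFEST.MF")
        sf_main, sf_named = parse_manifest(zf.read(f"META-INF/{ALIAS}.SF"))
        _, mf_named = parse_manifest(manifest)
        raw_by_name = {a["Name"]: r for a, r in zip(mf_named, _raw_sections(manifest)[1:])}
        # 1. The .SF must vouch for the manifest as a whole ...
        if sf_main.get("SHA-256-Digest-Manifest") != _b64_sha256(manifest):
            findings.append("manifest digest in .SF does not match MANIFEST.MF")
        # 2. ... and for each manifest section individually.
        for attrs in sf_named:
            raw = raw_by_name.get(attrs["Name"])
            if raw is None or attrs.get("SHA-256-Digest") != _b64_sha256(raw):
                findings.append(f"section digest mismatch for {attrs['Name']}")
        # 3. Every manifest digest must match the bytes actually stored in the JAR.
        for attrs in mf_named:
            name = attrs["Name"]
            if name not in names:
                findings.append(f"{name} listed in manifest but missing from JAR")
            elif attrs.get("SHA-256-Digest") != _b64_sha256(zf.read(name)):
                findings.append(f"SHA-256 digest error for {name}")
        # 4. Anything the manifest does not cover carries no signature at all.
        for name in names:
            is_sig = name == "META-INF/MANIFEST.MF" or (
                name.startswith("META-INF/") and name.upper().endswith(SIG_SUFFIXES))
            if not is_sig and not name.endswith("/") and name not in raw_by_name:
                findings.append(f"unsigned entry: {name}")
    return findings

if __name__ == "__main__":
    signed = pack_signed_jar(SAMPLE_ENTRIES)
    print("clean jar:", verify_jar(signed) or "digest chain intact")
    print("patched class:", verify_jar(tamper(signed, "TestApplet.class", b"patched")))
    print("added class:", verify_jar(tamper(signed, "Evil.class", b"dropper")))
```

Two things worth noticing when running it: patching a class is caught at layer 3 only, because the manifest and .SF are untouched, while rewriting MANIFEST.MF to match the patched bytes moves the mismatch up to layers 1 and 2, where the .SF (and in a real JAR the signature over it) is what the attacker cannot regenerate. Files added after signing produce no digest error at all, only an "unsigned entry" finding, which is why a verifier must check coverage, not just the digests that happen to be present.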

Related Information

For more information about the use of the Java 2 Software Development Kit, go to JavaTM 2 Platform, Documentation at: http://www.oracle.com/us/technologies/java/index.html
