Categories: OpenJDK, Security

Basic OpenJDK JAR File Signature Verification

I was recently exploring JAR file verification and found this post, Verifying Signed JAR Files (The Java™ Tutorials > Deployment > Packaging Programs in JAR Files), explaining how The jarsigner Command (which is different from the JarSigner (Java SE 25 & JDK 25) API) can be used to verify a signed JAR file. The jarsigner tool is itself implemented as a Java program; its verification path calls the void verifyJar(String jarName) method.

Verifying a JAR File

Verifying Signed JAR Files states that the basic command to use for verifying a signed JAR file is jarsigner -verify jar-file. The jarsigner Command adds that when the -strict option is specified, the exit code is built from the checks that failed; without -strict, jarsigner prints its warnings but still exits 0, so a build script that keys off the exit code must pass -strict. We can check the exit code using echo $? in bash. For example, I get exit code 16 for my unsigned JAR file with -strict but exit code 0 without it. In the jarsigner docs, 16 is the value for hasUnsignedEntry: the JAR contains entries that have not been integrity-checked, which for a never-signed JAR is all of them.

cd /c/repos/factorize/java/project
time mvn package

export JAVA_HOME=/d/java/binaries/jdk/x64/2026-04/windows-jdk25u/jdk-25.0.3+9

$JAVA_HOME/bin/jarsigner -verify -strict target/factorize-1.0.0-jar-with-dependencies.jar

echo $?

Creating Keys for Signing a JAR File

My next question was how to create keys for signing my Java JAR file. The JFrog Security Keys Management page mentioned keytool - Key and Certificate Management Tool (see newer docs at The keytool Command). The keytool command below, from the older article…

mkdir mykeys/

$JAVA_HOME/bin/keytool -genkeypair \
 -dname "cn=Saint Wesonga, ou=Java, o=Microsoft, c=US" \
 -alias business \
 -keypass kpi135 \
 -keystore mykeys/mykeystore \
 -storepass ab987c -validity 180

… output:

Warning:  Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -keypass value.
keytool error: java.lang.Exception: The -keyalg option must be specified.

So I used this command, which drops -keypass (the default keystore type is now PKCS12, which uses one password for the store and its keys, as the warning above says) and adds the required -keyalg option; it is similar to the newer keytool Command example:

$JAVA_HOME/bin/keytool -genkeypair \
 -dname "cn=Saint Wesonga, ou=Java, o=Microsoft, c=US" \
 -alias business \
 -keystore mykeys/mykeystore \
 -storepass ab987c -validity 180 \
 -keyalg DSA

The output from this command was:

Generating 2048-bit DSA key pair and self-signed certificate (SHA256withDSA) with a validity of 180 days
        for: CN=Saint Wesonga, OU=Java, O=Microsoft, C=US

Two things to note before reusing this command outside an experiment. DSA is a legacy choice that the docs example happens to use; for new signing keys prefer -keyalg EC (a P-256 key signs with SHA256withECDSA) or -keyalg RSA with -keysize 3072 or larger. And passing -storepass on the command line leaves the password in the shell history; both keytool and jarsigner accept -storepass:env VARIABLE or -storepass:file PATH instead.

Signing a JAR File

Next, look at the Example of Signing a JAR File in the jarsigner Command docs.

$JAVA_HOME/bin/jarsigner \
 -keystore mykeys/mykeystore \
 -signedjar target/factorize-1.0.0-signed-jar-with-dependencies.jar \
 target/factorize-1.0.0-jar-with-dependencies.jar business

Its output is:

Enter Passphrase for keystore:

jar signed.

Warning:
The signer's certificate is self-signed.
POSIX file permission and/or symlink attributes detected. These attributes are ignored when signing and are not protected by the signature.
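The three steps above (create a key, sign, verify with -strict and read the exit code) put together as one script. This is an added example, not code from the post or from the JDK docs: it generates an EC key instead of the DSA key used above, reads the keystore password from an environment variable rather than the command line, and decodes the -strict exit-code bits documented in the jarsigner man page so a build can fail with a readable reason. The keystore path, alias and DN are illustrative assumptions, and $JAVA_HOME is assumed to point at a JDK that ships keytool and jarsigner.

```sh
#!/bin/sh
# Added example (not code from the original post or from the JDK): generate a
# signing key, sign a JAR, then verify it with `jarsigner -verify -strict` and
# turn the exit code into a readable reason so a build can fail on it.
#
#   JAVA_HOME=/path/to/jdk STOREPASS=changeit \
#   JAR_IN=target/app.jar JAR_OUT=target/app-signed.jar sh sign-and-verify.sh
#
# Assumptions: $JAVA_HOME/bin has keytool and jarsigner; the keystore path, alias
# and DN below are illustrative, not values taken from the post.

KS=${KS:-mykeys/mykeystore}
SIGNER=${SIGNER:-business}
DN=${DN:-"cn=Example Signer, ou=Java, o=Example, c=US"}

# Decode a -strict exit code. Bit values follow the jarsigner man page:
#   4  certificate problem (expired, not yet valid, chain not validated, self-signed)
#   8  bad KeyUsage / ExtendedKeyUsage / NetscapeCertType
#   16 unsigned entries (also what a completely unsigned JAR returns)
#   32 not signed by the requested alias, or alias not in the keystore
#   64 TSA certificate chain not validated
# 1 is a generic error, not a bit flag. Prints a comma-separated list.
decode_jarsigner_exit() {
    code=$1
    if [ "$code" -eq 0 ]; then echo "ok"; return 0; fi
    if [ "$code" -eq 1 ]; then echo "error"; return 0; fi
    reasons=""
    [ $((code & 4))  -ne 0 ] && reasons="${reasons}cert,"
    [ $((code & 8))  -ne 0 ] && reasons="${reasons}keyusage,"
    [ $((code & 16)) -ne 0 ] && reasons="${reasons}unsigned-entries,"
    [ $((code & 32)) -ne 0 ] && reasons="${reasons}alias,"
    [ $((code & 64)) -ne 0 ] && reasons="${reasons}tsa,"
    [ -z "$reasons" ] && reasons="unknown($code),"
    echo "${reasons%,}"
}

# Create a PKCS12 keystore holding an EC P-256 key pair. The JDK docs example (and
# the post) use DSA; EC or RSA is the better choice for new keys. The password is
# read from the STOREPASS environment variable via -storepass:env so it never
# appears on the command line or in shell history.
make_keystore() {
    ks=$1
    mkdir -p "$(dirname "$ks")"
    "$JAVA_HOME/bin/keytool" -genkeypair -alias "$SIGNER" \
        -keyalg EC -keysize 256 -sigalg SHA256withECDSA \
        -dname "$DN" -validity 180 \
        -keystore "$ks" -storetype PKCS12 -storepass:env STOREPASS
}

# Sign IN into OUT with the alias. Add -tsa <url> in real builds so the signature
# stays verifiable after the signing certificate expires.
sign_jar() {
    in=$1; out=$2; ks=$3
    "$JAVA_HOME/bin/jarsigner" -keystore "$ks" -storepass:env STOREPASS \
        -signedjar "$out" "$in" "$SIGNER"
}

# Strict verification against the keystore and alias. Returns jarsigner's exit
# code unchanged, so under `set -e` a caller stops on anything but 0.
verify_jar_strict() {
    jar=$1; ks=$2
    if "$JAVA_HOME/bin/jarsigner" -verify -strict -keystore "$ks" "$jar" "$SIGNER"; then
        rc=0
    else
        rc=$?
    fi
    echo "$jar: jarsigner exit $rc ($(decode_jarsigner_exit "$rc"))"
    return "$rc"
}

main() {
    : "${JAVA_HOME:?set JAVA_HOME to a JDK with keytool and jarsigner}"
    : "${STOREPASS:?set STOREPASS to the keystore password}"
    export STOREPASS
    [ -f "$KS" ] || make_keystore "$KS"
    sign_jar "$JAR_IN" "$JAR_OUT" "$KS"
    verify_jar_strict "$JAR_OUT" "$KS"
}

# Run the pipeline only when a JAR is named; otherwise just define the functions.
if [ -n "${JAR_IN:-}" ]; then
    : "${JAR_OUT:?set JAR_OUT to the path for the signed JAR}"
    main
fi
```

Passing the keystore and alias to the verify step lets jarsigner also check that the entries were signed by that alias (bit 32) rather than by anyone at all. Whether a self-signed signer such as the one created in this post trips bit 4 depends on whether jarsigner can build a chain to a trust anchor it accepts, so read the decoded reason rather than assuming; for anything beyond local experiments, sign with a CA-issued code-signing certificate and a -tsa timestamp so strict verification passes on machines that do not hold your keystore.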
