jarsigner adds a digital signature to the specified jarfile, or, if the -verify option is specified, it verifies the digital signature or signatures already attached to the JAR file. The specified signer is a case-insensitive nickname or alias for the entity whose signature is to be used. The specified signer name is used to look up the private key that generates the signature.
If you encounter the below error while running the jarsigner command:
jarsigner: command not found
you may try installing the below package as per your choice of distribution.
| Distribution | Command |
|---|---|
| Debian | apt-get install gcj-4.7-jdk |
| Ubuntu | apt-get install openjdk-12-jdk-headless |
| Arch Linux | pacman -S java-environment-common |
| Kali Linux | apt-get install openjdk-11-jdk-headless |
| Fedora | dnf install java-9-openjdk-devel-debug-1 |
| Raspbian | apt-get install openjdk-8-jdk |
Command Options
| Option | Description |
|---|---|
| -certs | If this option is specified along with either the -verify or -verbose option, it causes jarsigner to display details of the public key certificates associated with the signed JAR file. |
| -J javaoption | Passes the specified javaoption directly to the Java interpreter. |
| -keypass password | Specifies the password that encrypts the private key of the specified signer. If this option is not specified, jarsigner prompts you for the password. |
| -keystore url | A keystore is a file that contains keys and certificates. |
| -sigfile basename | Specifies the base names of the .SF and .DSA files added to the META-INF/ directory of the JAR file. |
| -signedjar outputfile | Specifies the name for the signed JAR file created by jarsigner. |
| -storepass password | Specifies the password that verifies the integrity of the keystore (but does not encrypt the private key). If this option is omitted, jarsigner prompts you for the password. |
| -storetype type | Specifies the type of keystore specified by the -keystore option. |
| -verbose | Displays extra information about the signing or verification process. |
| -verify | Specifies that jarsigner should verify the specified JAR file rather than sign it. |
jarsigner Command Examples
1. Sign a JAR file:
# jarsigner path/to/file.jar keystore_alias
2. Sign a JAR file with a specific algorithm:
# jarsigner -sigalg algorithm path/to/file.jar keystore_alias
3. Verify the signature of a JAR file:
# jarsigner -verify path/to/file.jar
4. Sign a .jar file by multiple users:
$ jarsigner test.jar geek ## User geek signs it $ jarsigner test.jar geeky ## User geeky signs it
Conclusion
jarsigner command signs or verifies .jar files. Adding a digital signature to a .jar file improves its security, since changing the contents causes the signature to become invalid. jarfile is the original file to be signed; alias is a recognized alias for the identity of the signer. By default, the jarsigner replaces the original file with the signed one. This can be changed with the -signedjar option.