LinuxCommandLibrary

jarsigner

Sign Java Archive (JAR) files

TLDR

Sign a .jar file

$ jarsigner [path/to/file.jar] [keystore_alias]

Sign a .jar file with a specific algorithm

$ jarsigner -sigalg [algorithm] [path/to/file.jar] [keystore_alias]

Verify the signature of a .jar file
$ jarsigner -verify [path/to/file.jar]

SYNOPSIS

jarsigner [options] jar-file alias
jarsigner -verify [options] jar-file [alias]

PARAMETERS

-keystore
    Location of the Java keystore

-storepass[:env|:file] argument
    Keystore password. With :env the argument names an environment variable, with :file a file containing the password; both keep the password out of the process list and shell history

-keypass[:env|:file] argument
    Private key password, with the same :env and :file modifiers; defaults to the keystore password (PKCS12 keystores use one password for both)

-storetype
    Keystore type (e.g., JKS, PKCS12)

-sigfile
    Base name of the META-INF signature file (.SF) and signature block file (.RSA, .DSA or .EC); defaults to the first 8 characters of the alias, upper-cased

-signedjar
    Write the signed JAR to this file; without it, jarsigner overwrites the input JAR in place

-digestalg
    Digest algorithm (e.g., SHA-256)

-sigalg
    Signature algorithm (e.g., SHA256withRSA)

-tsa
    Timestamping Authority URL

-tsacert
    Alias of a certificate in -keystore whose Subject Information Access extension gives the TSA location (alternative to -tsa)

-tsadigestalg
    TSA digest algorithm

-verify
    Verify JAR signatures instead of signing

-verbose[:suboptions]
    Verbose output; the suboptions all, grouped and summary control how entries and their signers are listed

-certs
    Display signer certificates during verification

-strict
    Make the exit code reflect severe warnings (expired, not yet valid or unvalidated signer certificate chain, unsigned entries, bad key usage) instead of returning 0 with a warning printed

-warn
    Show warnings during verification

-sectionsonly
    When signing, omit the hash of the whole manifest from the .SF file so that only the per-entry manifest sections are hashed; rarely wanted

-protected
    true or false; set true when the password is supplied through a protected authentication path such as a dedicated PIN reader, so none is passed on the command line

-providerName
    Cryptographic service provider name

-providerClass class [-providerArg arg]
    Custom cryptographic provider class and its constructor argument (repeatable)

-networktimeout
    TSA network timeout

-check
    Verification check options

DESCRIPTION

jarsigner is a command-line tool from the Java Development Kit (JDK) used to generate and verify digital signatures on JAR (Java Archive) files. It signs a JAR with a private key from a keystore and records a digest of every entry in the manifest, so that anyone holding the signer's certificate can check who signed the archive and whether any entry was changed afterwards. Signing does not stop tampering; it makes tampering detectable, provided the consumer actually verifies the signature.

To sign a JAR, specify the JAR file, the alias of the key entry, and options such as the keystore location and passwords; by default the input JAR is rewritten in place. Verification recomputes the entry digests, checks the signature over the manifest and validates the signer's certificate chain, optionally printing certificate details (-certs) or turning severe warnings into a non-zero exit code (-strict).

Key features include timestamping through a TSA (Time Stamping Authority), so a signature remains verifiable after the signing certificate expires; a choice of digest and signature algorithms (e.g., SHA-256, SHA256withRSA); and control over how the manifest is hashed (-sectionsonly). It is the standard tool for Java code signing, especially in enterprise deployments. Runs on any platform with a JDK installed, typically invoked via PATH.

CAVEATS

Requires a JDK, not just a JRE. A password given as -storepass pwd is visible in process lists and shell history; use -storepass:env or -storepass:file instead. Without -signedjar the input JAR is overwritten in place. A plain -verify exits 0 for a JAR that carries no signature at all (it only prints "jar is unsigned."), so scripts that gate on jarsigner must check for that message as well as the exit code. Self-signed, expired or untrusted signer certificates produce warnings rather than failures unless -strict is given. Timestamping needs network access to the TSA.

EXIT STATUS

0 on success; 1 on an error such as a failed digest or signature check, a missing keystore or bad arguments. With -strict, severe warnings (expired, not yet valid or unvalidated signer certificate chain, unsigned entries, bad key usage) also produce a non-zero exit code. Under plain -verify an unsigned JAR is reported as "jar is unsigned." with status 0.

EXAMPLES

Sign (password read from the environment, signature timestamped): JARSIGNER_STOREPASS=[password] jarsigner -keystore mykeystore.jks -storepass:env JARSIGNER_STOREPASS -tsa [tsa_url] -signedjar myjar-signed.jar myjar.jar myalias
Verify: jarsigner -verify -verbose -certs myjar-signed.jar
Strict verify (exit code reflects severe warnings): jarsigner -verify -strict -verbose myjar-signed.jar
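The sign, verify and tamper-detection steps described above as one runnable script. This is an added example, not code from the LinuxCommandLibrary page or from the JDK; it assumes a JDK (keytool, jar, jarsigner) on PATH, and the alias demo, the file names, the JARSIGNER_STOREPASS variable name and the self-signed demo certificate are choices made here for the demonstration.

```shell
#!/bin/sh
# Added example (not from the LinuxCommandLibrary page or the JDK): sign a
# JAR with the keystore password read from the environment, verify it, then
# replace one entry after signing and show that -verify rejects the result.
# Assumes keytool, jar and jarsigner on PATH. The alias "demo", the file
# names and the JARSIGNER_STOREPASS variable name are arbitrary demo choices.
set -eu

# Throwaway PKCS12 keystore with a self-signed RSA key (demo only; real code
# signing uses a CA-issued certificate, and the commands below do not change).
make_keystore() {   # $1 = keystore path, $2 = alias; password from $JARSIGNER_STOREPASS
    keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -validity 30 \
        -dname "CN=jarsigner demo" -keystore "$1" -storetype PKCS12 \
        -storepass:env JARSIGNER_STOREPASS >/dev/null 2>&1
}

# Sign $1 into $2 with alias $4 from keystore $3. The password never appears
# on the command line, so it is not visible in ps output or shell history.
# Pass a TSA URL as $5 to timestamp the signature (needs network access);
# without a timestamp the signature stops verifying once the certificate expires.
sign_jar() {   # $1 = input jar, $2 = output jar, $3 = keystore, $4 = alias, [$5 = TSA URL]
    in_jar=$1 out_jar=$2 keystore=$3 key_alias=$4 tsa=${5:-}
    set -- -keystore "$keystore" -storetype PKCS12 -storepass:env JARSIGNER_STOREPASS \
           -digestalg SHA-256 -sigalg SHA256withRSA -signedjar "$out_jar"
    if [ -n "$tsa" ]; then set -- "$@" -tsa "$tsa"; fi
    jarsigner "$@" "$in_jar" "$key_alias" >/dev/null
}

# Verify $1. Plain "jarsigner -verify" exits 0 for a JAR with no signature at
# all (it just prints "jar is unsigned."), so an integrity gate must check for
# that message too. Returns 0 only when every entry is signed and intact,
# 2 for an unsigned JAR, 1 for a tampered JAR or a failed signature check.
verify_jar() {   # $1 = jar
    verify_out=$(jarsigner -verify -certs "$1" 2>&1) || return 1
    case $verify_out in
        *"jar is unsigned"*)    return 2 ;;
        *"with signer errors"*) return 1 ;;
        *"jar verified"*)       return 0 ;;
    esac
    return 1
}

# Copy $1 to $2 and replace one entry after signing. "jar uf" keeps the
# META-INF signature files, so the digest recorded for hello.txt is now stale
# and jarsigner reports a "SHA-256 digest error" for the entry.
tamper_jar() {   # $1 = signed jar, $2 = tampered copy
    cp "$1" "$2"
    tamper_dir=$(mktemp -d)
    printf 'modified after signing\n' > "$tamper_dir/hello.txt"
    jar uf "$2" -C "$tamper_dir" hello.txt
    rm -rf "$tamper_dir"
}

main() {
    work=$(mktemp -d)
    : "${JARSIGNER_STOREPASS:=demo-only-password}"   # in CI, inject this from a secret store
    export JARSIGNER_STOREPASS

    mkdir "$work/src"
    printf 'hello\n' > "$work/src/hello.txt"        # constructed sample content
    jar cf "$work/unsigned.jar" -C "$work/src" .

    make_keystore "$work/ks.p12" demo
    sign_jar "$work/unsigned.jar" "$work/signed.jar" "$work/ks.p12" demo "${TSA_URL:-}"
    tamper_jar "$work/signed.jar" "$work/tampered.jar"

    for j in signed tampered unsigned; do
        if verify_jar "$work/$j.jar"; then
            echo "$j.jar: accepted"
        else
            echo "$j.jar: rejected (status $?)"
        fi
    done
    rm -rf "$work"
}

# Run the demo only when a JDK is present, so the file can also be sourced for its functions.
if command -v jarsigner >/dev/null 2>&1; then
    main
fi
```

Set TSA_URL to your timestamping authority before running to get a timestamped signature; the example leaves it empty so it runs offline, in which case jarsigner prints its usual warning that the JAR is not timestamped. The verify_jar wrapper is the piece worth copying into a deployment gate: it treats "jar is unsigned." as a rejection, which the bare exit code of jarsigner -verify does not.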

HISTORY

Introduced in JDK 1.2 (1998), replacing the JDK 1.1 javakey tool, as part of the Java security enhancements for signed applets. Later releases added modern algorithms (SHA-256 became the default digest and signature algorithm in JDK 7), made PKCS12 the default keystore type (JDK 9), and tightened verification through -strict and the disabling of weak algorithms such as MD5 and SHA-1 for JAR signatures. Maintained in OpenJDK for Linux distributions.

SEE ALSO

keytool(1), jar(1), java(1), javap(1)
