We have built a comprehensive tutorial to help Java application developers sign Java .jar files with a standard or EV code signing certificate stored on a hardware token.
In the ever-evolving digital landscape, ensuring the security and integrity of software is paramount. That's where hardware token-based code signing comes into play, empowering developers to safeguard their Java .jar files with an extra layer of protection.
Unlocking the potential of Java applications is a seamless process with the right tools and techniques. In this comprehensive step-by-step guide, we delve into the world of Comodo code signing and Sectigo code signing in Windows, revealing the intricacies of signing Java .jar files with a hardware token-based code signing certificate.
Join us on this journey as we explore the robust process that guarantees authenticity and trust, enabling you to unleash the full potential of your Java Applications with confidence.
Step 1: Create a file named eToken.cfg in the bin folder of your Java Development Kit (for example, C:\Program Files (x86)\Java\jdk1.7.0_05\bin) and write the following lines in it:
name=eToken
library=c:\WINDOWS\system32\eTPKCS11.dll
Step 2: Open your Java Development Kit folder in Windows Explorer.
Step 3: Browse to the “BIN” folder inside your Java Development Kit (JDK) folder, right-click it, and pick the action “Open Command window here.”
Step 4: List the code signing or EV code signing certificate that was issued on the hardware token.
keytool -list -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken.cfg
Enter keystore password: [enter password]
Keystore type: PKCS11
Keystore provider: SunPKCS11-eToken
Your keystore contains 1 entry
7800FA4C81523ACA, PrivateKeyEntry,
Certificate fingerprint (SHA2):XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
Note: The following field from the above output, 7800FA4C81523ACA, is the certificate alias, which you need to sign Java .jar files.
Step 5: Run the following command to sign the .jar file using your hardware token-based code signing certificate.
jarsigner -tsa http://timestamp.sectigo.com -verbose -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken.cfg "C:\path\to\file.jar" "7800FA4C81523ACA"
Note: You can change the timestamp URL in the command line based on your certificate authority. For example, if you are using DigiCert code signing, you can change the URL to http://timestamp.digicert.com.
Step 6: You will see the following output once the command has run in the command prompt.
Enter Passphrase for keystore:
adding: META-INF/7800FA4C.SF
requesting a signature timestamp
TSA location: http://timestamp.sectigo.com
adding: META-INF/7800FA4C.RSA
signing: SectigoTest.class
jar signed.
Step 7: That’s it. You have successfully signed your Java .jar files using a Comodo EV code signing certificate on the hardware token in Windows.
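To confirm the result of Steps 5 and 6, the signed file can be checked from the same JDK. The following is an added example, not part of the original tutorial: it re-reads every entry of the .jar so the JDK verifies its signature, and reports entries that are unsigned or lack the timestamp requested with -tsa. The class name VerifySignedJar is an assumption chosen for illustration.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (hypothetical class name): integrity and timestamp check of a signed .jar.
public class VerifySignedJar {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java VerifySignedJar <path-to-signed.jar>");
            System.exit(2);
        }
        int checked = 0, unsigned = 0, untimestamped = 0;
        // verify=true: digests and signatures are checked as each entry is read
        try (JarFile jar = new JarFile(args[0], true)) {
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jar.entries())) {
                // Simplification: skip directories and everything under META-INF/
                // (the manifest and the .SF/.RSA signature files are never signed themselves)
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    // Read to the end; a modified entry raises SecurityException here
                    while (in.read(buf) != -1) { }
                }
                checked++;
                CodeSigner[] signers = e.getCodeSigners(); // null when the entry is unsigned
                if (signers == null) {
                    unsigned++;
                    System.out.println("UNSIGNED: " + e.getName());
                    continue;
                }
                for (CodeSigner s : signers) {
                    X509Certificate leaf =
                        (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    String who = leaf.getSubjectX500Principal().getName();
                    if (s.getTimestamp() == null) {
                        untimestamped++;
                        System.out.println("NO TIMESTAMP: " + e.getName() + " (" + who + ")");
                    } else {
                        System.out.println("OK: " + e.getName() + " signed by " + who
                            + ", timestamped " + s.getTimestamp().getTimestamp());
                    }
                }
            }
        }
        boolean ok = checked > 0 && unsigned == 0 && untimestamped == 0;
        System.out.println(ok ? "All entries signed and timestamped." : "Verification FAILED.");
        System.exit(ok ? 0 : 1);
    }
}
```

This confirms that the signature matches the file contents and that a timestamp is present; it does not check whether the certificate chain leads to a trusted root.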