How To Sign Java .jar Files Using an EV Code Signing Certificate

Use the jarsigner command-line tool to sign Java .jar files

1. Create a file named eToken.cfg that contains the following lines, and save it to your JDK bin folder (e.g. C:\Program Files (x86)\Java\jdk1.7.0_05\bin).

name=eToken
library=c:\WINDOWS\system32\eTPKCS11.dll

2. In Windows Explorer, navigate to the JDK folder.

3. In the JDK folder, do the following:

  • Press and hold Shift.

  • Right-click the bin folder.

  • Select 'Open command window here'.

4. To view the Sectigo EV Code Signing Certificate, as well as the certificate alias on the token, do the following:

  • Plug in your token.

  • Run the following command from the command prompt:

keytool -list -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken.cfg

  • Enter keystore password: [enter password]

Sample output:

Keystore type: PKCS11
Keystore provider: SunPKCS11-eToken
Your keystore contains 1 entry
LWRCNIB4RGJRA8Am, PrivateKeyEntry,
Certificate fingerprint (SHA2):

In this example, LWRCNIB4RGJRA8Am is the certificate alias that you use to sign .jar files.

To use your EV code signing certificate token to sign file.jar, do the following:

  • Run the following command from the command prompt:

jarsigner -tsa http://timestamp.sectigo.com -verbose -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken.cfg "C:\path\to\file.jar" "LWRCNIB4RGJRA8Am"

If the command executes successfully, you should see output similar to the following:

Sample output:

Enter Passphrase for keystore:
adding: META-INF/9300JT2P.SF
requesting a signature timestamp
TSA location: http://timestamp.sectigo.com
adding: META-INF/9300JT2P.RSA
signing: Comodoca
jar signed.
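
To confirm the result after signing, the following Java program opens the jar with verification enabled and reports whether every entry is signed and carries a timestamp from the TSA. It is an added example, not part of the original instructions; the class name CheckSignedJar is hypothetical and only standard JDK classes are used.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.util.Enumeration;
import java.util.Locale;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (hypothetical class name): checks a jar that was signed with jarsigner.
public class CheckSignedJar {
    // Signature bookkeeping files directly under META-INF are not signed entries themselves.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase(Locale.ENGLISH);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) != -1) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.startsWith("META-INF/SIG-")
            || n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC");
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) throw new IllegalArgumentException("usage: java CheckSignedJar <file.jar>");
        int signed = 0, unsigned = 0, noTimestamp = 0;
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(args[0], true)) { // true = verify signatures while reading
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureFile(entry.getName())) continue;
                // Signers are only available once the entry has been read to the end;
                // an entry modified after signing makes read() throw SecurityException.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* discard contents */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    unsigned++;
                    System.out.println("UNSIGNED: " + entry.getName());
                    continue;
                }
                signed++;
                for (CodeSigner s : signers) {
                    if (s.getTimestamp() == null) noTimestamp++; // signature has no TSA timestamp
                }
            }
        }
        System.out.println(signed + " signed, " + unsigned + " unsigned, " + noTimestamp + " without timestamp");
        System.exit(signed > 0 && unsigned == 0 && noTimestamp == 0 ? 0 : 1);
    }
}
```

Compile it with javac and run it as java CheckSignedJar "C:\path\to\file.jar". It checks entry digests and signature integrity only, not whether the certificate chains to a trusted root; jarsigner -verify -verbose -certs reports on the certificate chain as well.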