We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now


How to sign JAR Files ?

datadesign asked
Medium Priority
Last Modified: 2013-11-23
i need detailed information how to build jar files, and then how to sign them with my verisign certificate...
(my .class files r in some different packages, and in the jar file is no information stored about the relative path !... i used jar-packager !)
thxs in advance
Watch Question


There is a detailed step-by-step description at:


If you already have a certificate and a .jar file,
you've already got the hard parts taken care of.

You'll generate your id, create the certificate
directive, create the DSA public/private key pair
and sign your jar file.  Then you rename it to .jar.
Take a look at the URL above, and you'll see exactly
what you need to do.  Your Verisign certificate
will be your certificate directive.

Hope that helps,



i need informations about jar packager ! cause it is very awful to create jar files 'by hand' if u have over 200 classes in different directories.

What is jar-packager?
Jar is like pkzip or unix tar.

It stores all the directories information thus, instead of a BIG copy&paste just check the following URL:

As for signing JAR files:


Jar Packager is a Java Program from Netscape, which can sign jar files, but i have problems using it....
I wouldn't recomend Jar Packager, as it is full of bugs. Zigbert, the command-line tool, which is also from Netscape is both faster to use and more reliable. But anyway I've been able to sign with Jar Packager if I do the following steps:

1. Start a new session of Netscape and open Jar Packager
2. Click on "Add File"
3. Double click on the class which you want to add into the jar
4. Click on "Add File"
5. Click on "Done"
6. Select all files and click on sign
7. Save your jar from File|Save

Now you should check if the jar contains the following files:
META-INF/xxxxxxxx.SF    (the name of these two files varies
META-INF/xxxxxxxx.RSA   depening on what your certificate is
(and your classes :-)

Note: your certificate must be a object signing certificate otherwise it won't work



Yep, i did that, but i have the problem, that my .class files are in packages, and when i add files to the jar, the jar packager saves the absolut path from the files, but i need the relative ones (e.g. \packages\myone\ not c:\packages\myone\ ) i think that is also the reason, why the webbrowser, didn't find the classes.
do u know how to solve that problem ?

Hmmm, I had the same problem trying to use a .zip file built by WinZip - I finally solved it by using the Macintosh program ZipIt, which allows explicitly specification of paths...
I believe your problem might have something to do with using packages inside JAR files.

JAR files are intended to behave in a tar/zip like fashion, only with the no compression flag on. That is, they create something akin to a package that can be loaded a lot faster not due to compression, but rather to the fact that you save considerably more time on the server (listener, socket open and close, etc.) when downloading one big file than what you load several smaller ones.

A package is actualy a naming convention that allows you to quickly find a file inside a packed (somwhat compressed) directory structure.

The problem seems to arrise when you combine both JAR and package  in the same file, Java can't figure out how to take care of it.

I ran into something like this back in 1.1, I had an app that worked fine without packages in a JAR file or with packages and no JAR, but not both.

In my apps case, I downloaded a JAR archiver from Gamelan (Sorry, don't rember which one) and that solved the problem. Evrything else I have written recently have been CORBA/JDBC apps so I haven't realy tried to figure out exactly what the problem is.

As far as I was able to determine the problem though, JAR files NEED a path to resolve (i.e.: a physicaly exsisting file), packages contain files (and dir structures) so the JAR extraction mechanism fails; so when you construct the JAR file, you need to specify in some fashion the paths to the files contained in the package. In escense, what russgold did.


use ZIP.EXE, included with the zigbert download from Netscape.
for example your root package is MyPackage. in directory C:\MyPackage
From c:\ run "ZIP -r MyJar.jar MyPackage"
This can then be signed by zigbert. Don't use Sun's tools for this since the generated signature-file is different , i.e. unreadable by NN4.0


Zipping is now clear, but how do i sign a .jar file with zigbert ? when i try to sign a .jar file with zigbert, it says, that there is no metafile !!! (i already defined the -d and the -k option with correct path and name) ?!!!?
The way in which the JavaKey command with options can be used to sign a JAR file is described as follows.

javakey can be used to sign and verify JAR files. (Note; verification is not yet implemented.) Java licensees are expected to honor the ignature generated using javakey.

At this time, javakey can sign the JAR file using DSA (Digital Signature Algorithm) or, in some cases, the MD5/RSA algorithm. That is,if the signer's public and private keys are DSA keys, javakey will sign the JAR file using DSA. If the signer's keys are RSA keys, javakey will try to sign the JAR file using the MD5/RSA algorithm. This is only possible if there is a statically installed provider supplying an implementation for the MD5/RSA algorithm.

For both the DSA and MD5/RSA algorithms, anyone who wants to sign files has both a public key and a private key. The private key is
used for signing, and a certificate of the public key is included in the signature file (in a PKCS #7 block).

Signing JAR Files
Signing a JAR file involves generating a signature for a given signer and including that signature in a given JAR file. It requires the signer to be in the database managed by javakey, along with an associated key pair and at least one X.509 certificate. Like certificate generation, generating a signature is directive-based. Each directive file contains a signer profile. A sample directive file might look like this:

        # JAR signing directive. This is the directive file used by javakey to
        # sign a JAR file.

        # Which signer to use. This signer must be in the database.


         # Certificate number to use for this signer. This determines which
         # certificate will be included in the PKCS#7 block. This is mandatory
         # and is 1-based. Its value should be the number that javakey
         # previously assigned to the signer's certificate when it generated it
         # (or imported it). You can see which numbers javakey assigns
          # to certificates by viewing the output of the
          # -ld or -li javakey option.


          # Certificate chain depth of a chain of certificates to include. This is
          # currently not supported.


          # The name to give to the generated signature file and associated signature
          # block. This must be 8 characters or less.
          # The generated signature file and associated signature block will have
          # this name, with the .SF and .DSA extensions, respectively.
          # In this example, the files will be DUKESIGN.SF and DUKESIGN.DSA.


          # (Optional) The name to give to the signed JAR file.


          Once the JAR file and the directive file have been created, the javakey command to sign a JAR file can be used. It is:
              javakey -gs directivefile jarfile

          where directivefile is the name (and path) of the directive file, and jarfile is the name (and path) of the JAR file.

The output of this command is a signed JAR file whose name will be the name specified by the value of the out.file property, if any,specified in the directive file. If there is no out.file property, the signed JAR file name will be the same as that of the initial JAR file,but with the suffix .sig.

The generated .SF and .DSA files will be added to the JAR file, in a META-INF directory. If the base name for these files is DUKESIGN,as in the example above, the files added will be:


Any files with these names in the signed JAR file will be overwritten.


Note: options may be specified with or without a preceding minus sign (-). Only one option may be specified per javakey command.

     -c identity {true|false}
          Creates a new identity with database username identity. The optional true or false designation specifies whether or not the identity is to be
          considered trusted. (The default is false.) For example, the following creates an identity named jane, and specifies that she is trusted:

              javakey -c jane true

     -cs signer {true|false}
          Creates a new signer with database username signer. The optional true or false designation specifies whether or not the signer is to be
          considered trusted. (The default is false.)

     -t idOrSigner {true|false}
          Sets (or resets) the trust level for the specified identity or signer.

          Lists the usernames of all entities (identities and signers) in the database managed by javakey.

          Lists and provides detailed information about all entities in the database managed by javakey.

     -li idOrSigner
          Provides detailed information about the specified identity or signer.

     -r idOrSigner
          Removes the specified identity or signer from the database.

     -ik identity keysrcfile
          Imports the public key in the file keysrcfile, associating it with the specified identity. The key must be in X.509 format.

     -ikp signer pubfile privfile
          Imports the key pair (the public key in the file pubfile and the private key in the file privfile), associating them with the specified signer. The
          keys must be in X.509 format.

     -ic idOrSigner certsrcfile
          Imports the public key certificate in the file certsrcfile, associating it with the specified entity (identity or signer). If a public key has already
          been associated with the entity in the datase, javakey ensures that it is the same as the public key certified in certsrcfile, and will report an
          error if they're not the same. If the entity does not yet have a public key associated with it, javakey will create the association, using the public
          key in certsrcfile.

     -ii idOrSigner
          Sets information for the specified identity or signer. After you type in an "import information" command such as

              javakey -ii jane

          you will be instructed to type as many lines of information you want to supply for jane, ending with a line containing a single period to signal the
          end of the information.

     -gk signer algorithm keysize {pubfile} {privfile}
          Generates a key pair (a public key and associated private key) for the specified signer using the specified algorithm, generating keys of length
          keysize bits. If a file pubfile is specified, the public key will be written to that file. If, in addition, a file privfile is specified, the private key will
          be written to that file. Do the latter with great care; private keys must remain private or your security system is compromised.

          The keysize limits for the algorithm, if any, are those described in Appendix B of the Java Cryptography Architecture API Specification &

          Note: javakey can always generate DSA (Digital Signature Algorithm) keys. It can generate keys for a different algorithm only if (1) the
          specified name is a standard key generation algorithm name such as RSA, and (2) there is a statically installed provider supplying an
          implementation for the specified key generation algorithm.

          Please note that there is no way to supply algorithm-specific key generation parameters, such as the p, q, or g parameters for the DSA

     -g signer algorithm keysize {pubfile} {privfile}
          Shortcut for the -gk command to generate a key pair for the specified signer.

     -gc directivefile
          Generates a certificate according to information supplied in the directivefile. See Generating a Certificate.

     -dc certfile
          Displays the certificate stored in the file certfile. See Certificates and Files.

     -ec idOrSigner certnum certoutfile
          Exports the certificate numbered certnum from the specified idOrSigner to the file certoutfile. The certificate number must be the number that
          javakey previously assigned to the certificate when it generated it (or imported it). To see which numbers javakey assigns to certificates, view
          the output of the -ld (for all entities) or -li (for a particular entity) option.

     -ek idOrSigner pubfile {privfile}
          Exports the public key for the specified identity or signer, and optionally the private key (for a signer), to the specified file(s). The keys are
          encoded in X.509/DER format.

     -gs directivefile jarfile
          Signs the specified JAR (Java ARchive) file according to information supplied in the directivefile. See JAR Files and Digital Signatures.


     To create a trusted identity called jane and a trusted signer called joe, use the following commands:

         javakey -c jane true
         javakey -cs joe true

     Suppose jane sends her public key by email to joe and he stores the key in the file named \tmp\jane_pubkey. It must be encoded in X.509/DER
     format. To import and associate that key with jane's identity in the persistent database managed by javakey, joe (or a system administrator) enters
     the following command:

         javakey -ik jane \tmp\jane_pubkey

     Let's also assume joe has a public and private key pair that he used in another context. He now wants to associate that key pair with his own
     username identifier in the database. He does this with the following command, assuming that the public key is stored in \tmp\joe_pubkey and the
     private key in \tmp\joe_privkey:

         javakey -ikp joe \tmp\joe_pubkey \tmp\joe_privkey

     The keys must both be in X.509 format. They must be for the same algorithm, of course.

     To generate a new key pair for joe instead of using an existing key pair, the following command could be used:

         javakey -gk joe DSA 512 \tmp\joe_pubkey

This command creates a DSA key pair, with 512-bit keys, and associates it with joe. The -gk command also optionally saves a copy of the public key in a file. The example uses the file \tmp\joe_pubkey. One reason joe might want to save the public key in a file is so that he can mail a copy of
     it to jane or anyone else who needs it (e.g., to verify joe's digital signatures of files). This command also optionally lets joe specify a file to which to save the private key, if needed. However, saving the private key to a file should be done with great care.

     Before joe can sign any files, he must have one or more certificates associated with him, authenticating his public key. In order to generate a certificate for him, a directive file must first be created, specifying various information about joe and about the certificate issuer, the certificate's validity dates, etc. Suppose such a file has been generated (see Certificates), and its name is joeCertDirectiveFile, in the \tmp\ directory. A certificate for joe can then be generated by the command

         javakey -gc \tmp\joeCertDirectiveFile

As described in JAR Files and Digital Signatures, signing a JAR file also requires the use of a directive file providing information required for the signature, such as the signer name and the number of the certificate to use for that signer. The command to sign the JAR file named jarfileA.jar,using the directive file joeJarDirectiveFile is:

         javakey -gs joeJarDirectiveFile jarfileA.jar

Hope it helps you out...


Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.