Digitally sign a jar file for distribution?

Similar Messages

• Is it possible to digitally sign a jar file that will be used to install CF in WebSphere?

  I am currently working for a contractor for the DoD. We are maintaining a project that uses CF installed as an application through WebSphere. We are currently going through a security checklist and being asked to provide evidence that the CF application has a digital signature. From what we can gather they are looking to see that the jar file installed into WebSphere is digitally signed. We have reached out to IBM, and have received a response that digital signatures are recognized by WebSphere.
  Unfortunately, it seems that those that are looking for the evidence do not know much more than what the checklist requirement states. They cannot provide more details or expand on what they need. Any assistance or advice in this matter would be appreciated.
  Thanks,

  Masterkeedu wrote: !! It worked.
  Congratulations. :-)
  Masterkeedu wrote: So it's not certified, but is signed.
  So as I understand this, it means the end-user has no way to know it was me that truly signed it. But relies on their common sense I suppose.
  That is correct. The CA has verified, and is certifying, that you are who you claim to be. If you or I use a 'self signed' certificate, it does not carry the same level of trust. As you might understand already, the dialogs are different between the two certificate types, and some users cannot accept trusted code from an unverified (self-signed) certificate.
  I have been meaning to write a page on the differences between the two certificates. It is well worth looking into getting a cert. from a CA.
  There was a stage when one of the major CAs were offering 'freemail' certificates that came emblazoned not with your name, but 'free mail' itself. I did not like them because of that, and continue to use a self-signed certificate.

• JAR Files for Distribution; Analogous to EXE?

  Hi everyone,
  I understand what JAR files are from the reading I've done, but I wonder, if I want to share my built program with others is JAR the only way to go, or the most common way? If not, what is?
  Can the use of JAR files be said to be analogous to the EXE type in Windows?
  Thanks!

  Based on my experience, the jar file is the only way to go. I have downloaded and used numerous jar files from other people; I have never ever used one of those EXE wrappers that people seem to be so fixated on. So yes, it's certainly the most common way of distributing Java software.

• Jar files for Didgital Signing

  Hi All,
  I have a requirement where I need to Access to Keystore for Digital signing an XML payload. I am using the example in the SAP help link - Link: [Using Digital Signatures|http://help.sap.com/saphelp_nw04s/helpdata/en/a4/d0201854fb6a4cb9545892b49d4851/frameset.htm] 
  I have already imported the following jar files (aii_af_cci.jar,aii_af_cpa.jar,aii_af_mp.jar, aii_af_ms_api.jar, aii_af_ms_spi.jar, aii_af_svc.jar, aii_af_trace.jar, aii_security_lib.jar, aii_security_interface.jar, iaik_jce.jar, tc_sec_ssf.jar).
  The code has the following import statements:
  import com.sap.aii.af.mp.module.*;
  import com.sap.aii.af.ra.ms.api.*;
  import com.sap.aii.af.mp.module.*;
  import com.sap.aii.af.ra.ms.api.*;
  import com.sap.aii.af.service.auditlog.*;
  import com.sap.aii.af.service.resource.SAPSecurityResources;
  import com.sap.aii.security.lib.KeyStoreManager;
  import com.sap.aii.security.lib.PermissionMode;
  import com.sap.security.core.server.ssf.SsfProfileKeyStore;
  import com.sap.security.api.ssf.ISsfProfile;
  import java.io.UnsupportedEncodingException;
  But even after the above imports I am still getting errors in resolving the following variables in the code.
    KeystoreManager
    keyStore
  What are import statements or jar files I am missing? and where can i find those jar files for making the example work?
  Thanks and Regards,
  Arunava
  Edited by: Arunava Das on Jun 6, 2008 7:05 PM

  Hi All,
  Im working on code which has
  import com.sap.security.api.ssf.ISsfProfile
  But i couldn't find the jar file for that. I think the the package is "com.sap.security.api.ssf".
  Please help me out, where can i get that jar file...?
  Warm Regards,
  DNK Siddhardha.

• Signing a jar file

  Guys, I've googled the crap out of this one. I need some help signing a jar file.
  Here is what I'm doing:
  1. Generating a key:
  keytool -genkey -keystore myKeyStore -alias myName2. Trying to sign the jar file:
  jarsigner -keystore myKeyStore -storepass myPassword -keypass myNamePassword myJar.jar myNameHere is the error I'm getting:
  jarsigner error: java.lang.RuntimeException: keystore load: Invalid keystore formatI'm using Ubuntu Linux.
  I wrote and built my project with Netbeans.
  Any ideas?

  Here is what the latest process looks like. What am I doing wrong?
  thomasaaron@ubuntu:~/Desktop$ keytool -genkey -alias thomasaaron -keystore myKeyStore
  Enter key store password: password1
  Enter key password for <thomasaaron>: password2
  You are about to enter information that will be incorporated into
  your certificate request. This information is what is called a
  Distinguished Name or DN. There are quite a few fields but you
  can use supplied default values, displayed between brackets, by just
  hitting <Enter>, or blank the field by entering the <.> character
  before hitting <Enter>.
  Common Name (hostname, IP, or your name): Thomas Aaron
  Organization Name (company) [The Sample Company]: Tom's Company
  Organizational Unit Name (department, division): Tom's Department
  Locality Name (city, district) [Sydney]: TommyLand
  State or Province Name (full name) [NSW]: Colorado
  Country Name (2 letter code) [AU]: US
  thomasaaron@ubuntu:~/Desktop$
  thomasaaron@ubuntu:~/Desktop$
  thomasaaron@ubuntu:~/Desktop$ jarsigner -storepass password1 -keystore myKeyStore SupportManager.jar thomasaaron
  jarsigner error: java.lang.RuntimeException: keystore load: Invalid keystore format

• How to sign multiple jar files using the same certificate..?

  hi,
  I want to run my application using Java Web Start.. i am using around 16 different jar files out of which around 13 are 3rd party component jars. I want to sign these jars using the same certifcate..., i am using the follwing code to sign the jars:
  (for the jar file ischeduler.jar)
  keytool -genkey -alias signFiles91 -keystore dtss -keypass dtss1351 -dname "cn=dtss" -storepass decisioncraft
  jarsigner -keystore dtss -storepass decisioncraft -keypass dtss1351 -signedjar signedischeduler.jar ischeduler.jar signFiles91
  keytool -export -keystore dtss -storepass decisioncraft -alias signFiles91 -file ischeduler.cer
  keytool -import -alias DCA2 -file ischeduler.cer -keystore Impischeduler -storepass ischeduler
  (for the jar file ischedulerclient.jar)
  keytool -genkey -alias signFiles92 -keystore dtss -keypass dtss1351 -dname "cn=dtss" -storepass decisioncraft
  jarsigner -keystore dtss -storepass decisioncraft -keypass dtss1351 -signedjar signedischedulerclient.jar ischedulerclient.jar signFiles92
  keytool -export -keystore dtss -storepass decisioncraft -alias signFiles92 -file ischeduler.cer
  keytool -import -alias DCA3 -file ischeduler.cer -keystore Impischeduler -storepass ischeduler
  but when i use the above signed jars in my application i get an error saying:
  "jars not signed by the same certificate"
  can someone plz tel me wher is the error....thanx
  andy

  Well for mulitple signing of jar files you can use ANT tool. Its easier and faster.
  Regarding the present problem -- hmm.. well it looks like you are using 2 different alias names for signing the jar file. Try using the same alias name and that might solve your problem.
  regards
  Saby

• Webstart : sign a jar file

  I have a desktop app that has to access local data files as well as network database server. At the moment, I have a executable jar file now when I try to run it with Webstart it complains about unsigned jar file asking for full access on a file. what do i need to sign a jar file. the jar file as is will work when someone double clicks the file icon but if the computer is not set up for java to open jar files, most likely if you have winzip , it will open the jar file. So other than the sdk what else do i need
  Thanks in advance

  thanks that was helpfull , but, I found a page on the suns web page which i found using another serch engine . I couldnt find it by searching this website.
  I apprectiat you taking the time, thanks

• Help Signing a JAR File

  I currently have the j2sdk1.4.2_04 and j2re1.4.2_04 installed on my computer along with NetBeans 3.6. Do I need any other tools to be able to sign JAR files? Many websites say that I need "jarsigner" utility bundled along with JDK1.2/1.3 and "keytool" utility bundled along with JDK1.2/1.3. Is this true? Where can I get the appropriate files to download so that I can proceed?

  If you have the j2sdk installed, you already have the jarsigner and keytool utility programs. You don't need any other tools to sign JAR files.
  Instructions for generating keys and signing a jar file can be found from the security tutorial: http://java.sun.com/docs/books/tutorial/security1.2/toolfilex/sender.html

• Signing of jar file

  Does it require to be sign the jar file only by a certificate authority?
  Will the self signed jars work in final deployment if the user trusts and is OK with it? (or the self signed is only for testing).

  Yes, self-signed jars will work in final production, if the user is willing to trust you. Keep in mind that the user will get a message specifically recommending that they not trust you.
  Chris

• Signing webutil jar files

  We are making a install package for our developers here for 10.1.2 forms. We would like to add the final signing of the jar files to the script so after the install is done the developers dont have to do anything to get going. Can we just sign the frmwebutil.jar and jacob.jar once and make them part of the install package for everyone or do those jar files have to be signed on each individual pc? The key is set in sign_webutil.bat and everybody is using the same default key anyway when they do a manual install.

  What Im doing is making and an enterprise wide install package for Developer Suite which allows the Developers to click a button and oracle Forms Developer suite will get installed on their pc with the latest patch 10.1.2.2. Someone asked me if we could incorporate the final step of signing the jar files iin the install package so the developers dont have to do that after the install is done. So, I can either write the script so that the two jar files are signed on each pc after the install done or I can just sign them now on my pc, put them in the install package and deploy them to each developer already signed. It would be simpler to just sign them once and give them to each develolper. Will that work or do the jar files have to be signed on each pc after they are deployed. Like I said, when the developers do a manual install of developer suite everybody uses the default key in the sign_webutil.bat file anyway.

• Problems Signing a Jar File.

  Hi Everyone
  I'm having problems signing a jar file.
  The applet in the jar file was previously signed by Duke.
  Now I want to re-sign it with my company name.
  So I unzip the jar file. I was careful to remove the manifest and the Duke .sa and .rsa. I re-signed it with the netscape signtool.
  The applet works. It presents the prompt that it is signed by my company. I grant session. Then another prompt appears and it says it is signed by duke.
  but i was careful to remove the duke signature and manifest file when i unzipped it. Is it possible that the fact that it is signed by duke is stored in the bytecode ??
  It is using the <object tag by the way.
  <OBJECT classid="clsid:CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA"
       WIDTH = "100%" HEIGHT = "50" border="0"
       codebase="http://www.homework911.com/java/j2re-1_3_1_02-win.exe#Version=1,3,1,2">
       <PARAM NAME = "CODE" VALUE = "com.s.SApplet"/>
       <PARAM NAME = "CODEBASE" VALUE = "/_phone"/>
       <PARAM NAME = "type" VALUE="application/x-java-applet;version=1.3"/>
  stev

  great suggestion - there are no other signed jar files on the browser for it to access. There is a winzip file but it has no rsa/dsa and signature file in it.
  perhaps it is accessing something else that was signed by duke ?
  Would it be possible for it to connect to a server program that was signed by duke and therefore present the prompt. ?
  I'm trying to get the original unsigned classes and see if i can recompile and sign it just in case then name duke is in byte code.
  any other thoughts as to what this code be ?
  stephen

• How to make .jar file for a multiple class program

  I have a code for a chat room that contains two folders , one for Server and one for Client
  What I need is to create a jar file for the server and a jar file for the clients
  but here the first problem , I have a file that named (SocketMessengerConstants.class) that is located outside the two folders and is being read by the two projects .
  I mean the server uses it while running and the client uses it too .
  the second problem is : I don't know how to create a jar file at all !
  please tell me how to do it in detail
  Thank you

  ChuckBing wrote:[Packaging Programs in JAR Files|http://java.sun.com/docs/books/tutorial/deployment/jar/index.html]
  I tried to read this tutorials before I come here but I couldn't understand it
  can you please tell me a specific steps to follow instead of the explaining .. because I understand the explanation but I can't apply it

• How to create a .jar file for the BPEL project

  hi all,
  how can i create a .jar file for my BPEL project, i am trying to deploy the project but getting an error :
  "Error: [Error ORABPEL-10902]: compilation failed [Description]: in "C:\OraBPELPM\integration\jdev\jdev\mywork\Workspace_BPELDemo\BPEL_Report\BPEL_Report.bpel", XML parsing failed because "". [Potential fix]: n/a. "
  and when doubel cliking on this error Jdev take me to the beginning of the ".bpel" file.
  I 'm really stuck in here i am not able to deploy the process!
  Thanks,
  Rana

  Rana:
  If you haven't already, I would post this question in the BPEL forum. I would expect a much better turnaround there.
  Johnny Lee

• Virus scan failed Error on deploying a web application having a jar file for calling the applet on the jsp page

  Hi,
  I have an applet application that i want to deploy on the Oracle cloud.
  So i have created a jar file for the applet application and i am using this jar to call the applet on a jsp page.
  But when i am delpoying my application on the java cloud, its giving me the below error:
  2014-10-28 03:16:41 CDT: Starting action "Virus Scan"
  2014-10-28 03:16:41 CDT: Virus Scan started
  2014-10-28 03:16:49 CDT: ----------------------------------------------------------------------
  2014-10-28 03:16:49 CDT: File Scanned: "Application7.ear".
  2014-10-28 03:16:49 CDT: File Size: "106698122".
  2014-10-28 03:16:49 CDT: File Status: "INFECTED".
  2014-10-28 03:16:49 CDT: ----------------------------------------------------------------------
  2014-10-28 03:16:49 CDT: Virus scan failed.
  2014-10-28 03:16:49 CDT: "Virus Scan" complete: status FAILED
  Can't we deploy any application having applet or swing component's onto the cloud?
  Or do we need to request for any extra permissions for the same?
  Thanks,
  Manoj

  I don't see applets mentioned in the supported features nor in the unsupported features so not sure if they are supported you would likely need to contact the operations team to confirm.
  Jani Rautiainen
  Fusion Applications Developer Relations
  https://blogs.oracle.com/fadevrel/

• Include an in-memory jar file for JSR-199 compilation

  I want to compile a source file in memory, which requires a jar file that is also represented in memory. I used the JavaSourceFromString class recommended in the documentation for the class JavaCompiler and in a demo I found online that shows how to compile sources represented as String in memory. To represent the jar file, I used a similar trick to JavaSourceFromString:
  public class JarJavaFileObjectFromByteArray extends SimpleJavaFileObject {
     * The contents of this jar file.
    private final byte[] contents;
     * Constructs a new JarJavaFileObjectFromByteArray given the name and binary
     * contents of a jar file.
     * @param name the name of this jar file
     * @param contents the contents of this jar file
    public JarJavaFileObjectFromByteArray(String name, byte[] contents) {
      super(newURI(name), Kind.OTHER);
      this.contents = contents;
    ... // code not shown ensures that the URI returned from newURI is of the form,
        // for instance, bytes:///MathConstants.jar, if the name of the jar file is MathConstants.jar
    @Override
    public InputStream openInputStream() throws IOException {
      return new ByteArrayInputStream(contents);
  }However, I do not know how to alert the compiler that this jar file should be on the classpath. I tried this:
  List<String> options = Arrays.asList(" -classpath bytes:///MathConstants.jar ");
  CompilationTask task = compiler.getTask(null, fileManager, null, options, null, compilationUnits);but I get the following error when calling getTask:
  java.lang.IllegalArgumentException: invalid flag: -classpath bytes:///MathConstants.jarI assume there is some way to tell the compiler, "look at the MathConstants.jar file that I am storing in memory when searching the classpath", but I do not know how to do this. I assumed that the options parameter for getTask represents command-line flags that would be passed to the compiler if this were happening on the command line (such as "-cp .", which also does not work), but perhaps this assumption is wrong.

  Hi Bruce,
  I have a question regarding loading a jar file by the compiler to dynamically compile with a source file. I hope you can probably offer me an idea on what has been missing or wrong with the source codes I have written for my application.
  I am using Eclipse compiler to dynamically compile a class. In the class, I want it to make a reference to a jar file for compilation dynamically.
  Here is the source of a test class I wrote:
  import javax.servlet.http.HttpServlet;
  class MyServlet extends HttpServlet {
  }The import statement refers to the class javax.servlet.http.HttpServlet from the jar file C:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\lib\\servlet-api.jar placed in the file system.
  In the method called compileClass (shown below), I used the path of the jar file to add to the option -classpath as you suggested.
       private static CompileClassResult compileClass(Writer out, String className, String classSource) {
            try {
                 JavaCompiler javac = new EclipseCompiler();
                 StandardJavaFileManager sjfm = javac.getStandardFileManager(null, null, null);
                 SpecialClassLoader scl = new SpecialClassLoader();
                 SpecialJavaFileManager fileManager = new SpecialJavaFileManager(sjfm, scl);
                 List<String> options = new ArrayList<String>();
                 options.addAll(Arrays.asList("-classpath", "C:\\Program Files\\Apache Software Foundation\\Tomcat 6.0\\lib\\servlet-api.jar"));
                 List<MemorySource> compilationUnits = Arrays.asList(new MemorySource(className, classSource));
                 DiagnosticListener<JavaFileObject> diagnosticListener = null;
                 Iterable<String> classes = null;
                 if (out == null) {
                      out = new PrintWriter(System.err);
                 JavaCompiler.CompilationTask compile = javac.getTask(out, fileManager, diagnosticListener, options, classes, compilationUnits);
                 boolean res = compile.call();
                 if (res) {
                      //Need to modify the api to return an array of two elements - one classes and other bytecodes for all classes in the same class file.
                      return CompileClassResult.newInstance(scl.findClasses(), scl.findByteCodes());
            } catch (Exception e) {
                 e.printStackTrace();               
            return null;
       }I also extended the class ForwardingJavaFileManager as you suggested and have it delegated to the StandardJavaFileManager sent to the compiler mentioned in the method compileClass above. The extended class (called SpecialJavaFileManager) is as follows:
  public class SpecialJavaFileManager extends ForwardingJavaFileManager<StandardJavaFileManager> {
       private SpecialClassLoader xcl;
       public SpecialJavaFileManager(StandardJavaFileManager sjfm, SpecialClassLoader xcl) {
            super(sjfm);
            System.out.println("SpecialJavaFileManager");
            this.xcl = xcl;
       public JavaFileObject getJavaFileForOutput(Location location, String name, JavaFileObject.Kind kind, FileObject sibling) throws IOException {
            System.out.println("getJavaFileForOutput");
            MemoryByteCode mbc = new MemoryByteCode(name);
            xcl.addClass(name, mbc);
            return mbc;
       public Iterable<JavaFileObject> list(JavaFileManager.Location loc, String pkg, Set kinds, boolean recurse) throws IOException {
            System.out.println("list ");
          List<JavaFileObject> result = new ArrayList<JavaFileObject>();
          for (JavaFileObject f : super.list(loc, pkg, kinds, recurse)) {
               System.out.println(f);
              result.add(f);
            return result;
  }I run the application and the result shows that it didn't load the jar file into the memory as expected. From the output (below) I got, it doesn't seem to invoke the method list(...) in the class SpecialJavaFileManager.
  SpecialJavaFileManager
  1. ERROR in \MyServlet.java (at line 1)
       import javax.servlet.http.*;
              ^^^^^^^^^^^^^
  The import javax.servlet cannot be resolved
  2. ERROR in \MyServlet.java (at line 3)
       class MyServlet extends HttpServlet {
                               ^^^^^^^^^^^
  HttpServlet cannot be resolved to a typeWould you please let me know what has possibly be missing or wrong?
  Thanks.
  Jonathan
  Edited by: jonathanlam on Aug 10, 2009 6:47 PM