gjarsigner - Java ARchive (JAR) file signing and verification tool
jarsigner [ OPTION
]... FILE ALIAS
When the first form is used, the tool signs the designated JAR file. The second
form, on the other hand, is used to verify a previously signed JAR file.
is the .JAR file to process; i.e., to sign if the first syntax form
is used, or to verify if the second syntax form is used instead.
must be a known Alias
of a Key Entry
designated Key Store
. The private key material associated with this
is then used for signing the designated .JAR file.
The following options may be used when the tool is used for either signing, or
verifying, a .JAR file.
- Use this option to force the tool to generate more verbose
messages, during its processing.
- When present, the tool will include --which otherwise it
does not-- the ".SF" file in the ".DSA" generated
- When present, the tool will include in the ".SF"
generated file --which otherwise it does not-- a header containing a hash
of the whole manifest file. When that header is included, the tool can
quickly check, during verification, if the hash (in the header) matches or
not the manifest file.
- -provider PROVIDER_CLASS_NAME
- A fully qualified class name of a Security Provider
to add to the current list of Security Providers already installed
in the JVM in-use. If a provider class is specified with this option, and
was successfully added to the runtime --i.e. it was not already
installed-- then the tool will attempt to remove this Security
Provider before exiting.
- Prints a help text similar to this one.
The following options may be specified when using the tool for signing purposes.
- -keystore URL
- Use this option to specify the location of the key store to
use. The default value is a file URL referencing the file named
.keystore located in the path returned by the call to
"user.home" as argument.
If a URL was specified, but was found to be malformed --e.g. missing
protocol element-- the tool will attempt to use the URL value as a
file-name (with absolute or relative path-name) of a key store --as if the
protocol was "file:".
- -storetype STORE_TYPE
- Use this option to specify the type of the key store to
use. The default value, if this option is omitted, is that of the property
"keystore.type" in the security properties file, which is
obtained by invoking the static method call "getDefaultType()"
- -storepass PASSWORD
- Use this option to specify the password which will be used
to unlock the key store. If this option is missing, the User will be
prompted to provide a password.
- -keypass PASSWORD
- Use this option to specify the password which the tool will
use to unlock the Key Entry associated with the designated
If this option is omitted, the tool will first attempt to unlock the Key
Entry using the same password protecting the key store. If this fails,
you will then be prompted to provide a password.
- -sigfile NAME
- Use this option to designate a literal that will be used to
construct file names for both the ".SF" and ".DSA"
signature files. These files will be generated, by the tool, and placed in
the META-INF directory of the signed JAR. Permissible characters
for NAME must be in the range "a-zA-Z0-9_-". All
characters will be converted to upper-case ones.
If this option is missing, the first eight characters of the ALIAS
argument will be used. When this is the case, any character in
ALIAS that is outside the permissible range of characters will be
replaced by an underscore.
- -signedjar FILE
- Use this option to specify the file name of the signed JAR.
If this option is omitted, then the signed JAR will be named the same as
FILE; i.e., the input JAR file will be replaced with the signed
The following options may be specified when using the tool for verification
- Use this option to indicate that the tool is to be used for
- This option is used in conjunction with the -verbose
option. When present, along with the -verbose option, the tool will
print more detailed information about the certificates of the signer(s)