Jarsigner signs and verifies Java Archive (JAR) files. The JAR format packages class files, images, sounds, and other digital data into a single file for faster and easier distribution. The Jarsigner tool signs JAR files and verifies the integrity of the signature on a signed JAR file. To generate an entity's signature for a file, the entity must first have a public/private key pair and one or more certificates that authenticate its public key. A certificate is a digitally signed statement from one trusted entity asserting that the public key of another entity has a particular value.
The Jarsigner command uses key and certificate information from a keystore to generate digital signatures for JAR files. A keystore is a database of private keys and their associated X.509 certificate chains, which authenticate the corresponding public keys. The keytool command creates and administers keystores. Jarsigner uses an entity's private key to generate a signature, which is then attached to the JAR file. The signed JAR file contains, among other things, a copy of the keystore certificate for the public key that corresponds to the private key used for signing. Jarsigner can also verify the digital signature of a signed JAR file using the certificate carried inside it (in its signature block file).
The Jarsigner command can generate signatures that include a time stamp, which lets a system or deployer (including Java Plug-in) check whether the JAR file was signed while the signing certificate was still valid. In addition, APIs allow applications to obtain the timestamp information.
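As an added illustration of the verification described above (example code written for this page, not part of the guide or of Oracle's tooling), the following Java program opens a signed JAR with verification enabled, reads every entry so the JAR digests are checked, then uses the java.security API to pull the signer certificate and the signing timestamp out of the signature block and confirm the certificate was valid at the time of signing. The optional pinned certificate argument is an assumption: the caller supplies the certificate it expects the JAR to be signed with.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignatureCheck {

    // Manifest and signature-related files are not themselves signed content.
    static boolean isSignatureRelated(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF") || (n.startsWith("META-INF/")
            && (n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC")));
    }

    // Verifies that every content entry is signed, that digests match, and that the
    // signer certificate was valid at the signing timestamp (or now, if no timestamp).
    // If 'expected' is non-null (assumed caller-supplied), the signer must match it.
    static X509Certificate verify(String path, X509Certificate expected) throws Exception {
        try (JarFile jar = new JarFile(path, true)) {          // true = verify signatures
            X509Certificate signer = null;
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || isSignatureRelated(e.getName())) continue;
                // Digest checks happen while the entry is read; a mismatch throws SecurityException.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain entry */ }
                }
                CodeSigner[] signers = e.getCodeSigners();       // null means the entry is unsigned
                if (signers == null || signers.length == 0)
                    throw new SecurityException("unsigned entry: " + e.getName());
                X509Certificate cert =
                    (X509Certificate) signers[0].getSignerCertPath().getCertificates().get(0);
                Timestamp ts = signers[0].getTimestamp();          // from the signature block, if present
                Date signedAt = (ts != null) ? ts.getTimestamp() : new Date();
                cert.checkValidity(signedAt);                      // throws if expired/not yet valid then
                if (expected != null && !expected.equals(cert))
                    throw new SecurityException("unexpected signer: " + cert.getSubjectX500Principal());
                signer = cert;
            }
            if (signer == null) throw new SecurityException("JAR has no signed content entries");
            return signer;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("verified; signed by " + verify(args[0], null).getSubjectX500Principal());
    }
}
```

Passing a pinned certificate is what makes this check meaningful: a well-formed signature from any certificate, including a self-signed one, still passes the digest and validity checks, so trust in the signer has to be established separately.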
This integration guide covers all the information needed to install, configure, and integrate Oracle Jarsigner with Utimaco Hardware Security Modules (HSMs).