Signing Code with Jarsigner using Venafi CodeSign Protect

To sign code with a code signing certificate, we will use Jarsigner as the signing tool.

Before proceeding, make sure the Venafi Code Signing Client is installed and configured on Linux.

Follow these steps to set up the environment for jarsigner.

  1. Create a venafipkcs11.conf file in any directory and add the entries below to it (the later steps assume /root/venafipkcs11.conf)

›_ venafipkcs11.conf

name = VenafiPKCS11
library = "/opt/venafi/codesign/lib/venafipkcs11.so"
slot = 0

  2. Edit the java.security file of your Java installation and add the entries below

›_ java.security

#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.rsa.SunRsaSign
security.provider.3=sun.security.ec.SunEC
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
security.provider.10=sun.security.pkcs11.SunPKCS11 /root/venafipkcs11.conf

  3. Now sign the jar file using the command below

›_ Console

# jarsigner -verbose \
-keystore NONE \
-storetype PKCS11 \
-certs \
-storepass none \
-providerclass sun.security.pkcs11.SunPKCS11 \
-providerArg /root/venafipkcs11.conf \
helloworld.jar Test-uat-certificate

  4. To verify the signed jar file, run the command below

›_ Console

# jarsigner -verify \
-keystore NONE \
-storetype PKCS11 \
-storepass none \
-providerclass sun.security.pkcs11.SunPKCS11 \
-providerArg /root/venafipkcs11.conf \
helloworld.jar
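
Added example, not part of the original page or of Venafi's tooling: a pre-flight script for the setup above that checks the PKCS#11 config file and confirms that the SunPKCS11 entry in java.security carries the config path on the same line. The script name preflight.sh and the function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not Venafi's tooling); function names are hypothetical.
# Usage (hypothetical script name): sh preflight.sh CONF JAVA_SECURITY

# Print the value of KEY ($1) from a SunPKCS11 config file ($2), unquoted.
pkcs11_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' | head -n 1
}

# Return 0 if the config sets name, a numeric slot, and an absolute library
# path that exists and is not writable by group or others (the JVM loads it
# as native code, so whoever can replace it controls the signing process).
check_pkcs11_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    [ -n "$(pkcs11_value name "$conf")" ] || { echo "name is missing" >&2; return 1; }
    slot=$(pkcs11_value slot "$conf")
    case $slot in
        ''|*[!0-9]*) echo "slot must be a number, got '$slot'" >&2; return 1 ;;
    esac
    lib=$(pkcs11_value library "$conf")
    case $lib in
        /*) ;;
        *) echo "library must be an absolute path, got '$lib'" >&2; return 1 ;;
    esac
    [ -f "$lib" ] || { echo "library not found: $lib" >&2; return 1; }
    if [ -n "$(find -L "$lib" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "library is group- or world-writable: $lib" >&2; return 1
    fi
}

# Return 0 if java.security ($1) registers SunPKCS11 with config ($2) as the
# argument on the same line; a path left on the following line is not part
# of the provider entry and fails this check.
check_provider_line() {
    arg=$(awk -F= '/^[ \t]*security\.provider\.[0-9]+=/ && $2 ~ /SunPKCS11/ {
        split($2, part, /[ \t]+/); print part[2]; exit }' "$1")
    [ "$arg" = "$2" ] && return 0
    echo "SunPKCS11 entry in $1 does not name $2 (found '$arg')" >&2
    return 1
}

if [ $# -eq 2 ]; then
    check_pkcs11_conf "$1" && check_provider_line "$2" "$1" && echo "pre-flight OK"
fi
```

Run it before the signing step in a build job so a misconfigured provider fails early instead of surfacing as a jarsigner keystore error.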