In order to make your J2ME mobile application trusted, it has to be digitally signed. I have realized that the most of the J2ME developers do not know how to digitally sign a MIDlet suite to add it to the trusted domain. Today I am going to discuss a lengthy article on how to sign jar file.
It is possible to use jarsigner utility for signing the JAR file digitally. Jarsigner is a utility that comes by default with the installation of the JDK (Java Development Kit). First open the command prompt and enter the command called jarsigner to check whether the jarsigner utility is available and ready to be used. Sometimes you will get the following error that says that jarsigner cannot be recognized as a command. If you do not get this error, you will be ended up by showing a list of commands available under the jarsigner utility.
The reason for this error is you have not set the class path for the java in your command prompt (This can be verified by invoking the javac command in the command prompt). Therefore it is required to set the class path for the JDK as follows.
Once the class path is set, the availability of the jarsigner utility should be verified again. Type jarsigner and press enter in the command prompt. You will see a list of commands available under the jar signer utility as follows.
Now it is possible to use the jarsigner utility to digitally sign your selected JAR file. Before signing the digitally signing process you may require to check whether the JAR file has already been signed or not. In oder to do this fist go into the directory where the relevant jar file is stored (In my case it is stored inside E:\J2ME>).then the verification can be done with the following command.
jarsigner -verify YourjarFieName.jar
If the verification is successful and the JAR file is already signed, the following message will be displayed.
Otherwise it will display the following error message to indicate the JAR file verification process is failed and JAR file is unsigned.
If it is unsigned, then you can start the signing process as below.
First it is required to create a set of keys that will be used for both JAR file signing process and the JAR file verification process. The following command can be used to create a keystore with key entries.
keytool -genkey -alias your-alias-name -keystore your-keystore-name
In my case, I used the following command to create a keystore with key entries.
keytool -genkey -alias chathurangaAlias -keystore chathurangaKeyStore
Then it prompted set of questions and those were answered as below.
Note: I have used 123456 as the password for both keystore and alias.
What is your first and last name?
[Unknown]: Chathuranga tennakoon
What is the name of your organizational unit?
[Unknown]: IT Department
What is the name of your organization?
[Unknown]: Chathuranga (pvt) Ltd
What is the name of your City or Locality?
What is the name of your State or Province?
[Unknown]: western province
What is the two-letter country code for this unit?
Is <CN=Chathuranga tennakoon, OU=IT Department, O=Chathuranga (pvt) Ltd,
L=colombo, ST=colombo, C=sl > correct?
If you successfully answer all the questions then it will create the keystore file in your current working directory with the given keystore name. In my case, the keystore file has been created in my current working directory as chathurangaKeyStrore.
After successfully creating the keystore file, it is the time to sign the JAR file using jarsigner utility. It can be done by using the following command.
jarsigner -keystore keystore-name -storepass keystore-password
-keypass key-password jar-file alias-name
Once the jar file is digitally signed, it will display the validity period of the certificate as displayed above. If you need to verify whether the JAR file has been successfully signed, you can use the following command as mentioned at the starting of this article.
jarsigner -verify YourjarFieName.jar
Then you can see that the message that says jar verified. That means the JAR file has been successfully signed.