Wednesday, July 20, 2011

JAR Signing and Verification

In order for a J2ME mobile application to be trusted, it has to be digitally signed. I have noticed that most J2ME developers do not know how to digitally sign a MIDlet suite so that it can be placed in a trusted protection domain. Today I am going to walk through, at some length, how to sign a JAR file.

The jarsigner utility can be used to sign a JAR file digitally. jarsigner ships with every installation of the JDK (Java Development Kit). First open a command prompt and run jarsigner to check that the utility is available and ready to be used. You may get an error saying that jarsigner is not recognized as a command. If you do not get this error, jarsigner prints its usage text, listing the options it supports.

The reason for this error is that the bin directory of your JDK installation (which holds jarsigner, keytool, javac and java) is not on the PATH of your command prompt, not a classpath problem; you can confirm this by running javac in the same prompt, which will fail the same way. Add the JDK's bin directory to the PATH environment variable and open a new command prompt.

Once the PATH is set, check the availability of jarsigner again: type jarsigner and press Enter in the command prompt. jarsigner's usage text, listing its options, should now be printed.

Now jarsigner can be used to sign your JAR file. Before signing, you may want to check whether the JAR file has already been signed. To do this, first change into the directory where the JAR file is stored (in my case E:\J2ME), then run:
jarsigner -verify YourJarFileName.jar

If the JAR file is already signed and its signature matches its contents, the following message is displayed.
jar verified.
Otherwise jarsigner reports that the JAR is unsigned (jar is unsigned.), or, if signature files are present but do not match the contents, that verification failed.

If it is unsigned, then you can start the signing process as below.

First you need a key pair: the private key is used to sign the JAR file, and the matching certificate (public key) is what verifiers use to check the signature. The following keytool command generates a key pair with a self-signed certificate and stores it in a keystore. It is worth adding -keyalg RSA (older JDKs default to a 1024-bit DSA key, and the MIDP signing attributes are RSA-based) and -validity with a number of days, since the default certificate lifetime is only 90 days.

keytool -genkey -alias your-alias-name -keystore your-keystore-name

In my case, I used the following command to create a keystore with key entries.

keytool -genkey -alias chathurangaAlias -keystore chathurangaKeyStore

It then prompted a set of questions, which I answered as below.

Note: I used 123456 as the password for both the keystore and the key. That is a throwaway value for this demo; a real signing key should be protected with a strong password.

    What is your first and last name?
      [Unknown]:  Chathuranga tennakoon
    What is the name of your organizational unit?
      [Unknown]:  IT Department 
    What is the name of your organization?
      [Unknown]:  Chathuranga (pvt) Ltd 
    What is the name of your City or Locality?
      [Unknown]:  colombo
    What is the name of your State or Province?
      [Unknown]:  western province
    What is the two-letter country code for this unit?
      [Unknown]:  sl 
    Is <CN=Chathuranga tennakoon, OU=IT Department, O=Chathuranga (pvt) Ltd,
        L=colombo, ST=western province, C=sl> correct?
      [no]:  yes

If you answer all the questions, keytool creates the keystore file in your current working directory under the given name; in my case it was created as chathurangaKeyStore. (keytool accepted sl as the country code here, but the ISO 3166 code for Sri Lanka is actually LK.)

After the keystore has been created, it is time to sign the JAR file with the jarsigner utility. This is done with the following command.

jarsigner -keystore keystore-name -storepass keystore-password -keypass key-password jar-file alias-name

Passing -storepass and -keypass on the command line leaves the passwords in your shell history and visible to anyone who can list running processes; if you omit them, jarsigner prompts for them interactively instead. -keypass is only needed when the key password differs from the keystore password.

Once the JAR file is digitally signed, jarsigner reports the validity period of the signing certificate. To confirm that the signing succeeded, run the verification command from the start of this article again.

    jarsigner -verify YourJarFileName.jar

You should now see the message jar verified., which means the signature files jarsigner added under META-INF match the JAR's contents. Running jarsigner -verify -verbose -certs YourJarFileName.jar additionally lists each entry, whether it is signed, and the certificate that signed it. Two caveats for J2ME: jarsigner -verify only proves that the JAR is intact and was signed with the key belonging to the certificate embedded in it; a device places a MIDlet suite in a trusted domain only if that certificate chains to a root certificate the device already holds, which a self-signed certificate from keytool -genkey never does. Also, the MIDP 2.0 security model carries the signature in the JAD (the MIDlet-Jar-RSA-SHA1 and MIDlet-Certificate-1-1 attributes) rather than in the JAR's META-INF directory, so for a real device you will need a certificate issued by a CA the device trusts and a JAD-signing tool such as the one in the Sun Wireless Toolkit.
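To make concrete what jar verified. actually checks, here is an added Python example that is not part of the original post: it models the digest layer of a JAR signature. jarsigner writes a MANIFEST.MF with a digest of every entry, a .SF file with a digest of the manifest and of each manifest section, and finally a PKCS#7 signature block (the .RSA file) over the .SF. The example builds the first two layers, verifies a JAR against them, and shows the two failure modes a practitioner cares about: a class patched after signing (caught), and an entry dropped in after signing (not caught as a mismatch, only reported as unsigned, which is exactly why jarsigner warns about "unsigned entries"). The signature block over the .SF is deliberately omitted, so this demonstrates integrity checking, not signer authentication. The signature file name META-INF/DEMO.SF and the sample class and icon bytes are constructed for the example.

```python
import base64
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
SIG_FILE = "META-INF/DEMO.SF"   # hypothetical name; jarsigner uses <ALIAS>.SF

# Constructed sample contents of a tiny MIDlet suite (not a real class file or PNG).
SAMPLE_FILES = {
    "Hello.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x31 constructed class bytes",
    "icon.png": b"\x89PNG constructed icon bytes",
}


def _b64sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def _parse_sections(text: bytes):
    """Parse a manifest-style file into (main_attrs, {Name: (attrs, raw_section_bytes)}).
    Raw section bytes are kept because the .SF digests exactly those bytes."""
    sections, attrs, raw, last_key = [], {}, b"", None
    for line in text.splitlines(keepends=True):
        raw += line
        stripped = line.rstrip(b"\r\n")
        if stripped == b"":                               # blank line ends a section
            if attrs:
                sections.append((attrs, raw))
            attrs, raw, last_key = {}, b"", None
        elif stripped.startswith(b" ") and last_key:     # continuation of a long value
            attrs[last_key] += stripped[1:].decode("utf-8")
        else:
            key, _, value = stripped.decode("utf-8").partition(": ")
            attrs[key] = value
            last_key = key
    if attrs:
        sections.append((attrs, raw))
    main = sections[0][0] if sections else {}
    named = {a["Name"]: (a, r) for a, r in sections[1:] if "Name" in a}
    return main, named


def build_signed_jar(files: dict) -> bytes:
    """Write MANIFEST.MF (one SHA-256 digest per entry) and a .SF that digests the whole
    manifest and each manifest section. jarsigner would then sign the .SF with the private
    key and store the PKCS#7 result as <ALIAS>.RSA; that step is left out here."""
    sections = {n: f"Name: {n}\r\nSHA-256-Digest: {_b64sha256(d)}\r\n\r\n".encode()
                for n, d in files.items()}
    manifest = b"Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n" + b"".join(sections.values())
    sf = (b"Signature-Version: 1.0\r\nSHA-256-Digest-Manifest: " + _b64sha256(manifest).encode()
          + b"\r\n\r\n"
          + b"".join(f"Name: {n}\r\nSHA-256-Digest: {_b64sha256(s)}\r\n\r\n".encode()
                     for n, s in sections.items()))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(MANIFEST, manifest)
        z.writestr(SIG_FILE, sf)
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


def verify_jar(jar_bytes: bytes) -> dict:
    """Check the digest chain entry -> manifest section -> .SF. Returns
    {'verified': bool, 'problems': [...], 'unsigned': [entries with no manifest/.SF entry]}."""
    problems, unsigned = [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = z.namelist()
        if MANIFEST not in names or SIG_FILE not in names:
            return {"verified": False, "problems": ["jar is unsigned"], "unsigned": []}
        manifest = z.read(MANIFEST)
        _, man_sections = _parse_sections(manifest)
        sf_main, sf_sections = _parse_sections(z.read(SIG_FILE))
        # 1. the .SF must commit to the manifest as a whole
        if sf_main.get("SHA-256-Digest-Manifest") != _b64sha256(manifest):
            problems.append("manifest digest in .SF does not match MANIFEST.MF")
        # 2. each .SF section must commit to the matching manifest section
        for name, (attrs, _) in sf_sections.items():
            if name not in man_sections:
                problems.append(f"{name}: listed in .SF but missing from manifest")
            elif attrs.get("SHA-256-Digest") != _b64sha256(man_sections[name][1]):
                problems.append(f"{name}: manifest section digest mismatch")
        # 3. each entry's content must match its manifest digest; an entry with no
        #    manifest/.SF section is not a mismatch, it is simply unsigned
        for name in names:
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            if name not in man_sections or name not in sf_sections:
                unsigned.append(name)
            elif man_sections[name][0].get("SHA-256-Digest") != _b64sha256(z.read(name)):
                problems.append(f"{name}: content digest mismatch")
    return {"verified": not problems, "problems": problems, "unsigned": unsigned}


def tamper(jar_bytes: bytes, name: str, new_data: bytes) -> bytes:
    """Replace or add one entry without touching META-INF, as someone editing a signed JAR would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for n in src.namelist():
            dst.writestr(n, new_data if n == name else src.read(n))
        if name not in src.namelist():
            dst.writestr(name, new_data)
    return buf.getvalue()


if __name__ == "__main__":
    good = build_signed_jar(SAMPLE_FILES)
    print("clean jar:    ", verify_jar(good))
    print("patched class:", verify_jar(tamper(good, "Hello.class", b"backdoored")))
    print("extra entry:  ", verify_jar(tamper(good, "Extra.class", b"dropped in after signing")))
```

The third case is the one to remember when reading jarsigner output: an attacker cannot alter a signed entry undetected, but can add new entries, which is why a "jar verified." that is accompanied by an unsigned-entries warning should not be treated as a clean result.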
