How to sign a jar

Create a keystore. I started with a p12.

Find the alias for the imported p12, if needed.

Sign the jar with jarsigner:

> jarsigner -keystore keystore.jks -tsa "http://www.example-tsa.com" myjartosign.jar "my alias in the keystore"

You will get a warning if you don’t use a URL to a TSA. I googled my certificate authority and looked up their TSA in their knowledge base.

In my case I used Comodo, and their TSA is “http://timestamp.comodoca.com/rfc3161”.

Finding an imported certificate’s alias in a java keystore

If you need to create a keystore, see “Create a Java keystore from a p12 file”. I started with a p12.

When you need your certificate out of a keystore you will need to know the alias of the certificate.
First list the keystore’s contents:
> keytool -list -keystore keystore.jks

You should expect output like this:
My websites’s comodo ca limited id, Jan 1, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): 45:32:13:3D:F2:1D:F7:DA:84:6A:43:DF:1E:86:B3:64CB:4B:3D

The alias is everything before the first comma:
My websites’s comodo ca limited id

Verify the alias:
> keytool -list -keystore keystore.jks -alias "My websites’s comodo ca limited id"

If it worked it should list the above certificate info, and now you have the alias.

Create a Java keystore from a p12 file

You will need a keystore to sign jars. In my case I was given a p12 file from my Certificate Authority. It took a while but I finally found how to make a keystore from my p12.

The destination keystore doesn’t need to exist before you import a p12; keytool creates it:

> keytool -v -importkeystore -srckeystore certificate.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS

Now the keystore will have the contents of the p12, which is the certificate and the key.

Sources:
http://www.webfarmr.eu/2010/04/import-pkcs12-private-keys-into-jks-keystores-using-java-keytool/
http://blog.jgc.org/2011/06/importing-existing-ssl-keycertificate.html

Java 7.51 – Applets must be signed

With the new Java update 7.51 all applets must follow new guidelines:

  1. All code for Applets and Web Start applications must be signed
  2. Permissions attribute in the manifest must be set, no default

What this means is any applet that currently exists that is not signed, has an expired certificate, or doesn’t have the permissions attribute will no longer work. As a side job I make sure photodepository.com works, and it was affected by this so here’s how to fix it.

Quick Answer:

  1. Buy a code signing certificate
  2. Re-sign your applet
  3. Done

Here’s how:

  1. Create a text file named manifestAdditions, next to the jar, for the manifest additions. Here are the contents:
    Permissions: all-permissions
    Application-Name: MyAppletName
  2. Extract your jar:
    > mkdir jarname
    > mv jarname.jar jarname
    > cd jarname
    > jar xf jarname.jar
  3. Remove the META-INF directory from the extracted files, and the old jar so that it is not packed into the new one:
    > rm -r META-INF/
    > rm jarname.jar
  4. Re-jar the applet and include the required manifest additions:
    > jar cfm jarname.jar ../manifestAdditions *
  5. Sign the jar. Here are my posts on the signing steps:
    Create a Java keystore from a p12 file
    Finding an imported certificate’s alias in a java keystore
    How to sign a jar