Blogging this because it took far too long to figure out and because the documentation is spread across too many pages and isn't at all clear.
Generate some signing keys.
Answer some questions. The resulting FILENAME.keystore
file must be kept private. This generates a key that's valid for at least 1000 days. The java docs have more information
Sign the jar
This will sign the jar file with the private key in the FILENAME.keystore file. The signature and some other metadata will be written to the jar's manifest. The java docs have more information
, but not enough to actually be useful.
The -tsa parameter adds timestamping information to the signature so that, even after the private key has expired in 1000 days, java will be able to verify the signature against the timestamp. It's all magic really. Here's an ant task that can sign a jar file.
<target name="sign-plugin" depends="build" description="Sign a loadable plugin JAR file">
<!-- relies on the properties: plugin-jarfile -->
Run it at the command line like this:
$ ant sign-jar
It should ask for a password.
Export the public key certificate from the keystore
Now that the jar is signed and timestamped with the private key it's time to move the corresponding public key into a separate file. First export the public key into a certificate file, then import the certificate into a new keystore.
writes the certificate file USERNAME.cer. You can distribute the .cer file along with the jar file. Java systems can't use the .cer file directly - it must be imported into a new keystore to verify the jar.
Now Import the public key certificate into a new public
This generates a new keystore file which can be used to verify the jar signature and timestamp. The java docs might have more information
. The public keystore file can be shared with anyone, and might be more convenient for people to use.
Use the public key to verify the signed jar.
jarsigner -verify -keystore USERNAME-public.keystore JAR-signed.jar
This should give a success message
. Woo. Finally. Distribute the JAR-signed.jar and USERNAME-public.keystore files as necessary.
The comodo timetsamping
server seems likea good, reliable, free option. Your mileage may vary or something.