File Signing: Installing Java and Signing a File
1. Installing Java. If you do not already have Java 2
installed on your computer you can download it from
here. Follow the
directions for installing.
2. Creating a Class File. The source code for the application
that you will be signing in this tutorial can be downloaded and is
Copy.java. As its name suggests, this program will make a copy of itself,
which requires the ability to read and write. After downloading
Copy.java, create a folder called java signing where you will keep all
the files required for this tutorial and move Copy.java to it. Open a
command prompt, navigate to your java signing folder and issue the
command javac Copy.java. You can also now test the program if you wish
by issuing the command java Copy. You should see the output “file
copied” and a file called “output.txt” should have been created in the
java signing folder.
3. Create a JAR. The first step to signing any piece of code is
to create a JAR file, which will contain the code you wish to sign. You
can also sign a text file as long as you create a JAR file containing
the text. Now, with the class file created, create a JAR containing the
class file by using the jar cvf Copy.jar Copy.class command.
4. Create a Key. To generate a key pair you will use the KeyTool.
This process will also create your keystore, which is the database that
will store keys. The database will be created in the current directory.
To generate the keys use
keytool -genkey -alias signFiles -keypass kps135 -keystore senderstore -storepass ab987c
To fully understand the command, a brief explanation is provided.
- genkey is the command for generating the keys
- alias signFiles indicates the alias to be used in the future
to refer to the keystore entry containing the keys that you are
- keypass kps135 specifies the password that is required to
access the keystore entry containing the keys
- keystore senderstore will be your name or initials followed by
store to indicate the name of the keystore that will hold the keys
- storepass ab987c specifies the keystore password that is
required to access the keystore.
Both the -keypass and -storepass values are echoed on screen, which creates
a security risk. For this reason these options should be left off when
generating keys, and the passwords typed only when you are prompted for them.
After using the –genkey flag you will be prompted for the information
required to generate the keys. If you do not wish to enter in specific
pieces of information it will be filled in with Unknown. After filling
out the certificate you will be prompted to confirm the information for
your certificate with a y or n.
5. Sign the JAR. After creating your keys you are now ready to
sign the JAR using the private key in the keystore entry aliased by
signFiles. To sign the JAR file use
jarsigner -keystore senderstore -signedjar signedCopy.jar Copy.jar signFiles
You will be prompted for the keystore password ab987c and the private
key password kps135.
6. Export the Public Key Certificate. To create a public key
certificate to send to the recipient, use keytool to export the
certificate for the key that was used to sign the JAR file from the
keystore. Use the following command to export the certificate:
keytool -export -keystore senderstore -alias signFiles -file sender.cer
You will be prompted for the keystore password, which is ab987c.
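
Steps 3 to 6 as one script, added here as an example and not part of the original tutorial; it also checks the signature with jarsigner -verify and prints the exported certificate's fingerprints. It assumes a SIGN_PASS environment variable (a hypothetical name) holding one password for both keystore and key, an RSA key, a constructed -dname and a constructed note.txt in place of Copy.class; the password reaches keytool and jarsigner through their :env modifier, so it stays off the command line.

```shell
#!/bin/sh
# Added example: tutorial steps 3-6 with no password typed as an argument.
# Assumed, not from the page: SIGN_PASS, the -dname value, the RSA key
# settings, and note.txt as the constructed file that gets signed.

sign_demo() {
    dir=$1
    # Refuse to run unless the password is already in the environment.
    [ -n "${SIGN_PASS:-}" ] || { echo "set SIGN_PASS first" >&2; return 2; }
    for tool in jar keytool jarsigner; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found" >&2; return 3; }
    done
    export SIGN_PASS
    (
        cd "$dir" || exit 1
        # Step 3: a JAR around a constructed sample file.
        echo "constructed sample payload" > note.txt
        jar cf Copy.jar note.txt || exit 1

        # Step 4: same alias and keystore name as the tutorial. -keyalg is
        # given explicitly instead of relying on the JDK's default, and
        # -dname answers the certificate questions without prompting.
        keytool -genkey -alias signFiles -keyalg RSA -keysize 2048 \
            -dname "CN=Example Sender" -keystore senderstore \
            -storepass:env SIGN_PASS -keypass:env SIGN_PASS || exit 1

        # Step 5: sign, then confirm the signature before sending anything.
        jarsigner -keystore senderstore -storepass:env SIGN_PASS \
            -signedjar signedCopy.jar Copy.jar signFiles || exit 1
        jarsigner -verify signedCopy.jar | grep -q "jar verified" || exit 1

        # Step 6: export the certificate and print its fingerprints so the
        # recipient can compare them over a separate channel.
        keytool -export -keystore senderstore -alias signFiles \
            -file sender.cer -storepass:env SIGN_PASS || exit 1
        keytool -printcert -file sender.cer
    )
}

# Runs only when given an existing directory, with SIGN_PASS already
# exported (for example, read from a silent prompt): sh sign_demo.sh <dir>
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    sign_demo "$1"
fi
```
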