2

I want to sign a JAR with my code and without keystores - using only the user's private key (because I have a lot of users and keys).

I've found the same question, but it uses keystores, and I want to do it using only PrivateKey or String. Is it possible and are there any libraries?

I'll try to clarify the task. For example, we have some user and some service. The user creates some module, packs it as a JAR and signs it using their own private key, which is stored locally in some DB as a String.

Then they send it to the service, and this service knows this user's public key (it is stored in the database too). And the service verifies this JAR.

I don't want to use keystores and aliases because I'll have to instantiate files on every JAR upload.

Mark Rotteveel
skayred
  • Currently I'm trying to use `JarSigner` sources, but without luck. I want to use a Java solution, because my system must be portable. But GPG may be suitable too – skayred Jun 15 '13 at 15:12
  • I was asking about what your "lot of users and keys" were already using, actually. You can have a peek at the source of the Maven GPG plugin if you want to use GPG. – fge Jun 15 '13 at 15:17
  • Okay, I'll try to use it. Currently I'm just creating an architecture and discovering the technologies – skayred Jun 15 '13 at 15:30
  • 1
    Does this answer your question? [How do you programmatically sign jar files in Java?](https://stackoverflow.com/questions/7688676/how-do-you-programmatically-sign-jar-files-in-java) – Emmanuel Bourg Apr 27 '23 at 08:17

1 Answer

-1

I signed the JAR using pom.xml. I'd be happy if it helps you:

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>ABC</groupId>
    <artifactId>applet</artifactId>
    <version>ABC</version>
    <packaging>jar</packaging>

    <name>applet</name>
    <url>http://maven.apache.org</url>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>

    <build>
        <plugins>

            <plugin>
                <groupId>org.aaa.bbb</groupId>
                <artifactId>keytool-maven-plugin</artifactId>
                <executions>
                    <execution>
                        <goals>
                            <goal>genkey</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <keystore>./target/chkey</keystore>
                    <alias>ch</alias>
                    <dname>cn=Organization Name, o=Org, l=xyz, st=mm, c=US</dname>
                    <keypass>pass</keypass>
                    <storepass>pass</storepass>
                </configuration>
            </plugin>

            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-jarsigner-plugin</artifactId>
                <version>1.2</version>
                <executions>
                    <execution>
                        <id>sign</id>
                        <goals>
                            <goal>sign</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <keystore>./target/chkey</keystore>
                    <alias>ch</alias>
                    <storepass>pass</storepass>
                    <keypass>pass</keypass>
                </configuration>
            </plugin>

        </plugins>
    </build>

    <dependencies>

        <dependency>
            <groupId>java</groupId>
            <artifactId>java-plugin</artifactId>
            <version>jre-1.8</version>
            <scope>provided</scope>
        </dependency>

    </dependencies>
</project>
```
Aniket
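
For the scenario described in the question (private key held as a String, service holding the matching public key), here is an added example that is not from the question or the answer: it produces a detached signature over the whole JAR file with `java.security.Signature`, which is a different technique from a jarsigner-format signature inside `META-INF`. It assumes RSA keys stored as Base64 PKCS#8 (private) and Base64 X.509 SubjectPublicKeyInfo (public); the class name, method names and sample data are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.security.spec.*;
import java.util.Base64;

public class DetachedJarSignature {
    // Rebuild the user's private key from the Base64 PKCS#8 string kept in the DB (assumed format).
    static PrivateKey privateKeyFrom(String b64) throws GeneralSecurityException {
        byte[] der = Base64.getDecoder().decode(b64);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    // Rebuild the public key the service stores, from Base64 X.509 SubjectPublicKeyInfo (assumed format).
    static PublicKey publicKeyFrom(String b64) throws GeneralSecurityException {
        byte[] der = Base64.getDecoder().decode(b64);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    // User side: sign every byte of the JAR; the signature travels next to the upload.
    static byte[] sign(Path jar, PrivateKey key) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(Files.readAllBytes(jar));
        return s.sign();
    }

    // Service side: verify before any class from the JAR is loaded; malformed signatures count as invalid.
    static boolean verify(Path jar, byte[] sig, PublicKey key) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(Files.readAllBytes(jar));
        try { return s.verify(sig); } catch (SignatureException e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: a throwaway key pair and a stand-in for the JAR bytes.
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(3072);
        KeyPair kp = g.generateKeyPair();
        String privStr = Base64.getEncoder().encodeToString(kp.getPrivate().getEncoded());
        String pubStr = Base64.getEncoder().encodeToString(kp.getPublic().getEncoded());
        Path jar = Files.createTempFile("module", ".jar");
        Files.write(jar, "constructed stand-in for JAR bytes".getBytes(StandardCharsets.UTF_8));

        byte[] sig = sign(jar, privateKeyFrom(privStr));
        System.out.println("untouched: " + verify(jar, sig, publicKeyFrom(pubStr)));
        Files.write(jar, new byte[] {0}, StandardOpenOption.APPEND); // simulate tampering after signing
        System.out.println("tampered:  " + verify(jar, sig, publicKeyFrom(pubStr)));
    }
}
```

A standard signed JAR needs an X.509 certificate chain in addition to the key: on JDK 9 and later, `jdk.security.jarsigner.JarSigner.Builder(PrivateKey, CertPath)` signs from in-memory objects without a keystore file, but a bare public key is not enough for that format.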