11 Jun 2020

Signing .jar files with an existing certificate on Windows

  1. Install JDK

  2. Jump into the JDK binary folder (quote the path, since it contains a space):

         cd "C:\Program Files\Java\jdk-14.0.1\bin"

  3. Create a Java signing keystore from your existing .p12:

         keytool -importkeystore -srckeystore c:\jarfiles\duff.p12 -srcstoretype pkcs12 -destkeystore c:\jarfiles\duff.jks -deststoretype JKS

  4. Update the keystore if the previous command tells you to. It’ll say: “The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore c:\jarfiles\duff.jks -destkeystore c:\jarfiles\duff.jks -deststoretype pkcs12".” Do that:

         keytool -importkeystore -srckeystore c:\jarfiles\duff.jks -destkeystore c:\jarfiles\duff.jks -deststoretype pkcs12

  5. Confirm the keystore alias, because you’ll need it in the next command:

         keytool -list -keystore c:\jarfiles\duff.jks -v

     It’s right near the top of this output. Mine was “codesigningcert” as an example.

  6. Sign something to test. The last argument is the alias from step 5:

         jarsigner -tsa http://timestamp.digicert.com -keystore c:\jarfiles\duff.jks -storepass {PASSWORD} c:\jarfiles\myjar.jar codesigningcert

  7. Confirm it’s signed:

         jarsigner -verify c:\jarfiles\myjar.jar -verbose -certs -strict
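
Steps 3 and 5 to 7 as one PowerShell script, added here as an example (it is not part of the original post). It passes the keystore password through an environment variable with the tools' `:env` modifier instead of putting it on the command line, reads the alias from the listing, and stops on any non-zero exit code. Assumptions: the variable name `KS_PASS`, a keystore with a single entry, the .p12 password reused for the new keystore, and English keytool output.

```powershell
# Added example. Paths are the ones used in the steps above; the variable
# name KS_PASS is an assumption of this example.
$jdkBin    = 'C:\Program Files\Java\jdk-14.0.1\bin'
$keytool   = Join-Path $jdkBin 'keytool.exe'
$jarsigner = Join-Path $jdkBin 'jarsigner.exe'
$p12       = 'c:\jarfiles\duff.p12'
$keystore  = 'c:\jarfiles\duff.jks'
$jar       = 'c:\jarfiles\myjar.jar'

# Read the password without echo and hand it to the tools through an
# environment variable of this process (the :env modifier), so it is not
# typed on a command line.
$secure = Read-Host -Prompt 'Keystore password' -AsSecureString
$env:KS_PASS = [System.Net.NetworkCredential]::new('', $secure).Password
try {
    # Step 3: import the .p12, reusing its password for the new keystore.
    if (-not (Test-Path $keystore)) {
        & $keytool -importkeystore -noprompt -srckeystore $p12 -srcstoretype pkcs12 `
            '-srcstorepass:env' KS_PASS -destkeystore $keystore -deststoretype JKS `
            '-deststorepass:env' KS_PASS
        if ($LASTEXITCODE -ne 0) { throw "keytool -importkeystore failed ($LASTEXITCODE)" }
    }
    # Step 5: take the alias from the listing (assumes English keytool output).
    $listing = & $keytool -list -v -keystore $keystore '-storepass:env' KS_PASS
    if ($LASTEXITCODE -ne 0) { throw "keytool -list failed ($LASTEXITCODE)" }
    $aliases = @($listing | Select-String -Pattern '^Alias name:\s*(.+)$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() })
    if ($aliases.Count -ne 1) {
        throw "Expected exactly one alias, found $($aliases.Count): $($aliases -join ', ')"
    }
    $alias = $aliases[0]
    # Step 6: sign with a timestamp from the TSA used above.
    & $jarsigner -tsa http://timestamp.digicert.com -keystore $keystore `
        '-storepass:env' KS_PASS $jar $alias
    if ($LASTEXITCODE -ne 0) { throw "jarsigner signing failed ($LASTEXITCODE)" }
    # Step 7: with -strict, warnings also produce a non-zero exit code.
    & $jarsigner -verify -strict -verbose -certs $jar
    if ($LASTEXITCODE -ne 0) { throw "jarsigner -verify -strict reported problems ($LASTEXITCODE)" }
    "Signed and verified $jar with alias '$alias'"
}
finally {
    Remove-Item Env:\KS_PASS -ErrorAction SilentlyContinue   # drop the password
}
```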

Chad Duffey

Security Engineer