====== Java code signing ======

In the JDK two tools are included for code signing, ''Keytool'' and ''Jarsigner''. The first tool is used to generate and administer your keys and certificates, which are saved in a "keystore". ''Jarsigner'' is the application used to sign jar files with an alias of your keystore.

On this page I show you how to generate a keystore and how to sign your jars with a self-generated certificate. In a second section I show how to get your keys signed by a CA, in this case I use CAcert.org to get a certificate for my keys, and how to import the result into the keystore.

===== How to generate the minimum things needed for code signing =====

  - Generate a keystore and a pair of public and private keys.<code bash>keytool -genkey -alias <alias></code>This generates a new keystore; by default the keystore is saved in ''.keystore'' in your home folder.\\ You can add ''-keystore <file>'' to save it in another file.\\ ''-genkey'' triggers the generation of a new key pair. You will be asked several questions to identify yourself.\\ ''-alias'' is used to identify a key set, so that you can administer several keys and certificates in one keystore.
  - Now you can sign your jar files with your new keys.<code bash>jarsigner <jarfile> <alias></code>If you have generated the keystore in a different file than the default ''.keystore'', then you have to add the ''-keystore <file>'' option to the command right in front of the jar file.\\ You can add the ''-verbose'' option to see what is going on.
  - To see if everything went well, you can verify your signed jars.<code bash>jarsigner -verify -certs -verbose <jarfile></code>''-verify'' verifies that the jar is signed.\\ ''-certs'' also lists how the contained class files are signed. You need to set the ''-verbose'' option to see this.
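The ''-verify -certs -verbose'' output above has to be read by eye. As an added example (my own code, not one of the JDK tools or part of the original page), the following Java program performs the same check programmatically and fails hard if any entry of the jar is not covered by a signature, which is what ''jarsigner'' reports as a partially signed jar. It assumes the jar path is passed as the first command-line argument.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Programmatic counterpart of "jarsigner -verify -certs -verbose": fails unless every
 *  entry in the jar is covered by a signature, and reports who signed each entry. */
public class JarSignatureCheck {
    /** Manifest and signature files are never signed themselves; every other entry must be. */
    static boolean isSignatureMetadata(String name) {
        return name.equals("META-INF/MANIFEST.MF")
            || (name.startsWith("META-INF/") && name.matches("(?i).*\\.(SF|RSA|DSA|EC)"));
    }

    /** Returns the names of entries without a code signer. A tampered entry (digest
     *  mismatch) makes JarFile throw SecurityException while its bytes are read. */
    public static List<String> unsignedEntries(String jarPath) throws IOException {
        List<String> unsigned = new ArrayList<>();
        try (JarFile jar = new JarFile(jarPath, true)) {           // true = verify signatures
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureMetadata(entry.getName())) continue;
                // Signers are only populated after the entry's bytes have been read and digested
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) { unsigned.add(entry.getName()); continue; }
                X509Certificate leaf = (X509Certificate) signers[0].getSignerCertPath().getCertificates().get(0);
                System.out.println(entry.getName() + " signed by " + leaf.getSubjectX500Principal().getName());
            }
        }
        return unsigned;
    }

    public static void main(String[] args) throws IOException {          // args[0]: path to the jar
        List<String> unsigned = unsignedEntries(args[0]);
        if (!unsigned.isEmpty()) { System.err.println("Unsigned entries: " + unsigned); System.exit(1); }
        // Note: this proves the signatures match the certificate embedded in the jar, not that
        // the certificate chains to a CA you trust; that is a separate check.
        System.out.println("All entries signed");
    }
}
```

Run it as ''java JarSignatureCheck <jarfile>''; an exit code of 1 means at least one class or resource was added without being signed.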
===== What to do to extend your keystore with a certificate from cacert.org =====

To request a certificate with code signing capability, you have to be an [[http://www.cacert.org/policy/CertificationPracticeStatement.php#p1.6|assurer]] who has passed the [[http://wiki.cacert.org/AssurerChallenge|assurer challenge]].

  - Generate a keystore and a pair of public and private keys.<code bash>keytool -genkey -alias <alias></code>This generates a new keystore; by default the keystore is saved in ''.keystore'' in your home folder.\\ You can add ''-keystore <file>'' to save it in another file.\\ ''-genkey'' triggers the generation of a new key pair. You will be asked several questions to identify yourself; there I only entered my email address as name, the other questions I didn't answer.\\ ''-alias'' is used to identify a key set, so that you can administer several keys and certificates in one keystore.
  - Generate a CSR ([[wikipedia>Certificate_signing_request|Certificate signing request]]).<code bash>keytool -certreq -file <csr-file> -alias <alias></code>
  - Now you have to log in on the cacert.org homepage.
  - Generate a new ''client certificate'' for the email address associated with your keys. Check the code signing checkbox to generate a certificate that allows code signing. You also have to enable the advanced options and paste there the content of your generated CSR (''less <csr-file>''). You can include your name as well by checking the name option.
  - Download the created certificate ().
  - Import it into your keystore under the same alias as the key pair.<code bash>keytool -importcert -trustcacerts -file <cert-file> -alias <alias></code>
  - Download the [[http://wiki.cacert.org/CodesigningCert?action=AttachFile&do=view&target=cacerts|cacerts file]] with the root certificate of cacert.org.
  - <code bash>cd /Library/Java/Home/lib/security/</code>
  - <code bash>mv cacerts cacerts.orig</code>
  - <code bash>sudo mv cacerts cacerts.orig</code>
  - <code bash>sudo cp ~/cacerts .</code>
  - With the cacert.org root now in ''cacerts'', ''-trustcacerts'' lets keytool build the chain for the client certificate.<code bash>keytool -importcert -trustcacerts -v -file <cert-file> -alias <alias></code>

==== Weblinks ====

  * [[http://www.ewert-technologies.ca/blog/articles/cross-platform-code-signing|Excellent article about cross-platform code signing]]
  * [[http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/packagingAppsForMac.html]]