Signing Java code using JDK 1.1.8
To digitally sign Java code for Macintosh OS 9 one needs to use
self-signed certificates and the JDK 1.1 signing system. This page
describes how to do this signing on Windows.
It is possible to do the signing on a Macintosh, though some have
difficulty getting the procedure to work. This page focuses on Windows
since many Java developers use Windows as their development environment.
To follow this procedure you need Sun's JDK 1.1.8 or IBM's JDK 1.1.8.
Sun's version is more easily available, but it crashes on Windows XP.
Here are cookbook instructions for creating certificates and signing
using generic names and choices:
- Create new signer MySignerName using javakey.exe from JDK 1.1.8 and
declare the signer to be trusted:
    javakey -cs MySignerName true
- Create public key mypub.pub and private key mypvt.pvt using MySignerName
signer (this takes about 30 seconds):
    javakey -gk MySignerName DSA 512 mypub.pub mypvt.pvt
- Check what numbers javakey has assigned to certificates (before the first
certificate is created none will be listed, meaning you will start
issuer.cert below with the number 1). Test this using:
    javakey -ld
- Create certificate directive file certdirective.txt with the following
content (issuer.name and subject.name need to be the same for a
self-signed certificate, issuer.cert needs to count from previous
certificates, starting from 1):
    issuer.name=MySignerName
    issuer.cert=1
    subject.name=MySignerName
    subject.real.name=MySignerName, Inc.
    subject.org=MySignerName
    subject.org.unit=Secure Web Development
    subject.country=USA
    start.date=20 Nov 2003
    end.date=20 Nov 2009
    serial.number=1001
    out.file=mycert.cer
- Use certdirective.txt to create a certificate (this takes a few
seconds):
    javakey -gc certdirective.txt
- Display the certificate using:
    javakey -dc mycert.cer
- Verify that there is now a certificate using:
    javakey -ld
- Create JAR directive file MyJarDirective.txt with the following contents
(where cert is the number previously assigned, starting with 1 for the
first certificate):
    signer=MySignerName
    cert=1
    chain=0
    out.file=OutputFileName.jar
    signature.file=MYSUNJAR
- A file named identitydb.obj is created (the location is different using
JDKs from different companies).
- Create the JAR file as follows:
    "c:\Program Files\jdk118\bin\jar.exe" -cf Unsigned.jar H netscape\security\*.class *.stf
where the arguments after Unsigned.jar name the files to be included:
files in package H, stubs for Netscape security classes called by the
code, and data files with extension *.stf
- Sign the JAR files as follows:
    "c:\Program Files\jdk118\bin\javakey.exe" -gs MyJarDirective.txt Unsigned.jar
This is very cookbook but it should work and allow you to get started.
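The following Python check is an added example, not part of the original
page or of the JDK: it parses the two directive files from the steps above
and reports inconsistencies (self-signed names, signer name, certificate
numbers, validity period) before javakey is run. The function names, the
signing_date parameter and the "20 Nov 2003" date form are assumptions made
for the illustration.

```python
from datetime import datetime

# Constructed inputs: the two directive files as given in the steps above.
CERT_DIRECTIVE = """issuer.name=MySignerName
issuer.cert=1
subject.name=MySignerName
subject.real.name=MySignerName, Inc.
subject.org=MySignerName
subject.org.unit=Secure Web Development
subject.country=USA
start.date=20 Nov 2003
end.date=20 Nov 2009
serial.number=1001
out.file=mycert.cer"""
JAR_DIRECTIVE = """signer=MySignerName
cert=1
chain=0
out.file=OutputFileName.jar
signature.file=MYSUNJAR"""

def parse_directive(text):
    """Parse key=value lines, skipping blank lines."""
    pairs = (line.partition("=") for line in text.splitlines() if line.strip())
    return {k.strip(): v.strip() for k, _, v in pairs}

def parse_date(value):
    # Assumption: dates use the "20 Nov 2003" form shown on this page.
    return datetime.strptime(value, "%d %b %Y")

def check_directives(cert_text, jar_text, signing_date):
    """Return a list of problems; an empty list means the files are consistent."""
    cert, jar = parse_directive(cert_text), parse_directive(jar_text)
    problems = []
    if cert.get("issuer.name") != cert.get("subject.name"):
        problems.append("issuer.name != subject.name (not self-signed)")
    if jar.get("signer") != cert.get("subject.name"):
        problems.append("JAR signer is not the certificate subject")
    for name, value in (("issuer.cert", cert.get("issuer.cert")), ("cert", jar.get("cert"))):
        if not (value or "").isdigit() or int(value) < 1:
            problems.append(name + " must be a number starting from 1")
    start, end = parse_date(cert["start.date"]), parse_date(cert["end.date"])
    if start >= end:
        problems.append("start.date is not before end.date")
    elif not start <= parse_date(signing_date) <= end:
        problems.append("signing date is outside the certificate validity period")
    return problems

if __name__ == "__main__":
    print(check_directives(CERT_DIRECTIVE, JAR_DIRECTIVE, "1 Dec 2003") or "directives are consistent")
```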
For those interested in platforms where real certificates can be used,
Thawte has some step-by-step instructions that are helpful but not always
complete. For OS X one can use Java 2 signing; one can also use Netscape
signing for Java 1 code running on OS X.
If you have comments or suggestions please contact Mickey Segal. A listing
of many Java resources is at this link.