A published JAR file carries no signature by default, so nobody is likely to trust its source. It is best to digitally sign JAR files, much like signing a paper document with pen and ink, to let readers know who wrote or approved them. The typical use of signed JARs is in Java applet or Web Start deployment; you must sign all JARs with the same signature to avoid security issues.

To sign a JAR file you must have a private key, and Java is able to create a self-signed certificate. The previous tutorial, How Do I Create Keystore with Ant, shows where the keystore we use to sign JAR files comes from; read it first if that is unclear. Here we are not going to use the Java JAR Signing and Verification Tool (jarsigner) to sign JAR files; instead, Ant provides the SignJar task, which does the same thing. It takes a named file in the jar attribute and an optional destDir or signedJar attribute.

Example: signing a JAR file with a keystore in Ant

<signjar jar="${build.classes.dir}/japplet.jar"
  signedjar="${build.output.dir}/japplet.jar"
  alias="${verisign.key.alias}"
  storepass="${verisign.key.storepass}"
  keystore="${verisign.key.store}"
  keypass="${verisign.key.pass}"/>

It signs japplet.jar in the folder ${build.classes.dir} with the alias "${verisign.key.alias}", reading the keystore at ${verisign.key.store}. The output folder, keystore path, keystore password and key password all come from user-defined Ant properties.

<signjar
    alias="asjava" keystore="testkeystore"
    storepass="asjava"
    sigalg="MD5withRSA"
    digestalg="SHA1">
  <path>
    <fileset dir="out" includes="**/*.jar" />
  </path>
</signjar>

In this Ant example we used plain values rather than Ant properties. It signs all the JAR files matching out/**/*.jar using the digest algorithm SHA1 and the signature algorithm MD5withRSA, as specified. The sigalg parameter names the signature algorithm and the digestalg parameter names the digest algorithm, so here the JARs are signed with a different signature algorithm and digest algorithm.

The whole example: Ant creates the keystore and signs the JAR files

<?xml version="1.0"?>
<project name="asjava.com ant to create keystore and sign jars" default="signjars" basedir=".">
    <tstamp/>

    <!-- Output folder, classes folder and the keystore settings shared by genkey and signjar -->
    <property name="build.output.dir"       value="c:/asjava"/>
    <property name="build.classes.dir"      value="c:/oldasjava"/>
    <property name="verisign.key.store"     value="${build.output.dir}/.keystore"/>
    <property name="verisign.key.storepass" value="asjava.com"/>
    <property name="verisign.key.alias"     value="asjava"/>
    <property name="verisign.key.pass"      value="asjava.com"/>

    <target name="signjars">
        <mkdir dir="${build.output.dir}"/>
        <!-- Create the keystore holding a self-signed certificate valid for 365 days -->
        <genkey alias="${verisign.key.alias}" verbose="true"
                storepass="${verisign.key.storepass}"
                keypass="${verisign.key.pass}"
                validity="365"
                keystore="${verisign.key.store}">
            <dname>
                <param name="CN" value="AsJava.com Group"/>
                <param name="OU" value="Jim"/>
                <param name="O"  value="AsJava.com"/>
                <param name="C"  value="US"/>
            </dname>
        </genkey>
        <!-- Sign japplet.jar with the key just generated; the signed copy goes to the output folder -->
        <signjar jar="${build.classes.dir}/japplet.jar"
                 signedjar="${build.output.dir}/japplet.jar"
                 alias="${verisign.key.alias}"
                 storepass="${verisign.key.storepass}"
                 keystore="${verisign.key.store}"
                 keypass="${verisign.key.pass}"/>
    </target>
</project>

To run the above Ant script, use the command ant or ant signjars. The output looks like:

C:\temp>ant
Buildfile: build.xml

signjars:
[genkey] Generating Key for asjava
[genkey] Generating 1,024 bit DSA key pair and self-signed certificate (SHA1WithDSA)
[genkey]     for: CN=AsJava.com Group, OU=Jim, O=AsJava.com, C=US
[genkey] [Storing c:/asjava/.keystore]
[signjar] Signing JAR: c:\oldasjava\japplet.jar to c:\asjava\japplet.jar as asjava
[signjar] Enter Passphrase for keystore:

BUILD SUCCESSFUL
Total time: 1 second

How do I check that it has been signed in Ant?

Unpack the signed JAR and you will find additional files (e.g. ASJAVA.DSA, ASJAVA.SF) newly added to it, which shows that the JAR has been signed successfully.
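As an added example (not the tutorial's own code), this Python script does the "unpack and look" check programmatically on a constructed in-memory jar: it confirms the META-INF .SF file and its .DSA/.RSA/.EC signature block are both present and reports which digest algorithm the .SF declares, flagging MD5 and SHA1 since both are considered weak today. The alias ASJAVA, the entry name japplet/Main.class and all digest values are constructed placeholders; the script does not verify the signature cryptographically, which still needs jarsigner -verify.

```python
import io
import re
import zipfile

# Digest algorithms to flag in review (a constructed policy, not an Ant setting).
WEAK_DIGESTS = {"MD5", "SHA1", "SHA-1"}
SIGNATURE_BLOCK_SUFFIXES = (".DSA", ".RSA", ".EC")
# .SF headers look like "SHA-256-Digest-Manifest: <base64>"; capture the algorithm.
DIGEST_HEADER = re.compile(r"^([A-Za-z0-9-]+?)-Digest[A-Za-z-]*:", re.M)


def inspect_signed_jar(jar_bytes):
    """Report which signature files a jar carries and which digest its .SF declares.

    This is the "unpack and look" check done in code: a signed jar has a
    META-INF/<ALIAS>.SF file plus a matching .DSA/.RSA/.EC signature block.
    It does not verify the signature itself; that needs `jarsigner -verify`.
    """
    report = {"signature_files": [], "block_files": [], "digest_algorithms": set()}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if not upper.startswith("META-INF/"):
                continue
            if upper.endswith(".SF"):
                report["signature_files"].append(name)
                text = zf.read(name).decode("utf-8", errors="replace")
                report["digest_algorithms"].update(DIGEST_HEADER.findall(text))
            elif upper.endswith(SIGNATURE_BLOCK_SUFFIXES):
                report["block_files"].append(name)
    report["signed"] = bool(report["signature_files"] and report["block_files"])
    report["weak"] = any(a.upper() in WEAK_DIGESTS for a in report["digest_algorithms"])
    return report


def build_sample_jar(digest_alg, signed=True):
    """Construct an in-memory jar laid out like one signed with alias 'asjava'.
    The digests and the signature block are placeholder bytes, not real values."""
    sf = ("Signature-Version: 1.0\r\n%s-Digest-Manifest: AAAA\r\n\r\n"
          "Name: japplet/Main.class\r\n%s-Digest: BBBB\r\n\r\n") % (digest_alg, digest_alg)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("japplet/Main.class", b"\xca\xfe\xba\xbe")  # stand-in class file
        if signed:
            zf.writestr("META-INF/ASJAVA.SF", sf)
            zf.writestr("META-INF/ASJAVA.DSA", b"placeholder PKCS#7 signature block")
    return buf.getvalue()
```

Run inspect_signed_jar on the bytes of a real signed jar (open(path, "rb").read()) to get the same report for your own build output.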