SignJar

Description

Signing a jar allows users to authenticate the publisher.

Signs JAR files with the jarsigner command line tool. It will take a named file in the jar attribute, and an optional destDir or signedJar attribute. Nested paths are also supported; here only an (optional) destDir is allowed. If a destination directory or explicit JAR file name is not provided, JARs are signed in place.

Dependency rules

Parameters

Attribute Description Required
jar the jar file to sign Yes, unless nested paths have been used
alias the alias to sign under Yes
storepass password for keystore integrity. Ant will not use the -storepass command line argument but send the password to jarsigner when it prompts for it. Yes
keystore keystore location No
storetype keystore type No
keypass password for private key (if different) No
sigfile name of .SF/.DSA file No
signedjar name of signed JAR file. This can only be set when the jar attribute is set. No
verbose (true|false) verbose output when signing No; default false
strict (true|false) strict checking when signing.
since Ant 1.9.1.
No; default false
internalsf (true|false) include the .SF file inside the signature block No; default false
sectionsonly (true|false) don't compute hash of entire manifest No; default false
lazy flag to control whether the presence of a signature file means a JAR is signed. This is only used when the target JAR matches the source JAR No; default false
maxmemory Specifies the maximum memory the jarsigner JVM will use. Specified in the style of standard Java memory specs (e.g. 128m = 128 MBytes) No
preservelastmodified Give the signed files the same last modified time as the original jar files. No; default false.
tsaurl URL for a timestamp authority for timestamped JAR files in Java 5+ No
tsacert alias in the keystore for a timestamp authority for timestamped JAR files in Java 5+ No
tsaproxyhost proxy host to be used when connecting to TSA server No
tsaproxyport proxy port to be used when connecting to TSA server No
executable Specify a particular jarsigner executable to use in place of the default binary (found in the same JDK as Apache Ant is running in).
Must support the same command line options as the Sun JDK jarsigner command. since Ant 1.8.0.
No
force Whether to force signing of the jar file even if it doesn't seem to be out of date or already signed. since Ant 1.8.0. No; default false
sigalg name of signature algorithm No
digestalg name of digest algorithm No
tsadigestalg name of TSA digest algorithm. since Ant 1.10.2 No
providername name of a cryptographic service provider's name when listed in the security properties file. since Ant 1.10.6. No
providerclass name of a cryptographic service provider's master class file when the service provider is not listed in the security properties file. since Ant 1.10.6. No
providerarg Represents an optional string input argument for the constructor of provider_class_name. Ignored if providerclass is not set. since Ant 1.10.6. No

Parameters as nested elements

Attribute Description Required
path path of JAR files to sign. since Ant 1.7 No
fileset fileset of JAR files to sign. No
mapper A mapper to rename jar files during signing No, and only one can be supplied
sysproperty JVM system properties, with the syntax of Ant environment variables No, and only one can be supplied
arg Use this to specify a keytool command line argument not explicitly supported via an attribute. since Ant 1.10.6. No

Examples

For instructions on generating a code signing certificate, see the keytool documentation and/or instructions from your certificate authority.

Sign the ant.jar with alias apache-group accessing the keystore and private key via secret password.

<signjar jar="${dist}/lib/ant.jar"
         alias="apache-group" storepass="secret"/>

Sign all JAR files matching the dist/**/*.jar pattern, copying them to the directory signed afterwards. The flatten mapper means that they will all be copied to this directory, not to subdirectories.

<signjar destDir="signed"
         alias="testonly" keystore="testkeystore"
         storepass="apacheant"
         preservelastmodified="true">
  <path>
    <fileset dir="dist" includes="**/*.jar"/>
  </path>
  <flattenmapper/>
</signjar>

Sign all the JAR files in dist/**/*.jar in-situ. Lazy signing is used, so the files will only be signed if they are not already signed.

<signjar alias="testonly" keystore="testkeystore"
         storepass="apacheant"
         lazy="true">
  <path>
    <fileset dir="dist" includes="**/*.jar"/>
  </path>
</signjar>

Sign all the JAR files in dist/**/*.jar using the digest algorithm SHA1 and the signature algorithm MD5withRSA. This is especially useful when you want to use the JDK 7 jarsigner (which uses SHA256 and SHA256withRSA as default) to create signed jars that will be deployed on platforms not supporting SHA256 and SHA256withRSA.

<signjar alias="testonly" keystore="testkeystore"
         storepass="apacheant"
         sigalg="MD5withRSA"
         digestalg="SHA1">
  <path>
    <fileset dir="dist" includes="**/*.jar"/>
  </path>
</signjar>

About timestamp signing

Timestamps record the date and time that a signature took place, allowing the signature to be verified as of that point in time. With trusted timestamping, users can verify that signing occurred before a certificate's expiration or revocation. Without this timestamp, users can only verify the signature as of their current date.

Timestamped JAR files were introduced in Java 5; they are supported since Ant 1.7. Unauthenticated proxies can be used to access TSAs since Ant 1.9.5.

Common public timestamp authorities include