
Signing a jar with jarsigner & keytool

멜번초이 2014. 10. 31. 11:48

When you build a jar file and run it from a web browser, the browser checks whether the program has been certified by a recognized certificate authority. If there is no signature from a recognized authority, an alert window pops up. During development it is not practical to obtain a publicly trusted certificate, so as a stopgap you have to sign the program yourself in order to run it. This post summarizes how to sign a jar file.


References:
http://docs.oracle.com/javase/tutorial/security/toolsign/step3.html
http://docs.oracle.com/javase/tutorial/security/toolsign/step4.html
http://docs.oracle.com/javase/tutorial/deployment/jar/signing.html



Generate Keys

If a code signer does not yet have a suitable private key for signing the code, the key must first be generated, along with a corresponding public key that can be used by the code receiver's runtime system to verify the signature.

Since this lesson assumes that you don't yet have such keys, you are going to create a keystore named examplestore and create an entry with a newly generated public/private key pair (with the public key in a certificate).


A key can be generated with the keytool program included in the JDK. The generated key is kept in a keystore. This keystore file is stored only temporarily on the local hard disk, so once development is finished you should keep a key obtained through a public certificate authority instead.


To generate a key and keep it in a keystore named examplestore, type the following command in a command window.

keytool -genkey -alias signFiles -keystore examplestore

When asked what the keystore password should be, enter it. It then asks for the rest of the key owner's information; just press Enter. Finally it asks for the key password; if you want it to be the same as the keystore password, just press Enter.

When it completes normally, a keystore file named examplestore has been created in the current directory, and the key is stored inside that file.


Subparts of the keytool Command


Let's look at what each of the keytool subparts mean.

  • The command for generating keys is -genkey.
  • The -alias signFiles subpart indicates the alias to be used in the future to refer to the keystore entry containing the keys that will be generated.
  • The -keystore examplestore subpart indicates the name (and optionally path) of the keystore you are creating or already using.
  • The storepass value that you are prompted for specifies the keystore password.
  • The keypass value that you are prompted for specifies a password for the private key about to be generated. You will always need this password in order to access the keystore entry containing that key. The entry doesn't have to have its own password. When you are prompted for the key password, you are given the option of letting it be the same as the keystore password.

Note: For security reasons you should not set your key or keystore passwords on the command line, because they can be intercepted more easily that way.




Now you are ready to sign the JAR file. Type the following in your command window to sign the JAR file Count.jar, using the private key in the keystore entry aliased by signFiles, and to name the resulting signed JAR file sCount.jar:

jarsigner -keystore examplestore -signedjar sCount.jar Count.jar signFiles 

You will be prompted for the store password and the private key password.


Note: The jarsigner tool extracts the certificate from the keystore entry whose alias is signFiles and attaches it to the generated signature of the signed JAR file.



Time stamping the signature is recommended, and a warning is shown if the signature is not time stamped. The time stamp is used to verify that the certificate used to sign the JAR file was valid at the time of signing. See Signing JAR Files for information on the jarsigner options for including a time stamp with the signature.


Jarsigner Command Options

-keystore url
    Specifies a keystore to be used if you don't want to use the .keystore default database.
-storepass password
    Allows you to enter the keystore's password on the command line rather than be prompted for it.
-keypass password
    Allows you to enter your alias's password on the command line rather than be prompted for it.
-sigfile file
    Specifies the base name for the .SF and .DSA files if you don't want the base name to be taken from your alias. file must be composed only of upper case letters (A-Z), numerals (0-9), hyphen (-), and underscore (_).
-signedjar file
    Specifies the name of the signed JAR file to be generated if you don't want the original unsigned file to be overwritten with the signed file.
-tsa url
    Generates a time stamp for the signature using the Time Stamping Authority (TSA) identified by the URL.
-tsacert alias
    Generates a time stamp for the signature using the TSA's public key certificate identified by alias.
-altsigner class
    Indicates that an alternative signing mechanism be used to time stamp the signature. The fully-qualified class name identifies the class used.
-altsignerpath classpathlist
    Provides the path to the class identified by the altsigner option and any JAR files that the class depends on.


Example


Let's look at a couple of examples of signing a JAR file with the Jarsigner tool. In these examples we will assume:

  • your alias is "johndoe".
  • the keystore you want to use is in a file named "mykeys" in the current working directory.
  • the keystore's password is "abc123".
  • the TSA that you want to use to time stamp the signature is located at http://example.tsa.url

Under these assumptions, you could use this command to sign a JAR file named app.jar:

jarsigner -keystore mykeys -storepass abc123 -tsa http://example.tsa.url app.jar johndoe

You will be prompted for the keystore password. Because this command doesn't make use of the -sigfile option, the .SF and .DSA files it creates would be named JOHNDOE.SF and JOHNDOE.DSA. Because the command doesn't use the -signedjar option, the resulting signed file will overwrite the original version of app.jar.

Let's look at what would happen if you used a different combination of options:

jarsigner -keystore mykeys -sigfile SIG -signedjar SignedApp.jar 
          -tsacert testalias app.jar johndoe

This time, you would be prompted to enter the passwords for both the keystore and your alias because the passwords aren't specified on the command line. The signature and signature block files would be named SIG.SF and SIG.DSA, respectively, and the signed JAR file SignedApp.jar would be placed in the current directory. The original unsigned JAR file would remain unchanged. Also, the signature would be time stamped with the TSA's public key certificate identified as testalias.
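To see what the signing described above produces from the verifying side, here is an added Python example (not from the original post or the Oracle tutorial). It builds a constructed JAR carrying the files that signing with alias johndoe adds (META-INF/JOHNDOE.SF and JOHNDOE.DSA), checks that the per-entry SHA-256 digests in MANIFEST.MF and the manifest digest in the .SF file match the stored content, and shows that an entry changed after signing is detected. The .DSA content is a placeholder; the signature block itself is not cryptographically verified here.

```python
import base64
import hashlib
import io
import zipfile

# Constructed stand-in for a class file; not real bytecode.
CLASS_BYTES = b"\xca\xfe\xba\xbe" + b"\x00" * 12


def _b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def build_manifest(entries: dict) -> bytes:
    # One "Name:/SHA-256-Digest:" section per entry, as jarsigner writes it.
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {_b64_sha256(data)}", ""]
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def build_sf(manifest: bytes) -> bytes:
    # The .SF file carries a digest of the whole manifest.
    lines = ["Signature-Version: 1.0", f"SHA-256-Digest-Manifest: {_b64_sha256(manifest)}", ""]
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def build_signed_jar(alias: str, class_bytes: bytes = CLASS_BYTES, manifest: bytes = None) -> bytes:
    # Constructed signed JAR; passing a stale manifest simulates tampering after signing.
    entries = {"Count.class": class_bytes}
    manifest = manifest or build_manifest(entries)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr(f"META-INF/{alias.upper()}.SF", build_sf(manifest))
        zf.writestr(f"META-INF/{alias.upper()}.DSA", b"placeholder-signature-block")  # not a real block
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def parse_sections(text: bytes) -> list:
    # Split a manifest-style file into dicts, one per blank-line-separated section.
    sections, current = [], {}
    for line in text.decode("utf-8").splitlines():
        if not line:
            if current:
                sections.append(current)
            current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    return sections + ([current] if current else [])


def check_signed_jar(jar_bytes: bytes) -> dict:
    # Structural check only: signer names, entry digests, manifest digest, signature block present.
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        manifest = zf.read("META-INF/MANIFEST.MF")
        signers = [n[len("META-INF/"):-3] for n in names if n.startswith("META-INF/") and n.endswith(".SF")]
        digests_ok = all(sec.get("SHA-256-Digest") == _b64_sha256(zf.read(sec["Name"]))
                         for sec in parse_sections(manifest) if "Name" in sec)
        sf_ok = all(parse_sections(zf.read(f"META-INF/{s}.SF"))[0].get("SHA-256-Digest-Manifest")
                    == _b64_sha256(manifest) for s in signers)
        blocks_ok = all(any(f"META-INF/{s}.{ext}" in names for ext in ("DSA", "RSA", "EC")) for s in signers)
    return {"signers": signers, "digests_ok": digests_ok, "sf_ok": sf_ok, "blocks_ok": blocks_ok}
```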

