jdk/src/linux/doc/man/jarsigner.1
author valeriep
Mon, 31 Mar 2008 16:12:37 -0700
changeset 296 a26e4ea2ca63
parent 2 90ce3da70b43
child 2692 345bc8d65b19
permissions -rw-r--r--
6682411: JCK test failed w/ ArrayIndexOutOfBoundException (-1) when decrypting with no data Summary: Fixed PKCS5Padding class with additional check and throw BadPaddingException if the check failed Reviewed-by: wetmore
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
2
90ce3da70b43 Initial load
duke
parents:
diff changeset
     1
.'" t
90ce3da70b43 Initial load
duke
parents:
diff changeset
     2
."
90ce3da70b43 Initial load
duke
parents:
diff changeset
     3
." Copyright 2000-2006 Sun Microsystems, Inc.  All Rights Reserved.
90ce3da70b43 Initial load
duke
parents:
diff changeset
     4
." DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
90ce3da70b43 Initial load
duke
parents:
diff changeset
     5
."
90ce3da70b43 Initial load
duke
parents:
diff changeset
     6
." This code is free software; you can redistribute it and/or modify it
90ce3da70b43 Initial load
duke
parents:
diff changeset
     7
." under the terms of the GNU General Public License version 2 only, as
90ce3da70b43 Initial load
duke
parents:
diff changeset
     8
." published by the Free Software Foundation.
90ce3da70b43 Initial load
duke
parents:
diff changeset
     9
."
90ce3da70b43 Initial load
duke
parents:
diff changeset
    10
." This code is distributed in the hope that it will be useful, but WITHOUT
90ce3da70b43 Initial load
duke
parents:
diff changeset
    11
." ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
90ce3da70b43 Initial load
duke
parents:
diff changeset
    12
." FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
90ce3da70b43 Initial load
duke
parents:
diff changeset
    13
." version 2 for more details (a copy is included in the LICENSE file that
90ce3da70b43 Initial load
duke
parents:
diff changeset
    14
." accompanied this code).
90ce3da70b43 Initial load
duke
parents:
diff changeset
    15
."
90ce3da70b43 Initial load
duke
parents:
diff changeset
    16
." You should have received a copy of the GNU General Public License version
90ce3da70b43 Initial load
duke
parents:
diff changeset
    17
." 2 along with this work; if not, write to the Free Software Foundation,
90ce3da70b43 Initial load
duke
parents:
diff changeset
    18
." Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    19
."
90ce3da70b43 Initial load
duke
parents:
diff changeset
    20
." Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
90ce3da70b43 Initial load
duke
parents:
diff changeset
    21
." CA 95054 USA or visit www.sun.com if you need additional information or
90ce3da70b43 Initial load
duke
parents:
diff changeset
    22
." have any questions.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    23
."
90ce3da70b43 Initial load
duke
parents:
diff changeset
    24
." `
90ce3da70b43 Initial load
duke
parents:
diff changeset
    25
.TH jarsigner 1 "07 Aug 2006"
90ce3da70b43 Initial load
duke
parents:
diff changeset
    26
." Generated by html2man
90ce3da70b43 Initial load
duke
parents:
diff changeset
    27
90ce3da70b43 Initial load
duke
parents:
diff changeset
    28
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
    29
.SH NAME
90ce3da70b43 Initial load
duke
parents:
diff changeset
    30
jarsigner \- JAR Signing and Verification Tool
90ce3da70b43 Initial load
duke
parents:
diff changeset
    31
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
    32
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
    33
90ce3da70b43 Initial load
duke
parents:
diff changeset
    34
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
    35
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
    36
Generates signatures for Java ARchive (JAR) files, and verifies the signatures of signed JAR files.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    37
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
    38
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
    39
.SH "SYNOPSIS"
90ce3da70b43 Initial load
duke
parents:
diff changeset
    40
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
    41
90ce3da70b43 Initial load
duke
parents:
diff changeset
    42
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
    43
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
    44
\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
    45
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
    46
\fP\f3jarsigner\fP [ options ] jar\-file alias
90ce3da70b43 Initial load
duke
parents:
diff changeset
    47
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
    48
\f3jarsigner\fP \-verify [ options ] jar\-file 
90ce3da70b43 Initial load
duke
parents:
diff changeset
    49
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
    50
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
    51
90ce3da70b43 Initial load
duke
parents:
diff changeset
    52
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
    53
.SH "DESCRIPTION"
90ce3da70b43 Initial load
duke
parents:
diff changeset
    54
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
    55
90ce3da70b43 Initial load
duke
parents:
diff changeset
    56
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
    57
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
    58
The \f3jarsigner\fP tool is used for two purposes:
90ce3da70b43 Initial load
duke
parents:
diff changeset
    59
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
    60
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
    61
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
    62
1.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    63
to sign Java ARchive (JAR) files, and 
90ce3da70b43 Initial load
duke
parents:
diff changeset
    64
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
    65
2.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    66
to verify the signatures and integrity of signed JAR files. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
    67
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
    68
90ce3da70b43 Initial load
duke
parents:
diff changeset
    69
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
    70
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
    71
The JAR feature enables the packaging of class files, images, sounds, and other digital data in a single file for faster and easier distribution. A tool named \f3jar\fP enables developers to produce JAR files. (Technically, any zip file can also be considered a JAR file, although when created by \f3jar\fP or processed by \f3jarsigner\fP, JAR files also contain a META\-INF/MANIFEST.MF file.)
90ce3da70b43 Initial load
duke
parents:
diff changeset
    72
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
    73
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
    74
A \f2digital signature\fP is a string of bits that is computed from some data (the data being "signed") and the private key of an entity (a person, company, etc.). Like a handwritten signature, a digital signature has many useful characteristics:
90ce3da70b43 Initial load
duke
parents:
diff changeset
    75
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
    76
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
    77
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    78
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
    79
Its authenticity can be verified, via a computation that uses the public key corresponding to the private key used to generate the signature. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
    80
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    81
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
    82
It cannot be forged, assuming the private key is kept secret. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
    83
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    84
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
    85
It is a function of the data signed and thus can't be claimed to be the signature for other data as well. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
    86
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
    87
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
    88
The signed data cannot be changed; if it is, the signature will no longer verify as being authentic. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
    89
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
    90
90ce3da70b43 Initial load
duke
parents:
diff changeset
    91
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
    92
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
    93
In order for an entity's signature to be generated for a file, the entity must first have a public/private key pair associated with it, and also one or more certificates authenticating its public key. A \f2certificate\fP is a digitally signed statement from one entity, saying that the public key of some other entity has a particular value.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    94
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
    95
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
    96
\f3jarsigner\fP uses key and certificate information from a \f2keystore\fP to generate digital signatures for JAR files. A keystore is a database of private keys and their associated X.509 certificate chains authenticating the corresponding public keys. The \f3keytool\fP utility is used to create and administer keystores.
90ce3da70b43 Initial load
duke
parents:
diff changeset
    97
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
    98
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
    99
\f3jarsigner\fP uses an entity's private key to generate a signature. The signed JAR file contains, among other things, a copy of the certificate from the keystore for the public key corresponding to the private key used to sign the file. \f3jarsigner\fP can verify the digital signature of the signed JAR file using the certificate inside it (in its signature block file).
90ce3da70b43 Initial load
duke
parents:
diff changeset
   100
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   101
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   102
Starting in J2SE 5.0, \f3jarsigner\fP can generate signatures that include a timestamp, thus enabling systems/deployer (including Java Plug\-in) to check whether the JAR file was signed while the signing certificate was still valid. In addition, APIs were added in J2SE 5.0 to allow applications to obtain the timestamp information.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   103
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   104
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   105
At this time, \f3jarsigner\fP can only sign JAR files created by the SDK \f3jar\fP tool or zip files. (JAR files are the same as zip files, except they also have a META\-INF/MANIFEST.MF file. Such a file will automatically be created when \f3jarsigner\fP signs a zip file.)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   106
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   107
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   108
The default \f3jarsigner\fP behavior is to \f2sign\fP a JAR (or zip) file. Use the \f2\-verify\fP option to instead have it \f2verify\fP a signed JAR file.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   109
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   110
.SS 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   111
Compatibility with JDK 1.1
90ce3da70b43 Initial load
duke
parents:
diff changeset
   112
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   113
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   114
90ce3da70b43 Initial load
duke
parents:
diff changeset
   115
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   116
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   117
The \f3keytool\fP and \f3jarsigner\fP tools completely replace the \f3javakey\fP tool provided in JDK 1.1. These new tools provide more features than \f3javakey\fP, including the ability to protect the keystore and private keys with passwords, and the ability to verify signatures in addition to generating them.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   118
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   119
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   120
The new keystore architecture replaces the identity database that \f3javakey\fP created and managed. There is no backwards compatibility between the keystore format and the database format used by \f3javakey\fP in 1.1. However,
90ce3da70b43 Initial load
duke
parents:
diff changeset
   121
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   122
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   123
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   124
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
   125
It is possible to import the information from an identity database into a keystore, via the \f3keytool\fP \f2\-identitydb\fP command. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   126
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   127
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
   128
\f3jarsigner\fP can sign JAR files also previously signed using \f3javakey\fP. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   129
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   130
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
   131
\f3jarsigner\fP can verify JAR files signed using \f3javakey\fP. Thus, it recognizes and can work with signer aliases that are from a JDK 1.1 identity database rather than a Java 2 SDK keystore. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   132
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
   133
90ce3da70b43 Initial load
duke
parents:
diff changeset
   134
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   135
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   136
The following table explains how JAR files that were signed in JDK 1.1.x are treated in the Java 2 platform.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   137
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   138
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   139
.TS
90ce3da70b43 Initial load
duke
parents:
diff changeset
   140
.if \n+(b.=1 .nr d. \n(.c-\n(c.-1
90ce3da70b43 Initial load
duke
parents:
diff changeset
   141
.de 35
90ce3da70b43 Initial load
duke
parents:
diff changeset
   142
.ps \n(.s
90ce3da70b43 Initial load
duke
parents:
diff changeset
   143
.vs \n(.vu
90ce3da70b43 Initial load
duke
parents:
diff changeset
   144
.in \n(.iu
90ce3da70b43 Initial load
duke
parents:
diff changeset
   145
.if \n(.u .fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
   146
.if \n(.j .ad
90ce3da70b43 Initial load
duke
parents:
diff changeset
   147
.if \n(.j=0 .na
90ce3da70b43 Initial load
duke
parents:
diff changeset
   148
..
90ce3da70b43 Initial load
duke
parents:
diff changeset
   149
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
   150
.nr #~ 0
90ce3da70b43 Initial load
duke
parents:
diff changeset
   151
.if n .nr #~ 0.6n
90ce3da70b43 Initial load
duke
parents:
diff changeset
   152
.ds #d .d
90ce3da70b43 Initial load
duke
parents:
diff changeset
   153
.if \(ts\n(.z\(ts\(ts .ds #d nl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   154
.fc
90ce3da70b43 Initial load
duke
parents:
diff changeset
   155
.nr 33 \n(.s
90ce3da70b43 Initial load
duke
parents:
diff changeset
   156
.rm 80 81 82 83 84
90ce3da70b43 Initial load
duke
parents:
diff changeset
   157
.nr 34 \n(.lu
90ce3da70b43 Initial load
duke
parents:
diff changeset
   158
.eo
90ce3da70b43 Initial load
duke
parents:
diff changeset
   159
.am 82
90ce3da70b43 Initial load
duke
parents:
diff changeset
   160
.br
90ce3da70b43 Initial load
duke
parents:
diff changeset
   161
.di a+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   162
.35
90ce3da70b43 Initial load
duke
parents:
diff changeset
   163
.ft \n(.f
90ce3da70b43 Initial load
duke
parents:
diff changeset
   164
.ll \n(34u*1u/6u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   165
.if \n(.l<\n(82 .ll \n(82u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   166
.in 0
90ce3da70b43 Initial load
duke
parents:
diff changeset
   167
\f3Trusted Identity imported into Java 2 Platform keystore from 1.1 database (4)\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   168
.br
90ce3da70b43 Initial load
duke
parents:
diff changeset
   169
.di
90ce3da70b43 Initial load
duke
parents:
diff changeset
   170
.nr a| \n(dn
90ce3da70b43 Initial load
duke
parents:
diff changeset
   171
.nr a- \n(dl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   172
..
90ce3da70b43 Initial load
duke
parents:
diff changeset
   173
.ec \
90ce3da70b43 Initial load
duke
parents:
diff changeset
   174
.eo
90ce3da70b43 Initial load
duke
parents:
diff changeset
   175
.am 83
90ce3da70b43 Initial load
duke
parents:
diff changeset
   176
.br
90ce3da70b43 Initial load
duke
parents:
diff changeset
   177
.di b+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   178
.35
90ce3da70b43 Initial load
duke
parents:
diff changeset
   179
.ft \n(.f
90ce3da70b43 Initial load
duke
parents:
diff changeset
   180
.ll \n(34u*1u/6u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   181
.if \n(.l<\n(83 .ll \n(83u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   182
.in 0
90ce3da70b43 Initial load
duke
parents:
diff changeset
   183
\f3Policy File grants privileges to Identity/Alias\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   184
.br
90ce3da70b43 Initial load
duke
parents:
diff changeset
   185
.di
90ce3da70b43 Initial load
duke
parents:
diff changeset
   186
.nr b| \n(dn
90ce3da70b43 Initial load
duke
parents:
diff changeset
   187
.nr b- \n(dl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   188
..
90ce3da70b43 Initial load
duke
parents:
diff changeset
   189
.ec \
90ce3da70b43 Initial load
duke
parents:
diff changeset
   190
.eo
90ce3da70b43 Initial load
duke
parents:
diff changeset
   191
.am 84
90ce3da70b43 Initial load
duke
parents:
diff changeset
   192
.br
90ce3da70b43 Initial load
duke
parents:
diff changeset
   193
.di c+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   194
.35
90ce3da70b43 Initial load
duke
parents:
diff changeset
   195
.ft \n(.f
90ce3da70b43 Initial load
duke
parents:
diff changeset
   196
.ll \n(34u*1u/6u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   197
.if \n(.l<\n(84 .ll \n(84u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   198
.in 0
90ce3da70b43 Initial load
duke
parents:
diff changeset
   199
Default privileges granted to all code.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   200
.br
90ce3da70b43 Initial load
duke
parents:
diff changeset
   201
.di
90ce3da70b43 Initial load
duke
parents:
diff changeset
   202
.nr c| \n(dn
90ce3da70b43 Initial load
duke
parents:
diff changeset
   203
.nr c- \n(dl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   204
..
90ce3da70b43 Initial load
duke
parents:
diff changeset
   205
.ec \
90ce3da70b43 Initial load
duke
parents:
diff changeset
   206
.eo
90ce3da70b43 Initial load
duke
parents:
diff changeset
   207
.am 84
90ce3da70b43 Initial load
duke
parents:
diff changeset
   208
.br
90ce3da70b43 Initial load
duke
parents:
diff changeset
   209
.di d+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   210
.35
90ce3da70b43 Initial load
duke
parents:
diff changeset
   211
.ft \n(.f
90ce3da70b43 Initial load
duke
parents:
diff changeset
   212
.ll \n(34u*1u/6u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   213
.if \n(.l<\n(84 .ll \n(84u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   214
.in 0
90ce3da70b43 Initial load
duke
parents:
diff changeset
   215
Default privileges granted to all code.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   216
.br
90ce3da70b43 Initial load
duke
parents:
diff changeset
   217
.di
90ce3da70b43 Initial load
duke
parents:
diff changeset
   218
.nr d| \n(dn
90ce3da70b43 Initial load
duke
parents:
diff changeset
   219
.nr d- \n(dl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   220
..
90ce3da70b43 Initial load
duke
parents:
diff changeset
   221
.ec \
90ce3da70b43 Initial load
duke
parents:
diff changeset
   222
.eo
90ce3da70b43 Initial load
duke
parents:
diff changeset
   223
.am 84
90ce3da70b43 Initial load
duke
parents:
diff changeset
   224
.br
90ce3da70b43 Initial load
duke
parents:
diff changeset
   225
.di e+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   226
.35
90ce3da70b43 Initial load
duke
parents:
diff changeset
   227
.ft \n(.f
90ce3da70b43 Initial load
duke
parents:
diff changeset
   228
.ll \n(34u*1u/6u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   229
.if \n(.l<\n(84 .ll \n(84u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   230
.in 0
90ce3da70b43 Initial load
duke
parents:
diff changeset
   231
Default privileges granted to all code.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   232
.br
90ce3da70b43 Initial load
duke
parents:
diff changeset
   233
.di
90ce3da70b43 Initial load
duke
parents:
diff changeset
   234
.nr e| \n(dn
90ce3da70b43 Initial load
duke
parents:
diff changeset
   235
.nr e- \n(dl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   236
..
90ce3da70b43 Initial load
duke
parents:
diff changeset
   237
.ec \
90ce3da70b43 Initial load
duke
parents:
diff changeset
   238
.eo
90ce3da70b43 Initial load
duke
parents:
diff changeset
   239
.am 84
90ce3da70b43 Initial load
duke
parents:
diff changeset
   240
.br
90ce3da70b43 Initial load
duke
parents:
diff changeset
   241
.di f+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   242
.35
90ce3da70b43 Initial load
duke
parents:
diff changeset
   243
.ft \n(.f
90ce3da70b43 Initial load
duke
parents:
diff changeset
   244
.ll \n(34u*1u/6u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   245
.if \n(.l<\n(84 .ll \n(84u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   246
.in 0
90ce3da70b43 Initial load
duke
parents:
diff changeset
   247
Default privileges granted to all code. (3)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   248
.br
90ce3da70b43 Initial load
duke
parents:
diff changeset
   249
.di
90ce3da70b43 Initial load
duke
parents:
diff changeset
   250
.nr f| \n(dn
90ce3da70b43 Initial load
duke
parents:
diff changeset
   251
.nr f- \n(dl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   252
..
90ce3da70b43 Initial load
duke
parents:
diff changeset
   253
.ec \
90ce3da70b43 Initial load
duke
parents:
diff changeset
   254
.eo
90ce3da70b43 Initial load
duke
parents:
diff changeset
   255
.am 84
90ce3da70b43 Initial load
duke
parents:
diff changeset
   256
.br
90ce3da70b43 Initial load
duke
parents:
diff changeset
   257
.di g+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   258
.35
90ce3da70b43 Initial load
duke
parents:
diff changeset
   259
.ft \n(.f
90ce3da70b43 Initial load
duke
parents:
diff changeset
   260
.ll \n(34u*1u/6u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   261
.if \n(.l<\n(84 .ll \n(84u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   262
.in 0
90ce3da70b43 Initial load
duke
parents:
diff changeset
   263
Default privileges granted to all code. (1,3)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   264
.br
90ce3da70b43 Initial load
duke
parents:
diff changeset
   265
.di
90ce3da70b43 Initial load
duke
parents:
diff changeset
   266
.nr g| \n(dn
90ce3da70b43 Initial load
duke
parents:
diff changeset
   267
.nr g- \n(dl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   268
..
90ce3da70b43 Initial load
duke
parents:
diff changeset
   269
.ec \
90ce3da70b43 Initial load
duke
parents:
diff changeset
   270
.eo
90ce3da70b43 Initial load
duke
parents:
diff changeset
   271
.am 84
90ce3da70b43 Initial load
duke
parents:
diff changeset
   272
.br
90ce3da70b43 Initial load
duke
parents:
diff changeset
   273
.di h+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   274
.35
90ce3da70b43 Initial load
duke
parents:
diff changeset
   275
.ft \n(.f
90ce3da70b43 Initial load
duke
parents:
diff changeset
   276
.ll \n(34u*1u/6u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   277
.if \n(.l<\n(84 .ll \n(84u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   278
.in 0
90ce3da70b43 Initial load
duke
parents:
diff changeset
   279
Default privileges granted to all code plus privileges granted in policy file.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   280
.br
90ce3da70b43 Initial load
duke
parents:
diff changeset
   281
.di
90ce3da70b43 Initial load
duke
parents:
diff changeset
   282
.nr h| \n(dn
90ce3da70b43 Initial load
duke
parents:
diff changeset
   283
.nr h- \n(dl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   284
..
90ce3da70b43 Initial load
duke
parents:
diff changeset
   285
.ec \
90ce3da70b43 Initial load
duke
parents:
diff changeset
   286
.eo
90ce3da70b43 Initial load
duke
parents:
diff changeset
   287
.am 84
90ce3da70b43 Initial load
duke
parents:
diff changeset
   288
.br
90ce3da70b43 Initial load
duke
parents:
diff changeset
   289
.di i+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   290
.35
90ce3da70b43 Initial load
duke
parents:
diff changeset
   291
.ft \n(.f
90ce3da70b43 Initial load
duke
parents:
diff changeset
   292
.ll \n(34u*1u/6u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   293
.if \n(.l<\n(84 .ll \n(84u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   294
.in 0
90ce3da70b43 Initial load
duke
parents:
diff changeset
   295
Default privileges granted to all code plus privileges granted in policy file. (2)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   296
.br
90ce3da70b43 Initial load
duke
parents:
diff changeset
   297
.di
90ce3da70b43 Initial load
duke
parents:
diff changeset
   298
.nr i| \n(dn
90ce3da70b43 Initial load
duke
parents:
diff changeset
   299
.nr i- \n(dl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   300
..
90ce3da70b43 Initial load
duke
parents:
diff changeset
   301
.ec \
90ce3da70b43 Initial load
duke
parents:
diff changeset
   302
.35
90ce3da70b43 Initial load
duke
parents:
diff changeset
   303
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
   304
.ll \n(34u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   305
.nr 80 0
90ce3da70b43 Initial load
duke
parents:
diff changeset
   306
.nr 38 \w\f3JAR File Type\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   307
.if \n(80<\n(38 .nr 80 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   308
.nr 38 \wSigned JAR
90ce3da70b43 Initial load
duke
parents:
diff changeset
   309
.if \n(80<\n(38 .nr 80 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   310
.nr 38 \wUnsigned JAR
90ce3da70b43 Initial load
duke
parents:
diff changeset
   311
.if \n(80<\n(38 .nr 80 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   312
.nr 38 \wSigned JAR
90ce3da70b43 Initial load
duke
parents:
diff changeset
   313
.if \n(80<\n(38 .nr 80 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   314
.nr 38 \wSigned JAR
90ce3da70b43 Initial load
duke
parents:
diff changeset
   315
.if \n(80<\n(38 .nr 80 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   316
.nr 38 \wSigned JAR
90ce3da70b43 Initial load
duke
parents:
diff changeset
   317
.if \n(80<\n(38 .nr 80 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   318
.nr 38 \wSigned JAR
90ce3da70b43 Initial load
duke
parents:
diff changeset
   319
.if \n(80<\n(38 .nr 80 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   320
.nr 38 \wSigned JAR
90ce3da70b43 Initial load
duke
parents:
diff changeset
   321
.if \n(80<\n(38 .nr 80 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   322
.nr 38 \wSigned JAR
90ce3da70b43 Initial load
duke
parents:
diff changeset
   323
.if \n(80<\n(38 .nr 80 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   324
.nr 38 \wSigned JAR
90ce3da70b43 Initial load
duke
parents:
diff changeset
   325
.if \n(80<\n(38 .nr 80 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   326
.nr 38 \wSigned JAR
90ce3da70b43 Initial load
duke
parents:
diff changeset
   327
.if \n(80<\n(38 .nr 80 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   328
.80
90ce3da70b43 Initial load
duke
parents:
diff changeset
   329
.rm 80
90ce3da70b43 Initial load
duke
parents:
diff changeset
   330
.nr 81 0
90ce3da70b43 Initial load
duke
parents:
diff changeset
   331
.nr 38 \w\f3Identity in 1.1 database\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   332
.if \n(81<\n(38 .nr 81 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   333
.nr 38 \wNO
90ce3da70b43 Initial load
duke
parents:
diff changeset
   334
.if \n(81<\n(38 .nr 81 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   335
.nr 38 \wNO
90ce3da70b43 Initial load
duke
parents:
diff changeset
   336
.if \n(81<\n(38 .nr 81 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   337
.nr 38 \wNO
90ce3da70b43 Initial load
duke
parents:
diff changeset
   338
.if \n(81<\n(38 .nr 81 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   339
.nr 38 \wYES/Untrusted
90ce3da70b43 Initial load
duke
parents:
diff changeset
   340
.if \n(81<\n(38 .nr 81 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   341
.nr 38 \wYES/Untrusted
90ce3da70b43 Initial load
duke
parents:
diff changeset
   342
.if \n(81<\n(38 .nr 81 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   343
.nr 38 \wNO
90ce3da70b43 Initial load
duke
parents:
diff changeset
   344
.if \n(81<\n(38 .nr 81 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   345
.nr 38 \wYES/Trusted
90ce3da70b43 Initial load
duke
parents:
diff changeset
   346
.if \n(81<\n(38 .nr 81 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   347
.nr 38 \wYES/Trusted
90ce3da70b43 Initial load
duke
parents:
diff changeset
   348
.if \n(81<\n(38 .nr 81 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   349
.nr 38 \wYES/Trusted
90ce3da70b43 Initial load
duke
parents:
diff changeset
   350
.if \n(81<\n(38 .nr 81 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   351
.nr 38 \wYES/Trusted
90ce3da70b43 Initial load
duke
parents:
diff changeset
   352
.if \n(81<\n(38 .nr 81 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   353
.81
90ce3da70b43 Initial load
duke
parents:
diff changeset
   354
.rm 81
90ce3da70b43 Initial load
duke
parents:
diff changeset
   355
.nr 82 0
90ce3da70b43 Initial load
duke
parents:
diff changeset
   356
.nr 38 \wNO
90ce3da70b43 Initial load
duke
parents:
diff changeset
   357
.if \n(82<\n(38 .nr 82 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   358
.nr 38 \wNO
90ce3da70b43 Initial load
duke
parents:
diff changeset
   359
.if \n(82<\n(38 .nr 82 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   360
.nr 38 \wYES
90ce3da70b43 Initial load
duke
parents:
diff changeset
   361
.if \n(82<\n(38 .nr 82 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   362
.nr 38 \wNO
90ce3da70b43 Initial load
duke
parents:
diff changeset
   363
.if \n(82<\n(38 .nr 82 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   364
.nr 38 \wNO
90ce3da70b43 Initial load
duke
parents:
diff changeset
   365
.if \n(82<\n(38 .nr 82 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   366
.nr 38 \wYES
90ce3da70b43 Initial load
duke
parents:
diff changeset
   367
.if \n(82<\n(38 .nr 82 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   368
.nr 38 \wYES
90ce3da70b43 Initial load
duke
parents:
diff changeset
   369
.if \n(82<\n(38 .nr 82 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   370
.nr 38 \wNO
90ce3da70b43 Initial load
duke
parents:
diff changeset
   371
.if \n(82<\n(38 .nr 82 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   372
.nr 38 \wYES
90ce3da70b43 Initial load
duke
parents:
diff changeset
   373
.if \n(82<\n(38 .nr 82 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   374
.nr 38 \wNO
90ce3da70b43 Initial load
duke
parents:
diff changeset
   375
.if \n(82<\n(38 .nr 82 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   376
.82
90ce3da70b43 Initial load
duke
parents:
diff changeset
   377
.rm 82
90ce3da70b43 Initial load
duke
parents:
diff changeset
   378
.nr 38 \n(a-
90ce3da70b43 Initial load
duke
parents:
diff changeset
   379
.if \n(82<\n(38 .nr 82 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   380
.nr 83 0
90ce3da70b43 Initial load
duke
parents:
diff changeset
   381
.nr 38 \wNO
90ce3da70b43 Initial load
duke
parents:
diff changeset
   382
.if \n(83<\n(38 .nr 83 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   383
.nr 38 \wNO
90ce3da70b43 Initial load
duke
parents:
diff changeset
   384
.if \n(83<\n(38 .nr 83 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   385
.nr 38 \wNO
90ce3da70b43 Initial load
duke
parents:
diff changeset
   386
.if \n(83<\n(38 .nr 83 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   387
.nr 38 \wNO
90ce3da70b43 Initial load
duke
parents:
diff changeset
   388
.if \n(83<\n(38 .nr 83 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   389
.nr 38 \wYES
90ce3da70b43 Initial load
duke
parents:
diff changeset
   390
.if \n(83<\n(38 .nr 83 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   391
.nr 38 \wYES
90ce3da70b43 Initial load
duke
parents:
diff changeset
   392
.if \n(83<\n(38 .nr 83 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   393
.nr 38 \wYES
90ce3da70b43 Initial load
duke
parents:
diff changeset
   394
.if \n(83<\n(38 .nr 83 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   395
.nr 38 \wNO
90ce3da70b43 Initial load
duke
parents:
diff changeset
   396
.if \n(83<\n(38 .nr 83 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   397
.nr 38 \wNO
90ce3da70b43 Initial load
duke
parents:
diff changeset
   398
.if \n(83<\n(38 .nr 83 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   399
.nr 38 \wYES
90ce3da70b43 Initial load
duke
parents:
diff changeset
   400
.if \n(83<\n(38 .nr 83 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   401
.83
90ce3da70b43 Initial load
duke
parents:
diff changeset
   402
.rm 83
90ce3da70b43 Initial load
duke
parents:
diff changeset
   403
.nr 38 \n(b-
90ce3da70b43 Initial load
duke
parents:
diff changeset
   404
.if \n(83<\n(38 .nr 83 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   405
.nr 84 0
90ce3da70b43 Initial load
duke
parents:
diff changeset
   406
.nr 38 \w\f3Privileges Granted\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   407
.if \n(84<\n(38 .nr 84 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   408
.nr 38 \wAll privileges
90ce3da70b43 Initial load
duke
parents:
diff changeset
   409
.if \n(84<\n(38 .nr 84 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   410
.nr 38 \wAll privileges (1)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   411
.if \n(84<\n(38 .nr 84 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   412
.nr 38 \wAll privileges (1)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   413
.if \n(84<\n(38 .nr 84 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   414
.84
90ce3da70b43 Initial load
duke
parents:
diff changeset
   415
.rm 84
90ce3da70b43 Initial load
duke
parents:
diff changeset
   416
.nr 38 \n(c-
90ce3da70b43 Initial load
duke
parents:
diff changeset
   417
.if \n(84<\n(38 .nr 84 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   418
.nr 38 \n(d-
90ce3da70b43 Initial load
duke
parents:
diff changeset
   419
.if \n(84<\n(38 .nr 84 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   420
.nr 38 \n(e-
90ce3da70b43 Initial load
duke
parents:
diff changeset
   421
.if \n(84<\n(38 .nr 84 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   422
.nr 38 \n(f-
90ce3da70b43 Initial load
duke
parents:
diff changeset
   423
.if \n(84<\n(38 .nr 84 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   424
.nr 38 \n(g-
90ce3da70b43 Initial load
duke
parents:
diff changeset
   425
.if \n(84<\n(38 .nr 84 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   426
.nr 38 \n(h-
90ce3da70b43 Initial load
duke
parents:
diff changeset
   427
.if \n(84<\n(38 .nr 84 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   428
.nr 38 \n(i-
90ce3da70b43 Initial load
duke
parents:
diff changeset
   429
.if \n(84<\n(38 .nr 84 \n(38
90ce3da70b43 Initial load
duke
parents:
diff changeset
   430
.35
90ce3da70b43 Initial load
duke
parents:
diff changeset
   431
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
   432
.ll \n(34u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   433
.nr 38 1n
90ce3da70b43 Initial load
duke
parents:
diff changeset
   434
.nr 79 0
90ce3da70b43 Initial load
duke
parents:
diff changeset
   435
.nr 40 \n(79+(0*\n(38)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   436
.nr 80 +\n(40
90ce3da70b43 Initial load
duke
parents:
diff changeset
   437
.nr 41 \n(80+(3*\n(38)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   438
.nr 81 +\n(41
90ce3da70b43 Initial load
duke
parents:
diff changeset
   439
.nr 42 \n(81+(3*\n(38)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   440
.nr 82 +\n(42
90ce3da70b43 Initial load
duke
parents:
diff changeset
   441
.nr 43 \n(82+(3*\n(38)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   442
.nr 83 +\n(43
90ce3da70b43 Initial load
duke
parents:
diff changeset
   443
.nr 44 \n(83+(3*\n(38)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   444
.nr 84 +\n(44
90ce3da70b43 Initial load
duke
parents:
diff changeset
   445
.nr TW \n(84
90ce3da70b43 Initial load
duke
parents:
diff changeset
   446
.if t .if \n(TW>\n(.li .tm Table at line 161 file Input is too wide - \n(TW units
90ce3da70b43 Initial load
duke
parents:
diff changeset
   447
.fc  
90ce3da70b43 Initial load
duke
parents:
diff changeset
   448
.nr #T 0-1
90ce3da70b43 Initial load
duke
parents:
diff changeset
   449
.nr #a 0-1
90ce3da70b43 Initial load
duke
parents:
diff changeset
   450
.eo
90ce3da70b43 Initial load
duke
parents:
diff changeset
   451
.de T#
90ce3da70b43 Initial load
duke
parents:
diff changeset
   452
.ds #d .d
90ce3da70b43 Initial load
duke
parents:
diff changeset
   453
.if \(ts\n(.z\(ts\(ts .ds #d nl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   454
.mk ##
90ce3da70b43 Initial load
duke
parents:
diff changeset
   455
.nr ## -1v
90ce3da70b43 Initial load
duke
parents:
diff changeset
   456
.ls 1
90ce3da70b43 Initial load
duke
parents:
diff changeset
   457
.ls
90ce3da70b43 Initial load
duke
parents:
diff changeset
   458
..
90ce3da70b43 Initial load
duke
parents:
diff changeset
   459
.ec
90ce3da70b43 Initial load
duke
parents:
diff changeset
   460
.ne \n(a|u+\n(.Vu
90ce3da70b43 Initial load
duke
parents:
diff changeset
   461
.ne \n(b|u+\n(.Vu
90ce3da70b43 Initial load
duke
parents:
diff changeset
   462
.if (\n(a|+\n(#^-1v)>\n(#- .nr #- +(\n(a|+\n(#^-\n(#--1v)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   463
.if (\n(b|+\n(#^-1v)>\n(#- .nr #- +(\n(b|+\n(#^-\n(#--1v)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   464
.ta \n(80u \n(81u \n(82u \n(83u \n(84u 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   465
.nr 31 \n(.f
90ce3da70b43 Initial load
duke
parents:
diff changeset
   466
.nr 35 1m
90ce3da70b43 Initial load
duke
parents:
diff changeset
   467
\&\h'|\n(40u'\f3JAR File Type\fP\h'|\n(41u'\f3Identity in 1.1 database\fP\h'|\n(42u'\h'|\n(43u'\h'|\n(44u'\f3Privileges Granted\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   468
.mk ##
90ce3da70b43 Initial load
duke
parents:
diff changeset
   469
.nr 31 \n(##
90ce3da70b43 Initial load
duke
parents:
diff changeset
   470
.sp |\n(##u-1v
90ce3da70b43 Initial load
duke
parents:
diff changeset
   471
.nr 37 \n(42u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   472
.in +\n(37u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   473
.a+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   474
.in -\n(37u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   475
.mk 32
90ce3da70b43 Initial load
duke
parents:
diff changeset
   476
.if \n(32>\n(31 .nr 31 \n(32
90ce3da70b43 Initial load
duke
parents:
diff changeset
   477
.sp |\n(##u-1v
90ce3da70b43 Initial load
duke
parents:
diff changeset
   478
.nr 37 \n(43u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   479
.in +\n(37u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   480
.b+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   481
.in -\n(37u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   482
.mk 32
90ce3da70b43 Initial load
duke
parents:
diff changeset
   483
.if \n(32>\n(31 .nr 31 \n(32
90ce3da70b43 Initial load
duke
parents:
diff changeset
   484
.sp |\n(31u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   485
.ne \n(c|u+\n(.Vu
90ce3da70b43 Initial load
duke
parents:
diff changeset
   486
.if (\n(c|+\n(#^-1v)>\n(#- .nr #- +(\n(c|+\n(#^-\n(#--1v)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   487
.ta \n(80u \n(81u \n(82u \n(83u \n(84u 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   488
.nr 31 \n(.f
90ce3da70b43 Initial load
duke
parents:
diff changeset
   489
.nr 35 1m
90ce3da70b43 Initial load
duke
parents:
diff changeset
   490
\&\h'|\n(40u'Signed JAR\h'|\n(41u'NO\h'|\n(42u'NO\h'|\n(43u'NO\h'|\n(44u'
90ce3da70b43 Initial load
duke
parents:
diff changeset
   491
.mk ##
90ce3da70b43 Initial load
duke
parents:
diff changeset
   492
.nr 31 \n(##
90ce3da70b43 Initial load
duke
parents:
diff changeset
   493
.sp |\n(##u-1v
90ce3da70b43 Initial load
duke
parents:
diff changeset
   494
.nr 37 \n(44u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   495
.in +\n(37u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   496
.c+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   497
.in -\n(37u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   498
.mk 32
90ce3da70b43 Initial load
duke
parents:
diff changeset
   499
.if \n(32>\n(31 .nr 31 \n(32
90ce3da70b43 Initial load
duke
parents:
diff changeset
   500
.sp |\n(31u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   501
.ne \n(d|u+\n(.Vu
90ce3da70b43 Initial load
duke
parents:
diff changeset
   502
.if (\n(d|+\n(#^-1v)>\n(#- .nr #- +(\n(d|+\n(#^-\n(#--1v)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   503
.ta \n(80u \n(81u \n(82u \n(83u \n(84u 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   504
.nr 31 \n(.f
90ce3da70b43 Initial load
duke
parents:
diff changeset
   505
.nr 35 1m
90ce3da70b43 Initial load
duke
parents:
diff changeset
   506
\&\h'|\n(40u'Unsigned JAR\h'|\n(41u'NO\h'|\n(42u'NO\h'|\n(43u'NO\h'|\n(44u'
90ce3da70b43 Initial load
duke
parents:
diff changeset
   507
.mk ##
90ce3da70b43 Initial load
duke
parents:
diff changeset
   508
.nr 31 \n(##
90ce3da70b43 Initial load
duke
parents:
diff changeset
   509
.sp |\n(##u-1v
90ce3da70b43 Initial load
duke
parents:
diff changeset
   510
.nr 37 \n(44u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   511
.in +\n(37u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   512
.d+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   513
.in -\n(37u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   514
.mk 32
90ce3da70b43 Initial load
duke
parents:
diff changeset
   515
.if \n(32>\n(31 .nr 31 \n(32
90ce3da70b43 Initial load
duke
parents:
diff changeset
   516
.sp |\n(31u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   517
.ne \n(e|u+\n(.Vu
90ce3da70b43 Initial load
duke
parents:
diff changeset
   518
.if (\n(e|+\n(#^-1v)>\n(#- .nr #- +(\n(e|+\n(#^-\n(#--1v)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   519
.ta \n(80u \n(81u \n(82u \n(83u \n(84u 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   520
.nr 31 \n(.f
90ce3da70b43 Initial load
duke
parents:
diff changeset
   521
.nr 35 1m
90ce3da70b43 Initial load
duke
parents:
diff changeset
   522
\&\h'|\n(40u'Signed JAR\h'|\n(41u'NO\h'|\n(42u'YES\h'|\n(43u'NO\h'|\n(44u'
90ce3da70b43 Initial load
duke
parents:
diff changeset
   523
.mk ##
90ce3da70b43 Initial load
duke
parents:
diff changeset
   524
.nr 31 \n(##
90ce3da70b43 Initial load
duke
parents:
diff changeset
   525
.sp |\n(##u-1v
90ce3da70b43 Initial load
duke
parents:
diff changeset
   526
.nr 37 \n(44u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   527
.in +\n(37u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   528
.e+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   529
.in -\n(37u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   530
.mk 32
90ce3da70b43 Initial load
duke
parents:
diff changeset
   531
.if \n(32>\n(31 .nr 31 \n(32
90ce3da70b43 Initial load
duke
parents:
diff changeset
   532
.sp |\n(31u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   533
.ne \n(f|u+\n(.Vu
90ce3da70b43 Initial load
duke
parents:
diff changeset
   534
.if (\n(f|+\n(#^-1v)>\n(#- .nr #- +(\n(f|+\n(#^-\n(#--1v)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   535
.ta \n(80u \n(81u \n(82u \n(83u \n(84u 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   536
.nr 31 \n(.f
90ce3da70b43 Initial load
duke
parents:
diff changeset
   537
.nr 35 1m
90ce3da70b43 Initial load
duke
parents:
diff changeset
   538
\&\h'|\n(40u'Signed JAR\h'|\n(41u'YES/Untrusted\h'|\n(42u'NO\h'|\n(43u'NO\h'|\n(44u'
90ce3da70b43 Initial load
duke
parents:
diff changeset
   539
.mk ##
90ce3da70b43 Initial load
duke
parents:
diff changeset
   540
.nr 31 \n(##
90ce3da70b43 Initial load
duke
parents:
diff changeset
   541
.sp |\n(##u-1v
90ce3da70b43 Initial load
duke
parents:
diff changeset
   542
.nr 37 \n(44u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   543
.in +\n(37u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   544
.f+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   545
.in -\n(37u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   546
.mk 32
90ce3da70b43 Initial load
duke
parents:
diff changeset
   547
.if \n(32>\n(31 .nr 31 \n(32
90ce3da70b43 Initial load
duke
parents:
diff changeset
   548
.sp |\n(31u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   549
.ne \n(g|u+\n(.Vu
90ce3da70b43 Initial load
duke
parents:
diff changeset
   550
.if (\n(g|+\n(#^-1v)>\n(#- .nr #- +(\n(g|+\n(#^-\n(#--1v)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   551
.ta \n(80u \n(81u \n(82u \n(83u \n(84u 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   552
.nr 31 \n(.f
90ce3da70b43 Initial load
duke
parents:
diff changeset
   553
.nr 35 1m
90ce3da70b43 Initial load
duke
parents:
diff changeset
   554
\&\h'|\n(40u'Signed JAR\h'|\n(41u'YES/Untrusted\h'|\n(42u'NO\h'|\n(43u'YES\h'|\n(44u'
90ce3da70b43 Initial load
duke
parents:
diff changeset
   555
.mk ##
90ce3da70b43 Initial load
duke
parents:
diff changeset
   556
.nr 31 \n(##
90ce3da70b43 Initial load
duke
parents:
diff changeset
   557
.sp |\n(##u-1v
90ce3da70b43 Initial load
duke
parents:
diff changeset
   558
.nr 37 \n(44u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   559
.in +\n(37u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   560
.g+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   561
.in -\n(37u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   562
.mk 32
90ce3da70b43 Initial load
duke
parents:
diff changeset
   563
.if \n(32>\n(31 .nr 31 \n(32
90ce3da70b43 Initial load
duke
parents:
diff changeset
   564
.sp |\n(31u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   565
.ne \n(h|u+\n(.Vu
90ce3da70b43 Initial load
duke
parents:
diff changeset
   566
.if (\n(h|+\n(#^-1v)>\n(#- .nr #- +(\n(h|+\n(#^-\n(#--1v)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   567
.ta \n(80u \n(81u \n(82u \n(83u \n(84u 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   568
.nr 31 \n(.f
90ce3da70b43 Initial load
duke
parents:
diff changeset
   569
.nr 35 1m
90ce3da70b43 Initial load
duke
parents:
diff changeset
   570
\&\h'|\n(40u'Signed JAR\h'|\n(41u'NO\h'|\n(42u'YES\h'|\n(43u'YES\h'|\n(44u'
90ce3da70b43 Initial load
duke
parents:
diff changeset
   571
.mk ##
90ce3da70b43 Initial load
duke
parents:
diff changeset
   572
.nr 31 \n(##
90ce3da70b43 Initial load
duke
parents:
diff changeset
   573
.sp |\n(##u-1v
90ce3da70b43 Initial load
duke
parents:
diff changeset
   574
.nr 37 \n(44u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   575
.in +\n(37u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   576
.h+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   577
.in -\n(37u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   578
.mk 32
90ce3da70b43 Initial load
duke
parents:
diff changeset
   579
.if \n(32>\n(31 .nr 31 \n(32
90ce3da70b43 Initial load
duke
parents:
diff changeset
   580
.sp |\n(31u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   581
.ne \n(i|u+\n(.Vu
90ce3da70b43 Initial load
duke
parents:
diff changeset
   582
.if (\n(i|+\n(#^-1v)>\n(#- .nr #- +(\n(i|+\n(#^-\n(#--1v)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   583
.ta \n(80u \n(81u \n(82u \n(83u \n(84u 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   584
.nr 31 \n(.f
90ce3da70b43 Initial load
duke
parents:
diff changeset
   585
.nr 35 1m
90ce3da70b43 Initial load
duke
parents:
diff changeset
   586
\&\h'|\n(40u'Signed JAR\h'|\n(41u'YES/Trusted\h'|\n(42u'YES\h'|\n(43u'YES\h'|\n(44u'
90ce3da70b43 Initial load
duke
parents:
diff changeset
   587
.mk ##
90ce3da70b43 Initial load
duke
parents:
diff changeset
   588
.nr 31 \n(##
90ce3da70b43 Initial load
duke
parents:
diff changeset
   589
.sp |\n(##u-1v
90ce3da70b43 Initial load
duke
parents:
diff changeset
   590
.nr 37 \n(44u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   591
.in +\n(37u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   592
.i+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   593
.in -\n(37u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   594
.mk 32
90ce3da70b43 Initial load
duke
parents:
diff changeset
   595
.if \n(32>\n(31 .nr 31 \n(32
90ce3da70b43 Initial load
duke
parents:
diff changeset
   596
.sp |\n(31u
90ce3da70b43 Initial load
duke
parents:
diff changeset
   597
.ta \n(80u \n(81u \n(82u \n(83u \n(84u 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   598
.nr 31 \n(.f
90ce3da70b43 Initial load
duke
parents:
diff changeset
   599
.nr 35 1m
90ce3da70b43 Initial load
duke
parents:
diff changeset
   600
\&\h'|\n(40u'Signed JAR\h'|\n(41u'YES/Trusted\h'|\n(42u'NO\h'|\n(43u'NO\h'|\n(44u'All privileges
90ce3da70b43 Initial load
duke
parents:
diff changeset
   601
.ta \n(80u \n(81u \n(82u \n(83u \n(84u 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   602
.nr 31 \n(.f
90ce3da70b43 Initial load
duke
parents:
diff changeset
   603
.nr 35 1m
90ce3da70b43 Initial load
duke
parents:
diff changeset
   604
\&\h'|\n(40u'Signed JAR\h'|\n(41u'YES/Trusted\h'|\n(42u'YES\h'|\n(43u'NO\h'|\n(44u'All privileges (1)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   605
.ta \n(80u \n(81u \n(82u \n(83u \n(84u 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   606
.nr 31 \n(.f
90ce3da70b43 Initial load
duke
parents:
diff changeset
   607
.nr 35 1m
90ce3da70b43 Initial load
duke
parents:
diff changeset
   608
\&\h'|\n(40u'Signed JAR\h'|\n(41u'YES/Trusted\h'|\n(42u'NO\h'|\n(43u'YES\h'|\n(44u'All privileges (1)
90ce3da70b43 Initial load
duke
parents:
diff changeset
   609
.fc
90ce3da70b43 Initial load
duke
parents:
diff changeset
   610
.nr T. 1
90ce3da70b43 Initial load
duke
parents:
diff changeset
   611
.T# 1
90ce3da70b43 Initial load
duke
parents:
diff changeset
   612
.35
90ce3da70b43 Initial load
duke
parents:
diff changeset
   613
.rm a+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   614
.rm b+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   615
.rm c+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   616
.rm d+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   617
.rm e+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   618
.rm f+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   619
.rm g+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   620
.rm h+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   621
.rm i+
90ce3da70b43 Initial load
duke
parents:
diff changeset
   622
.TE
90ce3da70b43 Initial load
duke
parents:
diff changeset
   623
.if \n-(b.=0 .nr c. \n(.c-\n(d.-42
90ce3da70b43 Initial load
duke
parents:
diff changeset
   624
90ce3da70b43 Initial load
duke
parents:
diff changeset
   625
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   626
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   627
Notes:
90ce3da70b43 Initial load
duke
parents:
diff changeset
   628
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   629
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   630
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   631
1.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   632
If an identity/alias is mentioned in the policy file, it must be imported into the keystore for the policy file to have any effect on privileges granted. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   633
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   634
2.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   635
The policy file/keystore combination has precedence over a trusted identity in the identity database. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   636
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   637
3.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   638
Untrusted identities are ignored in the Java 2 platform. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   639
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   640
4.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   641
Only trusted identities can be imported into Java 2 SDK keystores. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   642
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
   643
90ce3da70b43 Initial load
duke
parents:
diff changeset
   644
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   645
.SS 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   646
Keystore Aliases
90ce3da70b43 Initial load
duke
parents:
diff changeset
   647
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   648
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   649
90ce3da70b43 Initial load
duke
parents:
diff changeset
   650
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   651
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   652
All keystore entities are accessed via unique \f2aliases\fP.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   653
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   654
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   655
When using \f3jarsigner\fP to sign a JAR file, you must specify the alias for the keystore entry containing the private key needed to generate the signature. For example, the following will sign the JAR file named "MyJARFile.jar", using the private key associated with the alias "duke" in the keystore named "mystore" in the "working" directory. Since no output file is specified, it overwrites MyJARFile.jar with the signed JAR file.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   656
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   657
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
   658
\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   659
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   660
    jarsigner \-keystore /working/mystore \-storepass myspass
90ce3da70b43 Initial load
duke
parents:
diff changeset
   661
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   662
      \-keypass dukekeypasswd MyJARFile.jar duke 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   663
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   664
\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   665
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
   666
90ce3da70b43 Initial load
duke
parents:
diff changeset
   667
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   668
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   669
Keystores are protected with a password, so the store password (in this case "myspass") must be specified. You will be prompted for it if you don't specify it on the command line. Similarly, private keys are protected in a keystore with a password, so the private key's password (in this case "dukekeypasswd") must be specified, and you will be prompted for it if you don't specify it on the command line and it isn't the same as the store password.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   670
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   671
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
   672
.SS 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   673
Keystore Location
90ce3da70b43 Initial load
duke
parents:
diff changeset
   674
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   675
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   676
90ce3da70b43 Initial load
duke
parents:
diff changeset
   677
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   678
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   679
\f3jarsigner\fP has a \f2\-keystore\fP option for specifying the URL of the keystore to be used. The keystore is by default stored in a file named \f2.keystore\fP in the user's home directory, as determined by the \f2user.home\fP system property. On Solaris systems \f2user.home\fP defaults to the user's home directory.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   680
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   681
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   682
Note that the input stream from the \f2\-keystore\fP option is passed to the \f2KeyStore.load\fP method. If \f2NONE\fP is specified as the URL, then a null stream is passed to the \f2KeyStore.load\fP method. \f2NONE\fP should be specified if the \f2KeyStore\fP is not file\-based, for example, if it resides on a hardware token device.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   683
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   684
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
   685
.SS 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   686
Keystore Implementation
90ce3da70b43 Initial load
duke
parents:
diff changeset
   687
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   688
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   689
90ce3da70b43 Initial load
duke
parents:
diff changeset
   690
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   691
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   692
The \f2KeyStore\fP class provided in the \f2java.security\fP package supplies well\-defined interfaces to access and modify the information in a keystore. It is possible for there to be multiple different concrete implementations, where each implementation is that for a particular \f2type\fP of keystore.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   693
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   694
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   695
Currently, there are two command\-line tools that make use of keystore implementations (\f3keytool\fP and \f3jarsigner\fP), and also a GUI\-based tool named \f3Policy Tool\fP. Since \f2KeyStore\fP is publicly available, Java 2 SDK users can write additional security applications that use it.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   696
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   697
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   698
There is a built\-in default implementation, provided by Sun Microsystems. It implements the keystore as a file, utilizing a proprietary keystore type (format) named "JKS". It protects each private key with its individual password, and also protects the integrity of the entire keystore with a (possibly different) password.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   699
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   700
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   701
Keystore implementations are provider\-based. More specifically, the application interfaces supplied by \f2KeyStore\fP are implemented in terms of a "Service Provider Interface" (SPI). That is, there is a corresponding abstract \f2KeystoreSpi\fP class, also in the \f2java.security\fP package, which defines the Service Provider Interface methods that "providers" must implement. (The term "provider" refers to a package or a set of packages that supply a concrete implementation of a subset of services that can be accessed by the Java Security API.) Thus, to provide a keystore implementation, clients must implement a provider and supply a KeystoreSpi subclass implementation, as described in 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   702
.na
90ce3da70b43 Initial load
duke
parents:
diff changeset
   703
\f2How to Implement a Provider for the Java Cryptography Architecture\fP @
90ce3da70b43 Initial load
duke
parents:
diff changeset
   704
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
   705
http://java.sun.com/javase/6/docs/technotes/guides/security/HowToImplAProvider.html.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   706
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   707
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   708
Applications can choose different \f2types\fP of keystore implementations from different providers, using the "getInstance" factory method supplied in the \f2KeyStore\fP class. A keystore type defines the storage and data format of the keystore information, and the algorithms used to protect private keys in the keystore and the integrity of the keystore itself. Keystore implementations of different types are not compatible.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   709
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   710
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   711
\f3keytool\fP works on any file\-based keystore implementation. (It treats the keytore location that is passed to it at the command line as a filename and converts it to a FileInputStream, from which it loads the keystore information.) The \f3jarsigner\fP and \f3policytool\fP tools, on the other hand, can read a keystore from any location that can be specified using a URL.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   712
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   713
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   714
For \f3jarsigner\fP and \f3keytool\fP, you can specify a keystore type at the command line, via the \f2\-storetype\fP option. For \f3Policy Tool\fP, you can specify a keystore type via the "Change Keystore" command in the Edit menu.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   715
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   716
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   717
If you don't explicitly specify a keystore type, the tools choose a keystore implementation based simply on the value of the \f2keystore.type\fP property specified in the security properties file. The security properties file is called \f2java.security\fP, and it resides in the SDK security properties directory, \f2java.home\fP/lib/security, where \f2java.home\fP is the runtime environment's directory (the \f2jre\fP directory in the SDK or the top\-level directory of the Java 2 Runtime Environment).
90ce3da70b43 Initial load
duke
parents:
diff changeset
   718
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   719
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   720
Each tool gets the \f2keystore.type\fP value and then examines all the currently\-installed providers until it finds one that implements keystores of that type. It then uses the keystore implementation from that provider.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   721
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   722
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   723
The \f2KeyStore\fP class defines a static method named \f2getDefaultType\fP that lets applications and applets retrieve the value of the \f2keystore.type\fP property. The following line of code creates an instance of the default keystore type (as specified in the \f2keystore.type\fP property):
90ce3da70b43 Initial load
duke
parents:
diff changeset
   724
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   725
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
   726
\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   727
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   728
    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
90ce3da70b43 Initial load
duke
parents:
diff changeset
   729
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   730
\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   731
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
   732
90ce3da70b43 Initial load
duke
parents:
diff changeset
   733
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   734
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   735
The default keystore type is "jks" (the proprietary type of the keystore implementation provided by Sun). This is specified by the following line in the security properties file:
90ce3da70b43 Initial load
duke
parents:
diff changeset
   736
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   737
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
   738
\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   739
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   740
    keystore.type=jks
90ce3da70b43 Initial load
duke
parents:
diff changeset
   741
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   742
\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   743
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
   744
90ce3da70b43 Initial load
duke
parents:
diff changeset
   745
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   746
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   747
Note: Case doesn't matter in keystore type designations. For example, "JKS" would be considered the same as "jks".
90ce3da70b43 Initial load
duke
parents:
diff changeset
   748
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   749
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   750
To have the tools utilize a keystore implementation other than the default, change that line to specify a different keystore type. For example, if you have a provider package that supplies a keystore implementation for a keystore type called "pkcs12", change the line to
90ce3da70b43 Initial load
duke
parents:
diff changeset
   751
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   752
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
   753
\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   754
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   755
    keystore.type=pkcs12
90ce3da70b43 Initial load
duke
parents:
diff changeset
   756
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   757
\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   758
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
   759
90ce3da70b43 Initial load
duke
parents:
diff changeset
   760
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   761
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   762
Note that if you us the PKCS#11 provider package, you should refer to the 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   763
.na
90ce3da70b43 Initial load
duke
parents:
diff changeset
   764
\f2KeyTool and JarSigner\fP @
90ce3da70b43 Initial load
duke
parents:
diff changeset
   765
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
   766
http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#keytooljarsigner section of the Java PKCS#11 Reference Guide for details.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   767
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   768
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
   769
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
   770
.SS 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   771
Supported Algorithms
90ce3da70b43 Initial load
duke
parents:
diff changeset
   772
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   773
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   774
90ce3da70b43 Initial load
duke
parents:
diff changeset
   775
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   776
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   777
By default, \f3jarsigner\fP signs a JAR file using either
90ce3da70b43 Initial load
duke
parents:
diff changeset
   778
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   779
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   780
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   781
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
   782
DSA (Digital Signature Algorithm) with the SHA\-1 digest algorithm, or 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   783
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   784
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
   785
the RSA algorithm with the MD5 digest algorithm. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   786
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
   787
90ce3da70b43 Initial load
duke
parents:
diff changeset
   788
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   789
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   790
That is, if the signer's public and private keys are DSA keys, \f3jarsigner\fP will sign the JAR file using the "SHA1withDSA" algorithm. If the signer's keys are RSA keys, \f3jarsigner\fP will attempt to sign the JAR file using the "MD5withRSA" algorithm.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   791
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   792
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   793
These default signature algorithms can be overridden using the \f2\-sigalg\fP option.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   794
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   795
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
   796
.SS 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   797
The Signed JAR File
90ce3da70b43 Initial load
duke
parents:
diff changeset
   798
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   799
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   800
90ce3da70b43 Initial load
duke
parents:
diff changeset
   801
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   802
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   803
When \f3jarsigner\fP is used to sign a JAR file, the output signed JAR file is exactly the same as the input JAR file, except that it has two additional files placed in the META\-INF directory:
90ce3da70b43 Initial load
duke
parents:
diff changeset
   804
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   805
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   806
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   807
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
   808
a signature file, with a .SF extension, and 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   809
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   810
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
   811
a signature block file, with a .DSA extension. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   812
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
   813
90ce3da70b43 Initial load
duke
parents:
diff changeset
   814
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   815
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   816
The base file names for these two files come from the value of the \f2\-sigFile\fP option. For example, if the option appears as
90ce3da70b43 Initial load
duke
parents:
diff changeset
   817
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   818
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
   819
\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   820
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   821
  \-sigFile MKSIGN
90ce3da70b43 Initial load
duke
parents:
diff changeset
   822
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   823
\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   824
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
   825
90ce3da70b43 Initial load
duke
parents:
diff changeset
   826
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   827
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   828
the files are named "MKSIGN.SF" and "MKSIGN.DSA".
90ce3da70b43 Initial load
duke
parents:
diff changeset
   829
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   830
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   831
If no \f2\-sigfile\fP option appears on the command line, the base file name for the .SF and .DSA files will be the first 8 characters of the alias name specified on the command line, all converted to upper case. If the alias name has fewer than 8 characters, the full alias name is used. If the alias name contains any characters that are not allowed in a signature file name, each such character is converted to an underscore ("_") character in forming the file name. Legal characters include letters, digits, underscores, and hyphens.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   832
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   833
\f3The Signature (.SF) File\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   834
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   835
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   836
90ce3da70b43 Initial load
duke
parents:
diff changeset
   837
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   838
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   839
A signature file (the .SF file) looks similar to the manifest file that is always included in a JAR file when \f3jarsigner\fP is used to sign the file. That is, for each source file included in the JAR file, the .SF file has three lines, just as in the manifest file, listing the following:
90ce3da70b43 Initial load
duke
parents:
diff changeset
   840
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   841
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   842
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   843
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
   844
the file name, 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   845
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   846
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
   847
the name of the digest algorithm used (SHA), and 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   848
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   849
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
   850
a SHA digest value. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   851
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
   852
90ce3da70b43 Initial load
duke
parents:
diff changeset
   853
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   854
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   855
In the manifest file, the SHA digest value for each source file is the digest (hash) of the binary data in the source file. In the .SF file, on the other hand, the digest value for a given source file is the hash of the three lines in the manifest file for the source file.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   856
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   857
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   858
The signature file also, by default, includes a header containing a hash of the whole manifest file. The presence of the header enables verification optimization, as described in JAR File Verification.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   859
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   860
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
   861
\f3The Signature Block (.DSA) File\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   862
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   863
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   864
90ce3da70b43 Initial load
duke
parents:
diff changeset
   865
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   866
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   867
The .SF file is signed and the signature is placed in the .DSA file. The .DSA file also contains, encoded inside it, the certificate or certificate chain from the keystore which authenticates the public key corresponding to the private key used for signing.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   868
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   869
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
   870
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
   871
.SS 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   872
Signature Timestamp
90ce3da70b43 Initial load
duke
parents:
diff changeset
   873
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   874
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   875
90ce3da70b43 Initial load
duke
parents:
diff changeset
   876
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   877
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   878
As of the J2SE 5.0 release, the \f2jarsigner\fP tool can now generate and store a signature timestamp when signing a JAR file. In addition, \f2jarsigner\fP supports alternative signing mechanisms. This behavior is optional and is controlled by the user at the time of signing through these options:
90ce3da70b43 Initial load
duke
parents:
diff changeset
   879
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   880
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   881
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   882
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
   883
\f2\-tsa url\fP 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   884
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   885
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
   886
\f2\-tsacert alias\fP 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   887
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   888
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
   889
\f2\-altsigner class\fP 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   890
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   891
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
   892
\f2\-altsignerpath classpathlist\fP 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   893
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
   894
90ce3da70b43 Initial load
duke
parents:
diff changeset
   895
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   896
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   897
Each of these options is detailed in the Options section below.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   898
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   899
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
   900
.SS 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   901
JAR File Verification
90ce3da70b43 Initial load
duke
parents:
diff changeset
   902
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   903
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   904
90ce3da70b43 Initial load
duke
parents:
diff changeset
   905
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   906
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   907
A successful JAR file verification occurs if the signature(s) are valid, and none of the files that were in the JAR file when the signatures were generated have been changed since then. JAR file verification involves the following steps:
90ce3da70b43 Initial load
duke
parents:
diff changeset
   908
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   909
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   910
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   911
1.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   912
Verify the signature of the .SF file itself. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   913
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   914
That is, the verification ensures that the signature stored in each signature block (.DSA) file was in fact generated using the private key corresponding to the public key whose certificate (or certificate chain) also appears in the .DSA file. It also ensures that the signature is a valid signature of the corresponding signature (.SF) file, and thus the .SF file has not been tampered with.  
90ce3da70b43 Initial load
duke
parents:
diff changeset
   915
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   916
2.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   917
Verify the digest listed in each entry in the .SF file with each corresponding section in the manifest. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   918
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   919
The .SF file by default includes a header containing a hash of the entire manifest file. When the header is present, then the verification can check to see whether or not the hash in the header indeed matches the hash of the manifest file. If that is the case, verification proceeds to the next step. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   920
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   921
If that is not the case, a less optimized verification is required to ensure that the hash in each source file information section in the .SF file equals the hash of its corresponding section in the manifest file (see The Signature (.SF) File). 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   922
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   923
One reason the hash of the manifest file that is stored in the .SF file header may not equal the hash of the current manifest file would be because one or more files were added to the JAR file (using the \f2jar\fP tool) after the signature (and thus the .SF file) was generated. When the \f2jar\fP tool is used to add files, the manifest file is changed (sections are added to it for the new files), but the .SF file is not. A verification is still considered successful if none of the files that were in the JAR file when the signature was generated have been changed since then, which is the case if the hashes in the non\-header sections of the .SF file equal the hashes of the corresponding sections in the manifest file.  
90ce3da70b43 Initial load
duke
parents:
diff changeset
   924
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   925
3.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   926
Read each file in the JAR file that has an entry in the .SF file. While reading, compute the file's digest, and then compare the result with the digest for this file in the manifest section. The digests should be the same, or verification fails. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   927
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
   928
90ce3da70b43 Initial load
duke
parents:
diff changeset
   929
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   930
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   931
If any serious verification failures occur during the verification process, the process is stopped and a security exception is thrown. It is caught and displayed by \f3jarsigner\fP.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   932
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   933
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
   934
.SS 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   935
Multiple Signatures for a JAR File
90ce3da70b43 Initial load
duke
parents:
diff changeset
   936
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   937
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   938
90ce3da70b43 Initial load
duke
parents:
diff changeset
   939
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   940
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   941
A JAR file can be signed by multiple people simply by running the \f3jarsigner\fP tool on the file multiple times, specifying the alias for a different person each time, as in:
90ce3da70b43 Initial load
duke
parents:
diff changeset
   942
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   943
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
   944
\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   945
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   946
  jarsigner myBundle.jar susan
90ce3da70b43 Initial load
duke
parents:
diff changeset
   947
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   948
  jarsigner myBundle.jar kevin
90ce3da70b43 Initial load
duke
parents:
diff changeset
   949
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   950
\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   951
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
   952
90ce3da70b43 Initial load
duke
parents:
diff changeset
   953
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   954
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   955
When a JAR file is signed multiple times, there are multiple .SF and .DSA files in the resulting JAR file, one pair for each signature. Thus, in the example above, the output JAR file includes files with the following names:
90ce3da70b43 Initial load
duke
parents:
diff changeset
   956
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   957
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
   958
\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   959
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   960
  SUSAN.SF
90ce3da70b43 Initial load
duke
parents:
diff changeset
   961
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   962
  SUSAN.DSA
90ce3da70b43 Initial load
duke
parents:
diff changeset
   963
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   964
  KEVIN.SF
90ce3da70b43 Initial load
duke
parents:
diff changeset
   965
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   966
  KEVIN.DSA
90ce3da70b43 Initial load
duke
parents:
diff changeset
   967
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
   968
\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   969
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
   970
90ce3da70b43 Initial load
duke
parents:
diff changeset
   971
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   972
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   973
Note: It is also possible for a JAR file to have mixed signatures, some generated by the JDK 1.1 \f3javakey\fP tool and others by \f3jarsigner\fP. That is, \f3jarsigner\fP can be used to sign JAR files already previously signed using \f3javakey\fP.
90ce3da70b43 Initial load
duke
parents:
diff changeset
   974
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   975
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
   976
.SH "OPTIONS"
90ce3da70b43 Initial load
duke
parents:
diff changeset
   977
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   978
90ce3da70b43 Initial load
duke
parents:
diff changeset
   979
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   980
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   981
The various \f3jarsigner\fP options are listed and described below. Note:
90ce3da70b43 Initial load
duke
parents:
diff changeset
   982
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   983
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
   984
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   985
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
   986
All option names are preceded by a minus sign (\-). 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   987
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   988
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
   989
The options may be provided in any order. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   990
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   991
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
   992
Items in italics (option values) represent the actual values that must be supplied. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   993
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
   994
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
   995
The \f2\-keystore\fP, \f2\-storepass\fP, \f2\-keypass\fP, \f2\-sigfile\fP, \f2\-sigalg\fP, \f2\-digestalg\fP, and \f2\-signedjar\fP options are only relevant when signing a JAR file, not when verifying a signed JAR file. Similarly, an alias is only specified on the command line when signing a JAR file. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
   996
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
   997
90ce3da70b43 Initial load
duke
parents:
diff changeset
   998
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
   999
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1000
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1001
\-keystore url 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1002
Specifies the URL that tells the keystore location. This defaults to the file \f2.keystore\fP in the user's home directory, as determined by the "user.home" system property. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1003
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1004
A keystore is required when signing, so you must explicitly specify one if the default keystore does not exist (or you want to use one other than the default). 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1005
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1006
A keystore is \f2not\fP required when verifying, but if one is specified, or the default exists, and the \f2\-verbose\fP option was also specified, additional information is output regarding whether or not any of the certificates used to verify the JAR file are contained in that keystore. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1007
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1008
Note: the \f2\-keystore\fP argument can actually be a file name (and path) specification rather than a URL, in which case it will be treated the same as a "file:" URL. That is, 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1009
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1010
\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1011
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1012
  \-keystore \fP\f4filePathAndName\fP\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1013
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1014
\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1015
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1016
is treated as equivalent to 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1017
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1018
\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1019
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1020
  \-keystore file:\fP\f4filePathAndName\fP\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1021
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1022
\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1023
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1024
If the Sun PKCS#11 provider has been configured in the \f2java.security\fP security properties file (located in the JRE's \f2$JAVA_HOME/lib/security\fP directory), then keytool and jarsigner can operate on the PKCS#11 token by specifying these options: 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1025
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1026
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1027
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1028
\f2\-keystore NONE\fP 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1029
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1030
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1031
\f2\-storetype PKCS11\fP 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1032
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1033
For example, this command lists the contents of the configured PKCS#11 token: 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1034
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1035
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1036
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1037
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1038
\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1039
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1040
   jarsigner \-keystore NONE \-storetype PKCS11 \-list
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1041
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1042
  
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1043
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1044
\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1045
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1046
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1047
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1048
\-storetype storetype 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1049
Specifies the type of keystore to be instantiated. The default keystore type is the one that is specified as the value of the "keystore.type" property in the security properties file, which is returned by the static \f2getDefaultType\fP method in \f2java.security.KeyStore\fP. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1050
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1051
The PIN for a PCKS#11 token can also be specified using the \f2\-storepass\fP option. If none has been specified, keytool and jarsigner will prompt for the token PIN. If the token has a protected authentication path (such as a dedicated PIN\-pad or a biometric reader), then the \f2\-protected\fP option must be specified and no password options can be specified.  
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1052
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1053
\-storepass password 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1054
Specifies the password which is required to access the keystore. This is only needed when signing (not verifying) a JAR file. In that case, if a \f2\-storepass\fP option is not provided at the command line, the user is prompted for the password. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1055
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1056
Note: The password shouldn't be specified on the command line or in a script unless it is for testing purposes, or you are on a secure system. Also, when typing in a password at the password prompt, the password is echoed (displayed exactly as typed), so be careful not to type it in front of anyone.  
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1057
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1058
\-keypass password 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1059
Specifies the password used to protect the private key of the keystore entry addressed by the alias specified on the command line. The password is required when using \f3jarsigner\fP to sign a JAR file. If no password is provided on the command line, and the required password is different from the store password, the user is prompted for it. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1060
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1061
Note: The password shouldn't be specified on the command line or in a script unless it is for testing purposes, or you are on a secure system. Also, when typing in a password at the password prompt, the password is echoed (displayed exactly as typed), so be careful not to type it in front of anyone.  
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1062
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1063
\-sigfile file 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1064
Specifies the base file name to be used for the generated .SF and .DSA files. For example, if \f2file\fP is "DUKESIGN", the generated .SF and .DSA files will be named "DUKESIGN.SF" and "DUKESIGN.DSA", and will be placed in the "META\-INF" directory of the signed JAR file. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1065
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1066
The characters in \f2file\fP must come from the set "a\-zA\-Z0\-9_\-". That is, only letters, numbers, underscore, and hyphen characters are allowed. Note: All lowercase characters will be converted to uppercase for the .SF and .DSA file names. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1067
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1068
If no \f2\-sigfile\fP option appears on the command line, the base file name for the .SF and .DSA files will be the first 8 characters of the alias name specified on the command line, all converted to upper case. If the alias name has fewer than 8 characters, the full alias name is used. If the alias name contains any characters that are not legal in a signature file name, each such character is converted to an underscore ("_") character in forming the file name.  
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1069
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1070
\-sigalg algorithm 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1071
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1072
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1073
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1074
Specifies the name of the signature algorithm to use to sign the JAR file. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1075
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1076
See 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1077
.na
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1078
\f2Appendix A\fP @
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1079
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1080
http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#appa of the Java Cryptography Architecture for a list of standard signature algorithm names. This algorithm must be compatible with the private key used to sign the JAR file. If this option is not specified, SHA1withDSA or MD5withRSA will be used depending on the type of private key. There must either be a statically installed provider supplying an implementation of the specified algorithm or the user must specify one with the \f2\-providerClass\fP option, otherwise the command will not succeed.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1081
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1082
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1083
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1084
\-digestalg algorithm 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1085
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1086
Specifies the name of the message digest algorithm to use when digesting the entries of a jar file. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1087
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1088
See 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1089
.na
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1090
\f2Appendix A\fP @
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1091
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1092
http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#appa of the Java Cryptography Architecture for a list of standard message digest algorithm names. If this option is not specified, SHA\-1 will be used. There must either be a statically installed provider supplying an implementation of the specified algorithm or the user must specify one with the \f2\-providerClass\fP option, otherwise the command will not succeed.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1093
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1094
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1095
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1096
\-signedjar file 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1097
Specifies the name to be used for the signed JAR file. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1098
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1099
If no name is specified on the command line, the name used is the same as the input JAR file name (the name of the JAR file to be signed); in other words, that file is overwritten with the signed JAR file.  
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1100
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1101
\-verify 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1102
If this appears on the command line, the specified JAR file will be verified, not signed. If the verification is successful, "jar verified" will be displayed. If you try to verify an unsigned JAR file, or a JAR file signed with an unsupported algorithm (e.g., RSA when you don't have an RSA provider installed), the following is displayed: "jar is unsigned. (signatures missing or not parsable)" 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1103
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1104
It is possible to verify JAR files signed using either \f3jarsigner\fP or the JDK 1.1 \f3javakey\fP tool, or both. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1105
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1106
For further information on verification, see JAR File Verification.  
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1107
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1108
\-certs 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1109
If this appears on the command line, along with the \f2\-verify\fP and \f2\-verbose\fP options, the output includes certificate information for each signer of the JAR file. This information includes 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1110
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1111
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1112
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1113
the name of the type of certificate (stored in the .DSA file) that certifies the signer's public key 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1114
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1115
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1116
if the certificate is an X.509 certificate (more specifically, an instance of \f2java.security.cert.X509Certificate\fP): the distinguished name of the signer 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1117
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1118
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1119
The keystore is also examined. If no keystore value is specified on the command line, the default keystore file (if any) will be checked. If the public key certificate for a signer matches an entry in the keystore, then the following information will also be displayed: 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1120
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1121
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1122
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1123
in parentheses, the alias name for the keystore entry for that signer. If the signer actually comes from a JDK 1.1 identity database instead of from a keystore, the alias name will appear in brackets instead of parentheses. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1124
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1125
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1126
\-verbose 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1127
If this appears on the command line, it indicates "verbose" mode, which causes \f3jarsigner\fP to output extra information as to the progress of the JAR signing or verification. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1128
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1129
\-internalsf 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1130
In the past, the .DSA (signature block) file generated when a JAR file was signed used to include a complete encoded copy of the .SF file (signature file) also generated. This behavior has been changed. To reduce the overall size of the output JAR file, the .DSA file by default doesn't contain a copy of the .SF file anymore. But if \f2\-internalsf\fP appears on the command line, the old behavior is utilized. \f3This option is mainly useful for testing; in practice, it should not be used, since doing so eliminates a useful optimization.\fP 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1131
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1132
\-sectionsonly 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1133
If this appears on the command line, the .SF file (signature file) generated when a JAR file is signed does \f2not\fP include a header containing a hash of the whole manifest file. It just contains information and hashes related to each individual source file included in the JAR file, as described in The Signature (.SF) File . 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1134
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1135
By default, this header is added, as an optimization. When the header is present, then whenever the JAR file is verified, the verification can first check to see whether or not the hash in the header indeed matches the hash of the whole manifest file. If so, verification proceeds to the next step. If not, it is necessary to do a less optimized verification that the hash in each source file information section in the .SF file equals the hash of its corresponding section in the manifest file. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1136
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1137
For further information, see JAR File Verification. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1138
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1139
\f3This option is mainly useful for testing; in practice, it should not be used, since doing so eliminates a useful optimization.\fP   
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1140
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1141
\-protected 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1142
Either \f2true\fP or \f2false\fP. This value should be specified as \f2true\fP if a password must be given via a protected authentication path such as a dedicated PIN reader. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1143
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1144
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1145
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1146
\-provider provider\-class\-name 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1147
Used to specify the name of cryptographic service provider's master class file when the service provider is not listed in the security properties file, \f2java.security\fP. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1148
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1149
Used in conjunction with the \f2\-providerArg\fP \f2ConfigFilePath\fP option, keytool and jarsigner will install the provider dynamically (where \f2ConfigFilePath\fP is the path to the token configuration file). Here's an example of a command to list a PKCS#11 keystore when the Sun PKCS#11 provider has not been configured in the security properties file. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1150
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1151
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1152
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1153
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1154
\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1155
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1156
jarsigner \-keystore NONE \-storetype PKCS11 \\
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1157
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1158
          \-providerClass sun.security.pkcs11.SunPKCS11 \\
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1159
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1160
          \-providerArg /foo/bar/token.config \\
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1161
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1162
          \-list
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1163
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1164
\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1165
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1166
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1167
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1168
\-providerName providerName 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1169
If more than one provider has been configured in the \f2java.security\fP security properties file, you can use the \f2\-providerName\fP option to target a specific provider instance. The argument to this option is the name of the provider. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1170
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1171
For the Sun PKCS#11 provider, \f2providerName\fP is of the form \f2SunPKCS11\-\fP\f2TokenName\fP, where \f2TokenName\fP is the name suffix that the provider instance has been configured with, as detailed in the 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1172
.na
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1173
\f2configuration attributes table\fP @
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1174
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1175
http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#KeyToolJarSigner#ATTRS. For example, the following command lists the contents of the PKCS#11 keystore provider instance with name suffix \f2SmartCard\fP: 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1176
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1177
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1178
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1179
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1180
\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1181
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1182
jarsigner \-keystore NONE \-storetype PKCS11 \\
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1183
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1184
        \-providerName SunPKCS11\-SmartCard \\
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1185
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1186
        \-list
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1187
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1188
\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1189
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1190
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1191
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1192
\-Jjavaoption 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1193
Passes through the specified \f2javaoption\fP string directly to the Java interpreter. (\f3jarsigner\fP is actually a "wrapper" around the interpreter.) This option should not contain any spaces. It is useful for adjusting the execution environment or memory usage. For a list of possible interpreter options, type \f2java \-h\fP or \f2java \-X\fP at the command line. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1194
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1195
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1196
\-tsa url 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1197
If \f2"\-tsa http://example.tsa.url"\fP appears on the command line when signing a JAR file then a timestamp is generated for the signature. The URL, \f2http://example.tsa.url\fP, identifies the location of the Time Stamping Authority (TSA). It overrides any URL found via the \f2\-tsacert\fP option. The \f2\-tsa\fP option does not require the TSA's public key certificate to be present in the keystore. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1198
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1199
To generate the timestamp, \f2jarsigner\fP communicates with the TSA using the Time\-Stamp Protocol (TSP) defined in 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1200
.na
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1201
\f2RFC 3161\fP @
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1202
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1203
http://www.ietf.org/rfc/rfc3161.txt. If successful, the timestamp token returned by the TSA is stored along with the signature in the signature block file. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1204
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1205
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1206
\-tsacert alias 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1207
If \f2"\-tsacert alias"\fP appears on the command line when signing a JAR file then a timestamp is generated for the signature. The \f2alias\fP identifies the TSA's public key certificate in the keystore that is currently in effect. The entry's certificate is examined for a Subject Information Access extension that contains a URL identifying the location of the TSA. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1208
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1209
The TSA's public key certificate must be present in the keystore when using \f2\-tsacert\fP. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1210
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1211
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1212
\-altsigner class 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1213
Specifies that an alternative signing mechanism be used. The fully\-qualified class name identifies a class file that extends the \f2com.sun.jarsigner.ContentSigner abstract class\fP. The path to this class file is defined by the \f2\-altsignerpath\fP option. If the \f2\-altsigner\fP option is used, \f2jarsigner\fP uses the signing mechanism provided by the specified class. Otherwise, \f2jarsigner\fP uses its default signing mechanism. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1214
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1215
For example, to use the signing mechanism provided by a class named \f2com.sun.sun.jarsigner.AuthSigner\fP, use the \f2jarsigner\fP option \f2"\-altsigner com.sun.jarsigner.AuthSigner"\fP 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1216
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1217
.TP 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1218
\-altsignerpath classpathlist 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1219
Specifies the path to the class file (the class file name is specified with the \f2\-altsigner\fP option described above) and any JAR files it depends on. If the class file is in a JAR file, then this specifies the path to that JAR file, as shown in the example below. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1220
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1221
An absolute path or a path relative to the current directory may be specified. If \f2classpathlist\fP contains multiple paths or JAR files, they should be separated with a colon (\f2:\fP) on Solaris and a semi\-colon (\f2;\fP) on Windows. This option is not necessary if the class is already in the search path. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1222
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1223
Example of specifying the path to a jar file that contains the class file: 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1224
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1225
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1226
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1227
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1228
\f2\-altsignerpath /home/user/lib/authsigner.jar\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1229
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1230
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1231
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1232
Note that the JAR file name is included. 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1233
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1234
Example of specifying the path to the jar file that contains the class file: 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1235
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1236
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1237
\f2\-altsignerpath /home/user/classes/com/sun/tools/jarsigner/\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1238
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1239
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1240
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1241
Note that the JAR file name is omitted.  
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1242
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1243
.SH "EXAMPLES"
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1244
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1245
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1246
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1247
.SS 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1248
Signing a JAR File
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1249
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1250
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1251
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1252
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1253
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1254
Suppose you have a JAR file named "bundle.jar" and you'd like to sign it using the private key of the user whose keystore alias is "jane" in the keystore named "mystore" in the "working" directory. Suppose the keystore password is "myspass" and the password for \f2jane\fP's private key is "j638klm". You can use the following to sign the JAR file and name the signed JAR file "sbundle.jar":
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1255
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1256
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1257
\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1258
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1259
    jarsigner \-keystore /working/mystore \-storepass myspass
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1260
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1261
      \-keypass j638klm \-signedjar sbundle.jar bundle.jar jane 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1262
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1263
\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1264
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1265
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1266
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1267
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1268
Note that there is no \f2\-sigfile\fP specified in the command above, so the generated .SF and .DSA files to be placed in the signed JAR file will have default names based on the alias name. That is, they will be named \f2JANE.SF\fP and \f2JANE.DSA\fP.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1269
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1270
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1271
If you want to be prompted for the store password and the private key password, you could shorten the above command to
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1272
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1273
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1274
\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1275
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1276
    jarsigner \-keystore /working/mystore
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1277
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1278
      \-signedjar sbundle.jar bundle.jar jane 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1279
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1280
\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1281
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1282
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1283
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1284
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1285
If the keystore to be used is the default keystore (the one named ".keystore" in your home directory), you don't need to specify a keystore, as in:
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1286
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1287
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1288
\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1289
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1290
    jarsigner \-signedjar sbundle.jar bundle.jar jane 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1291
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1292
\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1293
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1294
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1295
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1296
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1297
Finally, if you want the signed JAR file to simply overwrite the input JAR file (\f2bundle.jar\fP), you don't need to specify a \f2\-signedjar\fP option:
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1298
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1299
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1300
\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1301
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1302
    jarsigner bundle.jar jane 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1303
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1304
\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1305
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1306
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1307
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1308
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1309
.SS 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1310
Verifying a Signed JAR File
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1311
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1312
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1313
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1314
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1315
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1316
To verify a signed JAR file, that is, to verify that the signature is valid and the JAR file has not been tampered with, use a command such as the following:
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1317
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1318
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1319
\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1320
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1321
    jarsigner \-verify sbundle.jar 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1322
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1323
\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1324
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1325
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1326
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1327
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1328
If the verification is successful,
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1329
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1330
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1331
\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1332
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1333
    jar verified.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1334
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1335
\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1336
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1337
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1338
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1339
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1340
is displayed. Otherwise, an error message appears.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1341
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1342
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1343
You can get more information if you use the \f2\-verbose\fP option. A sample use of \f3jarsigner\fP with the \f2\-verbose\fP option is shown below, along with sample output:
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1344
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1345
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1346
\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1347
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1348
    jarsigner \-verify \-verbose sbundle.jar
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1349
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1350
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1351
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1352
           198 Fri Sep 26 16:14:06 PDT 1997 META\-INF/MANIFEST.MF
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1353
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1354
           199 Fri Sep 26 16:22:10 PDT 1997 META\-INF/JANE.SF
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1355
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1356
          1013 Fri Sep 26 16:22:10 PDT 1997 META\-INF/JANE.DSA
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1357
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1358
    smk   2752 Fri Sep 26 16:12:30 PDT 1997 AclEx.class
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1359
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1360
    smk    849 Fri Sep 26 16:12:46 PDT 1997 test.class
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1361
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1362
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1363
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1364
      s = signature was verified
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1365
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1366
      m = entry is listed in manifest
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1367
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1368
      k = at least one certificate was found in keystore
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1369
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1370
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1371
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1372
    jar verified.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1373
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1374
\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1375
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1376
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1377
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1378
.SS 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1379
Verification with Certificate Information
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1380
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1381
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1382
If you specify the \f2\-certs\fP option when verifying, along with the \f2\-verify\fP and \f2\-verbose\fP options, the output includes certificate information for each signer of the JAR file, including the certificate type, the signer distinguished name information (iff it's an X.509 certificate), and, in parentheses, the keystore alias for the signer if the public key certificate in the JAR file matches that in a keystore entry. For example,
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1383
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1384
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1385
\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1386
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1387
    jarsigner \-keystore /working/mystore \-verify \-verbose \-certs myTest.jar
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1388
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1389
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1390
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1391
           198 Fri Sep 26 16:14:06 PDT 1997 META\-INF/MANIFEST.MF
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1392
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1393
           199 Fri Sep 26 16:22:10 PDT 1997 META\-INF/JANE.SF
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1394
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1395
          1013 Fri Sep 26 16:22:10 PDT 1997 META\-INF/JANE.DSA
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1396
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1397
           208 Fri Sep 26 16:23:30 PDT 1997 META\-INF/JAVATEST.SF
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1398
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1399
          1087 Fri Sep 26 16:23:30 PDT 1997 META\-INF/JAVATEST.DSA
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1400
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1401
    smk   2752 Fri Sep 26 16:12:30 PDT 1997 Tst.class
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1402
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1403
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1404
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1405
      X.509, CN=Test Group, OU=Java Software, O=Sun Microsystems, L=CUP, S=CA, C=US (javatest)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1406
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1407
      X.509, CN=Jane Smith, OU=Java Software, O=Sun, L=cup, S=ca, C=us (jane)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1408
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1409
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1410
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1411
      s = signature was verified
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1412
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1413
      m = entry is listed in manifest
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1414
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1415
      k = at least one certificate was found in keystore
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1416
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1417
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1418
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1419
    jar verified.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1420
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1421
\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1422
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1423
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1424
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1425
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1426
If the certificate for a signer is not an X.509 certificate, there is no distinguished name information. In that case, just the certificate type and the alias are shown. For example, if the certificate is a PGP certificate, and the alias is "bob", you'd get
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1427
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1428
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1429
\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1430
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1431
      PGP, (bob)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1432
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1433
\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1434
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1435
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1436
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1437
.SS 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1438
Verification of a JAR File that Includes Identity Database Signers
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1439
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1440
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1441
If a JAR file has been signed using the JDK 1.1 \f3javakey\fP tool, and thus the signer is an alias in an identity database, the verification output includes an "i" symbol. If the JAR file has been signed by both an alias in an identity database and an alias in a keystore, both "k" and "i" appear.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1442
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1443
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1444
When the \f2\-certs\fP option is used, any identity database aliases are shown in square brackets rather than the parentheses used for keystore aliases. For example:
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1445
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1446
.nf
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1447
\f3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1448
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1449
    jarsigner \-keystore /working/mystore \-verify \-verbose \-certs writeFile.jar
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1450
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1451
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1452
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1453
           198 Fri Sep 26 16:14:06 PDT 1997 META\-INF/MANIFEST.MF
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1454
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1455
           199 Fri Sep 26 16:22:10 PDT 1997 META\-INF/JANE.SF
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1456
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1457
          1013 Fri Sep 26 16:22:10 PDT 1997 META\-INF/JANE.DSA
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1458
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1459
           199 Fri Sep 27 12:22:30 PDT 1997 META\-INF/DUKE.SF
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1460
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1461
          1013 Fri Sep 27 12:22:30 PDT 1997 META\-INF/DUKE.DSA
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1462
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1463
   smki   2752 Fri Sep 26 16:12:30 PDT 1997 writeFile.html
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1464
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1465
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1466
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1467
      X.509, CN=Jane Smith, OU=Java Software, O=Sun, L=cup, S=ca, C=us (jane)
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1468
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1469
      X.509, CN=Duke, OU=Java Software, O=Sun, L=cup, S=ca, C=us [duke]
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1470
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1471
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1472
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1473
      s = signature was verified
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1474
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1475
      m = entry is listed in manifest
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1476
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1477
      k = at least one certificate was found in keystore
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1478
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1479
      i = at least one certificate was found in identity scope
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1480
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1481
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1482
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1483
    jar verified.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1484
.fl
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1485
\fP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1486
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1487
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1488
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1489
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1490
Note that the alias "duke" is in brackets to denote that it is an identity database alias, not a keystore alias.
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1491
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1492
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1493
.SH "SEE ALSO"
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1494
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1495
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1496
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1497
.RS 3
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1498
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1499
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1500
jar tool documentation 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1501
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1502
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1503
keytool tool documentation 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1504
.TP 2
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1505
o
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1506
the 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1507
.na
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1508
\f4Security\fP @
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1509
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1510
http://java.sun.com/docs/books/tutorial/security1.2/index.html trail of the 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1511
.na
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1512
\f4Java Tutorial\fP @
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1513
.fi
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1514
http://java.sun.com/docs/books/tutorial/trailmap.html for examples of the use of the \f3jarsigner\fP tool 
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1515
.RE
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1516
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1517
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1518
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1519
.LP
90ce3da70b43 Initial load
duke
parents:
diff changeset
  1520