Several Enhancements for JarSigner
By Weijun on Apr 20, 2009
First, jarsigner accepts a new option, -certchain file, to use a certificate chain from an external file. People can use PKCS #11 tokens to store their private keys. Some of these tokens are so small that there is no room to store the certificate chain inside them. Although you can access such a token with KeyStore.getInstance("pkcs11"), the getCertificateChain() method returns nothing. Now you can use jarsigner with this kind of token: use the token as the keystore, but point -certchain at another file that contains the full chain.
Second, people see jarsigner show warnings now and then, such as a certificate having expired or a keyusage not being correct. If they want to know about these warnings when jarsigner is called from a script, their only choice is to grep the output for the words. Now, if you add a new option
- 2: hasExpiringCert
- 4: chainNotValidated (including hasExpiredCert, notYetValidCert)
- 8: Usages problems (including badKeyUsage, badExtendedKeyUsage, badNetscapeCertType)
- 16: hasUnsignedEntry
- 32: notSignedByAlias or aliasNotInStore
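The two features above, as a small POSIX sh wrapper. This is an added example, not code from the post or from the JDK: it assumes the warning option is -strict (the name this feature shipped under in later JDKs; the post does not name it) and that the values listed above are OR-ed together into jarsigner's exit status, which is how the powers of two read but is not stated on the page. The PKCS #11 token options (-keystore NONE -storetype PKCS11, with the provider configured in java.security) and the chain file path are choices of this example.

```shell
#!/bin/sh
# Added example: wrap jarsigner so a script can act on its warnings
# instead of grepping for words. Assumed, not stated in the post:
#   - the option is -strict and the exit status is the OR of the values
#     2 (hasExpiringCert), 4 (chainNotValidated, incl. hasExpiredCert and
#     notYetValidCert), 8 (badKeyUsage/badExtendedKeyUsage/badNetscapeCertType),
#     16 (hasUnsignedEntry), 32 (notSignedByAlias/aliasNotInStore)
#   - the PKCS #11 provider is already configured in java.security

# Split a combined status into the names of the warning flags it carries.
jarsigner_warnings() {
    status=$1
    names=""
    [ $((status & 2)) -ne 0 ]  && names="$names hasExpiringCert"
    [ $((status & 4)) -ne 0 ]  && names="$names chainNotValidated"
    [ $((status & 8)) -ne 0 ]  && names="$names usageProblem"
    [ $((status & 16)) -ne 0 ] && names="$names hasUnsignedEntry"
    [ $((status & 32)) -ne 0 ] && names="$names notSignedByAlias"
    printf '%s\n' "${names# }"
}

# Build-gate policy: a certificate that is merely about to expire is
# tolerated (renew it soon); any other non-zero bit, including a plain
# command failure, means the jar must not ship. Returns 0 to accept.
jarsigner_acceptable() {
    status=$1
    [ $((status & ~2)) -eq 0 ]
}

# Sign with a private key on a PKCS #11 token that has no room for the
# certificate chain; the chain comes from a separate file via -certchain.
sign_with_token() {
    jar=$1
    alias=$2
    chain=$3   # e.g. a PKCS#7 or concatenated X.509 file holding the full chain
    jarsigner -keystore NONE -storetype PKCS11 -certchain "$chain" \
        "$jar" "$alias"
}

# Verify a jar with the warning option on, print the decoded warnings and
# return the policy decision. Output is discarded; only the status matters.
verify_signed_jar() {
    jar=$1
    rc=0
    jarsigner -verify -strict "$jar" >/dev/null 2>&1 || rc=$?
    warnings=$(jarsigner_warnings "$rc")
    printf '%s: status %d%s\n' "$jar" "$rc" "${warnings:+ ($warnings)}"
    jarsigner_acceptable "$rc"
}

# Run as "sh this.sh some.jar" to verify a jar; no arguments just defines
# the functions so they can be sourced elsewhere.
if [ $# -ge 1 ]; then
    verify_signed_jar "$1"
fi
```

The decoder is deliberately separate from the jarsigner call so that the policy can be unit tested without a signed jar or a token present, and so the same mapping can be reused for a signing step that is run with the same option.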
Third, people complain that jarsigner shows too little or too much output when verifying. If you simply verify a jarfile, it might tell you there are some warnings and to call it with -verbose -certs to read the details. You verify again with those two options on, and huala... thousands of lines fly past and you cannot catch a word. Now -verbose has sub-options so you can tell it precisely how verbose the output should be:
- -verbose:all, this is the default -verbose, which shows as much information as it did before
- -verbose:grouped, this shows less information. The entries with the same signer info are grouped together. This means the names of the entries are listed together, with the signer info only printed once. Something like this:
smk A.class
smk B.class
...
    Certificate A (CN=A, OU=B)
- -verbose:summary. This is the simplest one. Besides grouping the entries with the same signer info together, not all the entry names are printed, only one line of summary. Something like this:
smk A.class (and N-1 more)
    Certificate A (CN=A, OU=B)
Using this option, unless your jar file is signed by dozens of different signers, no matter how many entries are inside, the output should not exceed two screens.