Reasons why you’d want to bother self-signing a Java archive:
- Deploying your application with Java Web Start (perhaps an under-rated technology)
- Verifying the integrity of the archive
You don’t really need Eclipse, but if it’s the environment you usually work in, you get the bonus of avoiding a command line. This has been tested on Eclipse 3.6 Helios, but probably works on prior versions too.
Creating the JAR signature keystore
- Find the file keytool.exe that the Java Development Kit installs. In Windows 7 (64-bit) this will be
C:\Program Files (x86)\Java\jdk1.6.0_20\bin\keytool.exe
To make things simple, we’re going to place it somewhere easily accessible with write permissions, like our desktop. Copy keytool.exe there.
- We’re going to need the command line (only once, I promise!).
Windows 7 (only?) shortcut: Since we placed it on the desktop, hold Shift+right-click, and choose “Open command window here”.
- Enter the following, replacing ALIAS with a short name and KEYSTORE_FILE with the file to save to. Follow the on-screen prompts to complete the creation.
keytool -genkey -alias ALIAS -keystore KEYSTORE_FILE
Creating the ANT script
- Have a Java project already in your Eclipse workspace, and run it at least once so a Run configuration has been created.
- Right-click the project and select “Export…” –> Java/JAR File or Java/Runnable JAR File.
- Select an appropriate Run configuration. Choose and select a file location within the project directory to save an ANT script at. Click “Finish”.
Note: if you saved the file within a project directory, you may need to refresh Eclipse’s listing by right-clicking the corresponding project and choosing “Refresh”.
- Edit the file by double-clicking it, or by dragging its icon to the editor pane. On a new line between the </jar> and </target>, add the following line, where JAR_FILE is the same value as <jar destfile= is set to, ALIAS is the alias and KEYSTORE_FILE a full or relative path to the keystore file from keystore creation, and KEYSTORE_PASS is the password from keytool’s on-screen prompt:
<signjar jar="JAR_FILE" alias="ALIAS" keystore="KEYSTORE_FILE" storepass="KEYSTORE_PASS"/>
Running the ANT script
Right-click the ANT script in Eclipse, and choose “Run As…->Ant Build”.
This compiles, packages and signs the Java project in its current workspace state.
Eclipse ANT shortcut: highlight the script icon, or have the editor window in focus and press Ctrl+Alt+X (a popup appears) and press Q.
Known issues and tips
- An error regarding duplicate META-INF/LICENSE or similar files may occur if another jar on the project build path contains files of the same name. You can use an archive editor like 7-zip to open those jar files to rename conflicting files (refresh the project after updating the jar to detect the changes).
- Changes to the build path or required dependencies do not modify this script. Sometimes you can guess the appropriate modifications, or repeat the ANT script creation.
- If placing the project under source control, you can consider excluding these files, or simply commit the ANT script while leaving the KEYSTORE_FILE uncommitted. The script holds KEYSTORE_PASS in plain text, so committing it assumes that password is not sensitive.
- By limitation of the jar signing tool, your self-signed certificate will expire 6 months from the sign date, which means it needs to be periodically renewed if deployed over Java Web Start to allow the application to continue running.
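For the source-control tip above, the signjar line can read its values from a properties file instead of carrying KEYSTORE_PASS in the script. This is an added example, not part of the original post or of the script Eclipse generates. The file name signing.properties, the property names and the target names are assumptions; JAR_FILE is the same placeholder used earlier.

```xml
<project name="sign-example" default="sign" basedir=".">

    <!-- Hypothetical file, kept out of source control next to KEYSTORE_FILE.
         It contains three lines:
           keystore.file=KEYSTORE_FILE
           keystore.alias=ALIAS
           keystore.pass=KEYSTORE_PASS -->
    <property file="signing.properties"/>

    <!-- Same value as the destfile attribute of the <jar> task. -->
    <property name="jar.file" value="JAR_FILE"/>

    <!-- Stop early with a readable message when the properties file is
         missing or incomplete, rather than failing inside signjar. -->
    <target name="check-signing-config">
        <fail unless="keystore.file"
              message="keystore.file is not set; create signing.properties"/>
        <fail unless="keystore.alias"
              message="keystore.alias is not set; create signing.properties"/>
        <fail unless="keystore.pass"
              message="keystore.pass is not set; create signing.properties"/>
    </target>

    <target name="sign" depends="check-signing-config">
        <!-- Before: the password is stored in the committed script.
             <signjar jar="JAR_FILE" alias="ALIAS"
                      keystore="KEYSTORE_FILE" storepass="KEYSTORE_PASS"/> -->

        <!-- After: the script only names properties, so it can be committed. -->
        <signjar jar="${jar.file}"
                 alias="${keystore.alias}"
                 keystore="${keystore.file}"
                 storepass="${keystore.pass}"/>

        <!-- Fail the build if the archive that was just written does not
             verify against the same keystore. -->
        <verifyjar jar="${jar.file}"
                   alias="${keystore.alias}"
                   keystore="${keystore.file}"
                   storepass="${keystore.pass}"
                   certificates="true"
                   verbose="true"/>
    </target>
</project>
```

In the Eclipse-generated script, the property line goes near the top of the project element and the signjar and verifyjar elements go between </jar> and </target>, as in the step above.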