Automate jar signing in Eclipse with Apache Ant

Reasons why you’d want to bother self-signing a Java archive:

• Deploying your application with Java Web Start (perhaps an under-rated technology)
• Verifying the integrity of the archive

You don’t really need Eclipse, but it’s the environment you usually work in, then you get a bonus of avoiding a command line. This has been tested on Eclipse 3.6 Helios, but probably works on prior versions too.

Creating the JAR signature keystore

1. Find the file keytool.exe that the Java Development Kit installs. In Windows 7 (64-bit) this will be
   C:\Program Files (x86)\Java\jdk1.6.0_20\bin\keytool.exe

   To make things simple, we’re going to place it somewhere easily accessible with write permissions, like our desktop. Copy keytool.exe there.

2. We’re going to need the command line (only once, I promise!).
   Windows 7 (only?) shortcut: Since we placed it on the desktop, hold Shift+right-click, and choose “Open command window here”.
3. Enter in the following, replacing ALIAS with a short name and KEYSTORE_FILE with the file to save to. Follow the on-screen prompts to complete the creation.
   keytool -genkey -alias ALIAS -keystore KEYSTORE_FILE
   

Creating the ANT script

1. Have a Java project already in your Eclipse workspace, and run it at least once so a Run configuration has been created.
2. Right-click the project and select “Export…” –> Java/JAR File or Java/Runnable JAR File.
3. Select an appropriate Run configuration. Choose and select a file location within the project directory to save an ANT script at. Click “Finish”.
   Note: if you saved the file within a project directory, you may need to refresh Eclipse’s listing by right-clicking the corresponding project and choosing “Refresh”.
   
4. Edit the file by double-clicking, or dragging it’s icon to the editor pane. On a new line between the </jar> and </target>, add the following line, where JAR_FILE is the same as what <jar destfile= is equal to, ALIAS and a full or relative path to KEYSTORE_FILE from keystore creation, and KEYSTORE_PASS from keytool’s on-screen prompt:
   <signjar jar="JAR_FILE" alias="ALIAS" keystore="KEYSTORE_FILE" storepass="KEYSTORE_PASS"/>

Running the ANT script.

Right-click the ANT script in Eclipse, and choose “Run As…->Ant Build”.
This compiles, packages and signs the Java project in its current workspace state.

Eclipse ANT shortcut: highlight the script icon, or have the editor window in focus and press Ctrl+Alt+X (a popup appears) and press Q.

Known issues and tips.

• An error regarding duplicate META-INF/LICENSE or similar files may occur if another jar on the project build path contains files of the same name. You can use an archive editor like 7-zip to open those jar files to rename conflicting files (refresh the project after updating the jar to detect the changes).
• Changes to the build path or required dependencies do not modify this script. Sometimes you can guess the appropriate modifications, or repeat the ANT script creation.
• If placing the project under source control, you can consider excluding these files, or simply commit the ANT script while leaving the KEYSTORE_FILE uncommitted (assuming KEYSTORE_PASS is not sensitive).
• By limitation of the jar signing tool, your self-signed certificate will expire 6-months from the sign date, which means it needs to be periodically renewed if deployed over Java Web Start to allow the application to continue running.

Advertisement