pub struct JarSigner { /* private fields */ }
Signs and verifies Java Archive (JAR) files

Implementations

JarFile

The JAR file to be signed.

If you also specified the -strict option, and the jarsigner command detected severe warnings, the message, “jar signed, with signer errors” is displayed.

Alias

The aliases are defined in the keystore specified by -keystore or the default keystore

Specifies the URL that tells the keystore location. This defaults to the file .keystore in the user’s home directory, as determined by the user.home system property. A keystore is required when signing. You must explicitly specify a keystore when the default keystore does not exist or if you want to use one other than the default. A keystore is not required when verifying, but if one is specified or the default exists and the -verbose option was also specified, then additional information is output regarding whether or not any of the certificates used to verify the JAR file are contained in that keystore. The -keystore argument can be a file name and path specification rather than a URL, in which case it is treated the same as a file: URL, for example, the following are equivalent:

* `-keystore filePathAndName`
* `-keystore file:filePathAndName`

If the Sun PKCS #11 provider was configured in the java.security security properties file (located in the JRE’s $JAVA_HOME/lib/security directory), then the keytool and jarsigner tools can operate on the PKCS #11 token by specifying these options:

* `-keystore NONE`
* `-storetype PKCS11`

For example, the following command lists the contents of the configured PKCS#11 token:

* `keytool -keystore NONE -storetype PKCS11 -list`

Specifies the password that is required to access the keystore. This is only needed when signing (not verifying) a JAR file. In that case, if a -storepass option is not provided at the command line, then the user is prompted for the password. If the modifier env or file is not specified, then the password has the value argument. Otherwise, the password is retrieved as follows:

  • env: Retrieve the password from the environment variable named argument
  • file: Retrieve the password from the file named argument

Specifies the type of keystore to be instantiated. The default keystore type is the one that is specified as the value of the keystore.type property in the security properties file, which is returned by the static getDefaultType method in java.security.KeyStore. The PIN for a PKCS #11 token can also be specified with the -storepass option. If none is specified, then the keytool and jarsigner commands prompt for the token PIN. If the token has a protected authentication path (such as a dedicated PIN-pad or a biometric reader), then the -protected option must be specified and no password options can be specified.

Specifies the password used to protect the private key of the keystore entry addressed by the alias specified on the command line. The password is required when using jarsigner to sign a JAR file. If no password is provided on the command line, and the required password is different from the store password, then the user is prompted for it

If the modifier env or file is not specified, then the password has the value argument. Otherwise, the password is retrieved as follows:

  • env: Retrieve the password from the environment variable named argument
  • file: Retrieve the password from the file named argument

Note

The password should not be specified on the command line or in a script unless it is for testing purposes, or you are on a secure system
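
The env and file modifiers keep the secret itself out of the argument list. The following is an added example, not part of this crate's API: `PasswordSource`, `password_args` and `inline_password_flags` are hypothetical names, and the modifier is written in jarsigner's `-storepass:env NAME` / `-storepass:file PATH` form. It builds the option pair and flags any argument vector that still carries a literal password.

```rust
/// Where jarsigner should obtain a password (hypothetical helper type).
pub enum PasswordSource {
    /// Name of an environment variable holding the password.
    Env(String),
    /// Path of a file holding the password.
    File(String),
    /// Literal password: ends up in the process list and shell history.
    Inline(String),
}

/// Build the two arguments for `option` ("-storepass" or "-keypass").
pub fn password_args(option: &str, src: &PasswordSource) -> Vec<String> {
    let (flag, value) = match src {
        PasswordSource::Env(var) => (format!("{}:env", option), var),
        PasswordSource::File(path) => (format!("{}:file", option), path),
        PasswordSource::Inline(pw) => (option.to_string(), pw),
    };
    vec![flag, value.clone()]
}

/// Return the password options in `argv` that are given without a modifier,
/// i.e. whose following argument is the password itself.
pub fn inline_password_flags(argv: &[String]) -> Vec<&str> {
    argv.iter()
        .map(String::as_str)
        .filter(|a| *a == "-storepass" || *a == "-keypass")
        .collect()
}

fn main() {
    // Constructed sample: variable name, paths and alias are made up.
    let mut argv = vec!["-keystore".to_string(), "release.jks".to_string()];
    argv.extend(password_args("-storepass", &PasswordSource::Env("KS_PASS".to_string())));
    argv.extend(password_args("-keypass", &PasswordSource::File("/run/secrets/key_pass".to_string())));
    argv.extend(vec!["app.jar".to_string(), "release".to_string()]);
    println!("jarsigner {}", argv.join(" "));
    // No literal password is present in the assembled command line.
    assert!(inline_password_flags(&argv).is_empty());
}
```
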

Specifies the certificate chain to be used when the certificate chain associated with the private key of the keystore entry that is addressed by the alias specified on the command line is not complete. This can happen when the keystore is located on a hardware token where there is not enough capacity to hold a complete certificate chain. The file can be a sequence of concatenated X.509 certificates, or a single PKCS#7 formatted data block, either in binary encoding format or in printable encoding format (also known as Base64 encoding) as defined by the Internet RFC 1421 standard

Specifies the base file name to be used for the generated .SF and .DSA files. For example, if file is DUKESIGN, then the generated .SF and .DSA files are named DUKESIGN.SF and DUKESIGN.DSA, and placed in the META-INF directory of the signed JAR file

The characters in the file must come from the set a-zA-Z0-9_-. Only letters, numbers, underscore, and hyphen characters are allowed. All lowercase characters are converted to uppercase for the .SF and .DSA file names

If no -sigfile option appears on the command line, then the base file name for the .SF and .DSA files is the first 8 characters of the alias name specified on the command line, all converted to upper case. If the alias name has fewer than 8 characters, then the full alias name is used. If the alias name contains any characters that are not valid in a signature file name, then each such character is converted to an underscore (_) character to form the file name
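
The naming rules above, written out as an added example (not code from this crate; all function names are hypothetical). It also shows a consequence of the 8-character truncation: aliases that share their first 8 characters map to the same default .SF/.DSA names unless -sigfile is given.

```rust
use std::collections::BTreeMap;

/// Characters allowed in a signature file name: a-zA-Z0-9_-
fn is_valid(c: char) -> bool {
    c.is_ascii_alphanumeric() || c == '_' || c == '-'
}

/// Default base name: first 8 characters of the alias, upper-cased, with
/// every character outside the allowed set replaced by an underscore.
pub fn default_base_name(alias: &str) -> String {
    alias
        .chars()
        .take(8)
        .map(|c| if is_valid(c) { c.to_ascii_uppercase() } else { '_' })
        .collect()
}

/// Base name of the .SF/.DSA files for an optional -sigfile value.
pub fn signature_base_name(alias: &str, sigfile: Option<&str>) -> Result<String, String> {
    match sigfile {
        // Rejecting an empty name is an assumption of this example.
        Some(name) if !name.is_empty() && name.chars().all(is_valid) => {
            Ok(name.to_ascii_uppercase())
        }
        Some(name) => Err(format!("invalid -sigfile value: {:?}", name)),
        None => Ok(default_base_name(alias)),
    }
}

/// Default base names shared by more than one alias, with those aliases.
pub fn colliding_aliases<'a>(aliases: &[&'a str]) -> Vec<(String, Vec<&'a str>)> {
    let mut by_name: BTreeMap<String, Vec<&'a str>> = BTreeMap::new();
    for &alias in aliases {
        by_name.entry(default_base_name(alias)).or_default().push(alias);
    }
    by_name.into_iter().filter(|(_, v)| v.len() > 1).collect()
}

fn main() {
    // Constructed alias names, not taken from any real keystore.
    let aliases = ["release-key-2023", "release-key-2024", "duke"];
    for (name, group) in colliding_aliases(&aliases) {
        println!("META-INF/{}.SF shared by {:?}", name, group);
    }
}
```
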

Name of signed JAR file

Name of digest algorithm

Specifies the name of the signature algorithm to use to sign the JAR file

For a list of standard signature algorithm names, see “Appendix A: Standard Names” in the Java Cryptography Architecture (JCA) Reference Guide at http://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#AppA

This algorithm must be compatible with the private key used to sign the JAR file. If this option is not specified, then SHA1withDSA, SHA256withRSA, or SHA256withECDSA are used depending on the type of private key. There must either be a statically installed provider supplying an implementation of the specified algorithm or the user must specify one with the -providerClass option; otherwise, the command will not succeed

When the -verbose option appears on the command line, it indicates verbose mode, which causes jarsigner to output extra information about the progress of the JAR signing or verification

If the -certs option appears on the command line with the -verify and -verbose options, then the output includes certificate information for each signer of the JAR file. This information includes the name of the type of certificate (stored in the .DSA file) that certifies the signer’s public key, and if the certificate is an X.509 certificate (an instance of the java.security.cert.X509Certificate), then the distinguished name of the signer

The keystore is also examined. If no keystore value is specified on the command line, then the default keystore file (if any) is checked. If the public key certificate for a signer matches an entry in the keystore, then the alias name for the keystore entry for that signer is displayed in parentheses

Enable certificate revocation check

If -tsa appears on the command line when signing a JAR file, then a time stamp is generated for the signature. The URL identifies the location of the Time Stamping Authority (TSA) and overrides any URL found with the -tsacert option. The -tsa option does not require the TSA public key certificate to be present in the keystore

To generate the time stamp, jarsigner communicates with the TSA with the Time-Stamp Protocol (TSP) defined in RFC 3161. When successful, the time stamp token returned by the TSA is stored with the signature in the signature block file

When -tsacert alias appears on the command line when signing a JAR file, a time stamp is generated for the signature. The alias identifies the TSA public key certificate in the keystore that is in effect. The entry’s certificate is examined for a Subject Information Access extension that contains a URL identifying the location of the TSA

The TSA public key certificate must be present in the keystore when using the -tsacert option

TSAPolicyID for Timestamping Authority

Algorithm of digest data in timestamping request

Class name of an alternative signing mechanism (This option is deprecated and will be removed in a future release.)

Location of an alternative signing mechanism (This option is deprecated and will be removed in a future release.)

Include the .SF file inside the signature block

Don’t compute hash of entire manifest

Keystore has protected authentication path

Provider name

Add security provider by name (e.g. SunPKCS11). Add security provider by fully-qualified class name

Configure argument for -addprovider

Configure argument for -providerClass

Treat warnings as errors

Specify a pre-configured options file

The -verify option can take zero or more keystore alias names after the JAR file name. When the -verify option is specified, the jarsigner command checks that the certificate used to verify each signed entry in the JAR file matches one of the keystore aliases. The aliases are defined in the keystore specified by -keystore or the default keystore.

If you also specified the -strict option, and the jarsigner command detected severe warnings, the message, “jar verified, with signer errors” is displayed

Print this help message

Print this help message

Runs jarsigner commands and signs a JAR file with arguments

Trait Implementations

Returns a copy of the value.

Performs copy-assignment from source.

Returns the “default value” for a type.
