Jsign is a Java implementation of Microsoft Authenticode that lets you sign and timestamp executable files for Windows. Jsign is platform independent and provides an alternative to native tools like signcode/signtool on Windows or the Mono development tools on Unix systems.
Jsign comes as an easy-to-use Ant task that can be integrated into any automated build. It's especially suitable for signing executable wrappers and installers generated by tools like NSIS, exe4j, launch4j or JSmooth. Jsign can also be used with Maven using the Antrun plugin, or standalone as a command line tool.
Jsign is free to use and licensed under the Apache License version 2.0.
Ant Task
Here is an example showing how the signing works with Ant, using a Java keystore:
```xml
<taskdef name="signexe" classname="net.jsign.PESignerTask" classpath="jsign-1.2.jar"/>

<signexe file="application.exe"
         name="My Application"
         url="http://www.example.com"
         keystore="keystore.jks"
         alias="test"
         storepass="password"
         tsaurl="http://timestamp.comodoca.com/authenticode"/>
```
Another example with SPC and PVK files commonly used with signcode.exe:
```xml
<signexe file="application.exe"
         certfile="certificate.spc"
         keyfile="key.pvk"
         keypass="password"
         tsaurl="http://timestamp.verisign.com/scripts/timstamp.dll"/>
```
| Attribute | Description | Required |
|---|---|---|
| file | The executable file to be signed. | Yes. |
| name | The name of the application | No |
| url | The URL of the application | No |
| keystore | The keystore file | Yes, unless certfile and keyfile are specified. |
| storepass | The password to open the keystore | No |
| storetype | The type of the keystore: JKS (Java keystore, .jks files) or PKCS12 (standard PKCS#12 keystore, .p12 or .pfx files). | No; defaults to "JKS". |
| alias | The alias of the certificate used for signing in the keystore. Java code signing certificates can be used for Authenticode signatures. | Yes, if keystore is specified |
| certfile | The file containing the PKCS#7 certificate chain (.p7b or .spc files). | Yes, unless keystore is specified. |
| keyfile | The file containing the private key. Only PVK files are supported. | Yes, unless keystore is specified. |
| keypass | The password of the private key. When using a keystore, this parameter can be omitted if the keystore shares the same password. | No |
| tsaurl | The URL of the timestamping authority. RFC 3161 servers used for jar signing are not compatible with Authenticode signatures. You can use the COMODO (http://timestamp.comodoca.com/authenticode) or the Verisign (http://timestamp.verisign.com/scripts/timstamp.dll) services. | No |
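The Ant examples above put the keystore password directly in the build file. As an added example (not taken from the Jsign documentation), the same `signexe` call can read the password from the environment so that it stays out of version control; the variable name `SIGN_STOREPASS` and the project and target names are assumptions:

```xml
<project name="sign-example" default="sign" basedir=".">

  <!-- Expose environment variables as env.* properties (standard Ant feature). -->
  <property environment="env"/>

  <!-- Same task definition as in the Jsign example above. -->
  <taskdef name="signexe" classname="net.jsign.PESignerTask" classpath="jsign-1.2.jar"/>

  <target name="sign">
    <!-- Stop early with a clear message if the secret was not provided,
         instead of trying to open the keystore with an unresolved property. -->
    <fail unless="env.SIGN_STOREPASS"
          message="SIGN_STOREPASS is not set; refusing to sign."/>

    <!-- Attributes are those documented in the table above;
         only the source of the password differs. -->
    <signexe file="application.exe"
             name="My Application"
             url="http://www.example.com"
             keystore="keystore.jks"
             alias="test"
             storepass="${env.SIGN_STOREPASS}"
             tsaurl="http://timestamp.comodoca.com/authenticode"/>
  </target>

</project>
```

Set the variable from the CI system's secret store or the invoking shell before running `ant sign`.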
Command Line Tool
Jsign can also be used as a command line tool. A Debian package and an RPM package are provided to install it easily on most Linux distributions. On these systems the command line is invoked with:
```
pesign [OPTIONS] FILE
```
On other systems the command line is invoked by running the jar with:
```
java -jar jsign-1.2.jar [OPTIONS] FILE
```
The parameters expected are the same as those used by the Ant task:
```
usage: pesign [OPTIONS] FILE
Sign and timestamp a Windows executable file.

 -s,--keystore <FILE>       The keystore file
    --storepass <PASSWORD>  The password to open the keystore
    --storetype <TYPE>      The type of the keystore:
                            - JKS: Java keystore (.jks files)
                            - PKCS12: Standard PKCS#12 keystore (.p12 or .pfx files)
 -a,--alias <NAME>          The alias of the certificate used for signing in the keystore.
    --keypass <PASSWORD>    The password of the private key. When using a keystore,
                            this parameter can be omitted if the keystore shares the
                            same password.
    --keyfile <FILE>        The file containing the private key. Only PVK files are supported.
 -c,--certfile <FILE>       The file containing the PKCS#7 certificate chain
                            (.p7b or .spc files).
 -t,--tsaurl <URL>          The URL of the timestamping authority. RFC 3161 servers
                            used for jar signing are not compatible with Authenticode
                            signatures. You can use the COMODO or the Verisign services:
                            - http://timestamp.comodoca.com/authenticode
                            - http://timestamp.verisign.com/scripts/timstamp.dll
 -n,--name <NAME>           The name of the application
 -u,--url <URL>             The URL of the application
 -h,--help                  Print the help
```
Example using a Java keystore:
```
pesign --keystore keystore.jks --alias test --storepass password \
       --tsaurl http://timestamp.comodoca.com/authenticode application.exe
```
Example using SPC/PVK files:
```
pesign --certfile certificate.spc --keyfile key.pvk --keypass password application.exe
```
API
Jsign also provides a simple API for signing executable files and can be embedded in another application.
See the Javadoc
Downloads
- jsign_1.2_all.deb - Jsign command line tool for Debian/Ubuntu
- jsign-1.2-1.noarch.rpm - Jsign command line tool for RedHat/Fedora/CentOS
- jsign-1.2.jar - Jsign Ant Task
Credits
Jsign leverages the APIs developed by the Bouncy Castle project.
PVK parsing is based on the pvktool by Stephen N Henson.
Contact
Emmanuel Bourg (ebourg@apache.org, @smanux)