Jsign is a Java implementation of Microsoft Authenticode that lets you sign and timestamp executable files for Windows. Jsign is platform independent and provides an alternative to native tools like signcode/signtool on Windows or the Mono development tools on Unix systems.
Jsign comes as an easy to use task/plugin for the main build systems (Maven, Gradle, Ant). It's especially suitable for signing executable wrappers and installers generated by tools like NSIS, exe4j, launch4j or JSmooth. Jsign can also be used programmatically or standalone as a command line tool.
Jsign is free to use and licensed under the Apache License version 2.0.
Ant Task
Here is an example showing how the signing works with Ant, using a Java keystore:
<taskdef name="signexe" classname="net.jsign.PESignerTask" classpath="jsign-2.1.jar"/>
<signexe file="application.exe"
name="My Application"
url="http://www.example.com"
keystore="keystore.jks"
alias="test"
storepass="password"
tsaurl="http://timestamp.comodoca.com/authenticode"/>
Another example with SPC and PVK files commonly used with signcode.exe:
<signexe file="application.exe"
certfile="certificate.spc"
keyfile="key.pvk"
keypass="password"
tsaurl="http://timestamp.verisign.com/scripts/timstamp.dll"/>
| Attribute | Description | Required |
|---|---|---|
| file | The executable file to be signed. | Yes. |
| name | The name of the application | No |
| url | The URL of the application | No |
| keystore | The keystore file, or the SunPKCS11 configuration file | Yes, unless certfile and keyfile are specified. |
| storepass | The password to open the keystore | No |
| storetype |
The type of the keystore:
|
No; defaults to "JKS". |
| alias | The alias of the certificate used for signing in the keystore. Java code signing certificates can be used for Authenticode signatures. | Yes, if keystore is specified |
| certfile | The file containing the PKCS#7 certificate chain (.p7b or .spc files). |
Yes, unless keystore is specified. |
| keyfile |
The file containing the private key. PEM and PVK files are supported.
|
|
| keypass | The password of the private key. When using a keystore, this parameter can be omitted if the keystore shares the same password. | No |
| alg | The digest algorithm (SHA-1, SHA-256, SHA-384 or SHA-512) | No; defaults to SHA-256 |
| tsaurl | The URL of the timestamping authority, either RFC 3161 or Authenticode services. You can use for example the COMODO (http://timestamp.comodoca.com/authenticode) or the Verisign (http://timestamp.verisign.com/scripts/timstamp.dll) services. | No |
| tsmode | The timestamping mode (RFC3161 or Authenticode) | No; defaults to Authenticode |
| tsretries | The number of retries for timestamping | No; defaults to 3 |
| tsretrywait | The number of seconds to wait between timestamping retries | No; defaults to 10 seconds |
| replace | Tells if previous signatures should be replaced. | No; defaults to "false" |
Maven plugin
Here is an example showing how the signing works with Maven. The parameters are the same as those described above for the Ant task.
<build>
<plugins>
<plugin>
<groupId>net.jsign</groupId>
<artifactId>jsign-maven-plugin</artifactId>
<version>2.1</version>
<executions>
<execution>
<goals>
<goal>sign</goal>
</goals>
<phase>package</phase>
<configuration>
<file>application.exe</file>
<name>My Application</name>
<url>http://www.example.com</url>
<keystore>keystore.jks</keystore>
<alias>test</alias>
<storepass>password</storepass>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
Gradle plugin
Here is an example showing how to use Jsign with Gradle. The parameters are the same as those described above for the Ant task.
buildscript {
dependencies {
classpath 'net.jsign:jsign-gradle-plugin:2.1'
}
}
apply plugin: 'net.jsign'
task sign << {
signexe(file : 'application.exe',
name : 'My Application',
url : 'http://www.example.com',
keystore : 'keystore.p12',
alias : 'test',
storepass : 'secret',
tsaurl : 'http://timestamp.comodoca.com/authenticode')
}
Command Line Tool
Jsign can also be used as a command line tool. A Debian package and a RPM package are provided to install it easily on most Linux distributions. On these systems the command line is invoked with:
pesign [OPTIONS] FILE
On other systems the command line is invoked by running the jar with:
java -jar jsign-2.1.jar [OPTIONS] FILE
The parameters expected are the same as those used by the Ant task:
usage: pesign [OPTIONS] FILE
Sign and timestamp a Windows executable file.
-s,--keystore <FILE> The keystore file, or the SunPKCS11 configuration file
--storepass <PASSWORD> The password to open the keystore
--storetype <TYPE> The type of the keystore:
- JKS: Java keystore (.jks files)
- PKCS12: Standard PKCS#12 keystore (.p12 or .pfx files)
- PKCS11: PKCS#11 hardware token
-a,--alias <NAME> The alias of the certificate used for signing in the keystore.
--keypass <PASSWORD> The password of the private key. When using a keystore,
this parameter can be omitted if the keystore shares the
same password.
--keyfile <FILE> The file containing the private key (supports PEM & PVK files)
-c,--certfile <FILE> The file containing the PKCS#7 certificate chain
(.p7b or .spc files).
-d,--alg <ALGORITHM> The digest algorithm (SHA-1, SHA-256, SHA-384 or SHA-512)
-t,--tsaurl <URL> The URL of the timestamping authority.
-m,--tsmode <MODE> The timestamping mode (RFC3161 or Authenticode)
-r,--tsretries <NUMBER> The number of retries for timestamping
-w,--tsretrywait <SECONDS> The number of seconds to wait between timestamping retries
-n,--name <NAME> The name of the application
-u,--url <URL> The URL of the application
--proxyUrl <URL> The URL of the HTTP proxy
--proxyUser <NAME> The user for the HTTP proxy. If an user is needed.
--proxyPass <PASSWORD> The password for the HTTP proxy user. If an user is needed.
--replace Tells if previous signatures should be replaced.
-h,--help Print the help
Example using a Java keystore:
pesign --keystore keystore.jks --alias test --storepass password \
--tsaurl http://timestamp.comodoca.com/authenticode application.exe
Example using SPC/PVK files:
pesign --certfile certificate.spc --keyfile key.pvk --keypass password application.exe
API
Jsign also provides a simple API for signing executable files and can be embedded in another application.
Simply add this dependency to the project:
<dependency>
<groupId>net.jsign</groupId>
<artifactId>jsign-core</artifactId>
<version>2.1</version>
</dependency>
and then use the PESigner class like this:
KeyStore keystore = KeyStoreUtils.load(new File("keystore.p12"), "PKCS12", "password", null);
PESigner signer = new PESigner(keystore, "test", "secret");
signer.withProgramName("My Application")
.withProgramURL("http://www.example.com")
.withTimestamping(true)
.withTimestampingAutority("http://timestamp.comodoca.com/authenticode");
signer.sign(new PEFile(new File("application.exe")));
See the Javadoc for more details about the API.
Downloads
- jsign_2.1_all.deb - Jsign command line tool for Debian/Ubuntu
- jsign-2.1-1.noarch.rpm - Jsign command line tool for RedHat/Fedora/CentOS
- jsign-2.1.jar - Jsign Ant Task
Credits
Jsign leverages the APIs developed by the Bouncy Castle project.
PVK parsing is based on the pvktool by Stephen N Henson.
Jsign includes contributions from Emmanuel Bourg, Florent Daigniere, Michael Szediwy, Michael Peterson, Markus KilÄs and Erwin Tratar.
Contact
Emmanuel Bourg (ebourg@apache.org, @smanux)