View on GitHub

Jsign

Java implementation of Microsoft Authenticode
for signing Windows executable files, installers and scripts

Download Jsign

Jsign is a Java implementation of Microsoft Authenticode that lets you sign and timestamp executable files for Windows, Microsoft Installers (MSI) and scripts (PowerShell, VBScript, JScript, WSF). Jsign is platform independent and provides an alternative to native tools like signcode/signtool on Windows or the Mono development tools on Unix systems.

Jsign comes as an easy to use task/plugin for the main build systems (Maven, Gradle, Ant). It's especially suitable for signing executable wrappers and installers generated by tools like NSIS, msitools, install4j, exe4j or launch4j. Jsign can also be used programmatically or standalone as a command line tool.

Jsign is free to use and licensed under the Apache License version 2.0.

Features

Platform independent signing of Windows executables, DLLs, Microsoft Installers (MSI) and scripts (PowerShell, VBScript, JScript, WSF)
Timestamping with retries and fallback on alternative servers (RFC 3161 and Authenticode protocols supported)
Supports multiple signatures per file, for all file types
Hashing algorithms: MD5, SHA-1, SHA-256, SHA-384 and SHA-512
Keystores supported: PKCS#12, JKS and PKCS#11 hardware tokens
Private key formats: PVK and PEM (PKCS#1 and PKCS#8), encrypted or not
Certificates: PKCS#7 in PEM and DER format
Build tools integration (Maven, Gradle, Ant)
Command line signing tool
Authenticode signing API (Javadoc)

Ant Task

Here is an example showing how the signing works with Ant, using a Java keystore:

 <taskdef name="jsign" classname="net.jsign.JsignTask" classpath="jsign-3.1.jar"/>

 <jsign file="application.exe"
        name="My Application"
        url="http://www.example.com"
        keystore="keystore.jks"
        alias="test"
        storepass="password"
        tsaurl="http://timestamp.comodoca.com/authenticode"/>

Another example with SPC and PVK files commonly used with signcode.exe:

 <jsign file="application.exe"
        certfile="certificate.spc"
        keyfile="key.pvk"
        keypass="password"
        tsaurl="http://timestamp.verisign.com/scripts/timstamp.dll"/>

Attribute	Description	Required
file	The executable file to be signed.	Yes.
name	The name of the application	No
url	The URL of the application	No
keystore	The keystore file, or the SunPKCS11 configuration file	Yes, unless `certfile` and `keyfile` are specified.
storepass	The password to open the keystore	No
storetype	The type of the keystore: `JKS`: Java keystore `PKCS12`: Standard PKCS#12 keystore (`.p12` or `.pfx` files) `PKCS11`: PKCS#11 hardware token	No; defaults to "JKS".
alias	The alias of the certificate used for signing in the keystore. Java code signing certificates can be used for Authenticode signatures.	Yes, if `keystore` is specified
certfile	The file containing the PKCS#7 certificate chain (`.p7b` or `.spc` files).	Yes, unless `keystore` is specified.
keyfile	The file containing the private key. `PEM` and `PVK` files are supported.	Yes, unless `keystore` is specified.
keypass	The password of the private key. When using a keystore, this parameter can be omitted if the keystore shares the same password.	No
alg	The digest algorithm (SHA-1, SHA-256, SHA-384 or SHA-512)	No; defaults to SHA-256
tsaurl	The URL of the timestamping authority, either RFC 3161 or Authenticode services. You can use for example the COMODO (http://timestamp.comodoca.com/authenticode) or the Verisign (http://timestamp.verisign.com/scripts/timstamp.dll) services.	No
tsmode	The timestamping mode (RFC3161 or Authenticode)	No; defaults to Authenticode
tsretries	The number of retries for timestamping	No; defaults to 3
tsretrywait	The number of seconds to wait between timestamping retries	No; defaults to 10 seconds
replace	Tells if previous signatures should be replaced.	No; defaults to "false"
encoding	The encoding of the script to be signed (if it doesn't contain a byte order mark).	No; defaults to "UTF-8"

Maven plugin

Here is an example showing how the signing works with Maven. The parameters are the same as those described above for the Ant task. The execution is bound by default to the package phase.

    <build>
      <plugins>
        <plugin>
          <groupId>net.jsign</groupId>
          <artifactId>jsign-maven-plugin</artifactId>
          <version>3.1</version>
          <executions>
            <execution>
              <goals>
                <goal>sign</goal>
              </goals>
              <configuration>
                <file>application.exe</file>
                <name>My Application</name>
                <url>http://www.example.com</url>
                <keystore>keystore.jks</keystore>
                <alias>test</alias>
                <storepass>password</storepass>
              </configuration>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>

Gradle plugin

Here is an example showing how to use Jsign with Gradle. The parameters are the same as those described above for the Ant task.

    buildscript {
        dependencies {
            classpath 'net.jsign:jsign-gradle-plugin:3.1'
        }
    }
    
    apply plugin: 'net.jsign'
    
    task sign {
        doLast {
            jsign(file      : 'application.exe',
                  name      : 'My Application',
                  url       : 'http://www.example.com',
                  keystore  : 'keystore.p12',
                  alias     : 'test',
                  storepass : 'secret',
                  tsaurl    : 'http://timestamp.comodoca.com/authenticode')
        }
    }

Command Line Tool

Jsign can also be used as a command line tool. A Debian package and a RPM package are provided to install it easily on most Linux distributions. On these systems the command line is invoked with:

 jsign [OPTIONS] FILE

On other systems the command line is invoked by running the jar with:

 java -jar jsign-3.1.jar [OPTIONS] FILE

The parameters expected are the same as those used by the Ant task:

  usage: jsign [OPTIONS] FILE
  Sign and timestamp a Windows executable file, a Microsoft Installer (MSI) or a script
  (PowerShell, VBScript, JScript, WSF).
  
  -s,--keystore <FILE>       The keystore file, or the SunPKCS11 configuration file
     --storepass <PASSWORD>  The password to open the keystore
     --storetype <TYPE>      The type of the keystore:
                             - JKS: Java keystore (.jks files)
                             - PKCS12: Standard PKCS#12 keystore (.p12 or .pfx files)
                             - PKCS11: PKCS#11 hardware token
  -a,--alias <NAME>          The alias of the certificate used for signing in the keystore.
     --keypass <PASSWORD>    The password of the private key. When using a keystore,
                             this parameter can be omitted if the keystore shares the
                             same password.
     --keyfile <FILE>        The file containing the private key (supports PEM & PVK files)
  -c,--certfile <FILE>       The file containing the PKCS#7 certificate chain
                             (.p7b or .spc files).
  -d,--alg <ALGORITHM>       The digest algorithm (SHA-1, SHA-256, SHA-384 or SHA-512)
  -t,--tsaurl <URL>          The URL of the timestamping authority.
  -m,--tsmode <MODE>         The timestamping mode (RFC3161 or Authenticode)
  -r,--tsretries <NUMBER>    The number of retries for timestamping
  -w,--tsretrywait <SECONDS> The number of seconds to wait between timestamping retries
  -n,--name <NAME>           The name of the application
  -u,--url <URL>             The URL of the application
     --proxyUrl <URL>        The URL of the HTTP proxy
     --proxyUser <NAME>      The user for the HTTP proxy. If an user is needed.
     --proxyPass <PASSWORD>  The password for the HTTP proxy user. If an user is needed.
     --replace               Tells if previous signatures should be replaced.
  -e,--encoding <ENCODING>   The encoding of the script to be signed (UTF-8 by default,
                             or the encoding specified by the byte order mark if there is one)
  -h,--help                  Print the help

Example using a Java keystore:

 jsign --keystore keystore.jks --alias test --storepass password \
        --tsaurl http://timestamp.comodoca.com/authenticode application.exe

Example using SPC/PVK files:

 jsign --certfile certificate.spc --keyfile key.pvk --keypass password application.exe

API

Jsign also provides a simple API for signing files and can be embedded in another application.

Simply add this dependency to the project:

    <dependency>
      <groupId>net.jsign</groupId>
      <artifactId>jsign-core</artifactId>
      <version>3.1</version>
    </dependency>

and then use the AuthenticodeSigner class like this:

 KeyStore keystore = KeyStoreUtils.load(new File("keystore.p12"), "PKCS12", "password", null);

 AuthenticodeSigner signer = new AuthenticodeSigner(keystore, "test", "secret");
 signer.withProgramName("My Application")
       .withProgramURL("http://www.example.com")
       .withTimestamping(true)
       .withTimestampingAuthority("http://timestamp.comodoca.com/authenticode");

 Signable file = Signable.of(new File("application.exe"));
 signer.sign(file);

See the Javadoc for more details about the API.

Downloads

jsign_3.0_all.deb - Jsign command line tool for Debian/Ubuntu
jsign-3.0-1.noarch.rpm - Jsign command line tool for RedHat/Fedora/CentOS
jsign-3.0.jar - Jsign Ant Task

Credits

Jsign leverages the cryptography API developed by the Bouncy Castle project.
PVK parsing is based on the pvktool by Stephen N Henson.
MSI signing was possible thanks to the work done by the osslsigncode and Apache POI projects.

Jsign includes contributions from Emmanuel Bourg, Florent Daigniere, Michael Szediwy, Michael Peterson, Markus Kilås, Erwin Tratar and Björn Kautler.

Contact

Emmanuel Bourg (ebourg@apache.org, @smanux)