Signing a JAR allows users to authenticate the publisher.
Signs JAR files with the jarsigner command line tool. It will take a named file in the jar attribute, and an optional destDir or signedJar attribute. Nested paths are also supported; here only an (optional) destDir is allowed. If a destination directory or explicit JAR file name is not provided, JARs are signed in place.
Dependency rules
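If the destination file and the source file are the same and lazy is true, the JAR is only signed if it does not contain a signature by this alias.
If the destination file and the source file are the same and lazy is false, the JAR is signed.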
Attribute | Description | Required |
---|---|---|
jar | the jar file to sign | Yes, unless nested paths have been used |
alias | the alias to sign under | Yes |
storepass | password for keystore integrity. | Yes |
keystore | keystore location | No |
storetype | keystore type | No |
keypass | password for private key (if different) | No |
sigfile | name of .SF/.DSA file | No |
signedjar | name of signed JAR file. This can only be set when the jar attribute is set. | No |
verbose | (true\|false) verbose output when signing | No; default false |
strict | (true\|false) strict checking when signing. since Ant 1.9.1. | No; default false |
internalsf | (true\|false) include the .SF file inside the signature block | No; default false |
sectionsonly | (true\|false) don't compute hash of entire manifest | No; default false |
lazy | flag to control whether the presence of a signature file means a JAR is signed. This is only used when the target JAR matches the source JAR | No; default false |
maxmemory | Specifies the maximum memory the jarsigner JVM will use. Specified in the style of standard Java memory specs (e.g. 128m = 128 MBytes) | No |
preservelastmodified | Give the signed files the same last modified time as the original jar files. | No; default false. |
tsaurl | URL for a timestamp authority for timestamped JAR files in Java 5+ | No |
tsacert | alias in the keystore for a timestamp authority for timestamped JAR files in Java 5+ | No |
tsaproxyhost | proxy host to be used when connecting to TSA server | No |
tsaproxyport | proxy port to be used when connecting to TSA server | No |
executable | Specify a particular jarsigner executable to use in place of the default binary (found in the same JDK as Apache Ant is running in). Must support the same command line options as the Sun JDK jarsigner command. since Ant 1.8.0. | No |
force | Whether to force signing of the jar file even if it doesn't seem to be out of date or already signed. since Ant 1.8.0. | No; default false |
sigalg | name of signature algorithm | No |
digestalg | name of digest algorithm | No |
tsadigestalg | name of TSA digest algorithm. since Ant 1.10.2 | No |
Attribute | Description | Required |
---|---|---|
path | path of JAR files to sign. since Ant 1.7 | No |
fileset | fileset of JAR files to sign. | No |
mapper | A mapper to rename jar files during signing | No, and only one can be supplied |
sysproperty | JVM system properties, with the syntax of Ant environment variables | No, and only one can be supplied |
For instructions on generating a code signing certificate, see the keytool documentation and/or instructions from your certificate authority.
```xml
<signjar jar="${dist}/lib/ant.jar" alias="apache-group" storepass="secret"/>
```
Signs ant.jar with the alias apache-group, accessing the keystore and private key via the password secret.
```xml
<signjar destDir="signed"
         alias="testonly" keystore="testkeystore"
         storepass="apacheant"
         preservelastmodified="true">
  <path>
    <fileset dir="dist" includes="**/*.jar"/>
  </path>
  <flattenmapper/>
</signjar>
```
Sign all JAR files matching the dist/**/*.jar pattern, copying them to the directory signed afterwards. The flatten mapper means that they will all be copied to this directory, not to subdirectories.
```xml
<signjar alias="testonly" keystore="testkeystore"
         storepass="apacheant"
         lazy="true">
  <path>
    <fileset dir="dist" includes="**/*.jar"/>
  </path>
</signjar>
```
Sign all the JAR files in dist/**/*.jar in-situ. Lazy signing is used, so the files will only be signed if they are not already signed.
```xml
<signjar alias="testonly" keystore="testkeystore"
         storepass="apacheant"
         sigalg="MD5withRSA"
         digestalg="SHA1">
  <path>
    <fileset dir="dist" includes="**/*.jar"/>
  </path>
</signjar>
```
Sign all the JAR files in dist/**/*.jar using the digest algorithm SHA1 and the signature algorithm MD5withRSA. This is especially useful when you want to use the JDK 7 jarsigner (which uses SHA256 and SHA256withRSA as default) to create signed jars that will be deployed on platforms not supporting SHA256 and SHA256withRSA.
Timestamps record the date and time that a signature took place, allowing the signature to be verified as of that point in time. With trusted timestamping, users can verify that signing occurred before a certificate's expiration or revocation. Without this timestamp, users can only verify the signature as of their current date.
Timestamped JAR files were introduced in Java 5 and supported since Ant 1.7. Since Ant 1.9.5, Ant can use unauthenticated proxies for this signing process.
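The legacy-algorithm example and the timestamping paragraphs above, combined into one hardened target as an added example (not from the Ant manual): SHA-256 digests and signature, a timestamped signature, the keystore password taken from the environment, and a `<verifyjar>` pass over the output. The keystore path, alias, `SIGN_STOREPASS` variable and TSA URL are placeholders, and an RSA key in a PKCS12 keystore is assumed.

```xml
<project name="sign-release" default="sign" basedir=".">
  <!-- Added example: every name, path and URL below is a placeholder. -->
  <property environment="env"/>
  <property name="sign.keystore" location="release.p12"/>
  <property name="sign.alias" value="release-signing"/>
  <property name="sign.tsa" value="https://tsa.example.invalid/"/>

  <target name="sign">
    <!-- Keep the keystore password out of the build file: read it from
         the environment and stop before signing if it is missing. -->
    <fail unless="env.SIGN_STOREPASS"
          message="Set SIGN_STOREPASS before running the sign target."/>

    <!-- Explicit SHA-256 algorithms instead of MD5withRSA/SHA1, plus a
         TSA timestamp so the signature can be checked as of signing time. -->
    <signjar destDir="signed"
             alias="${sign.alias}"
             keystore="${sign.keystore}"
             storetype="PKCS12"
             storepass="${env.SIGN_STOREPASS}"
             sigalg="SHA256withRSA"
             digestalg="SHA-256"
             tsaurl="${sign.tsa}"
             tsadigestalg="SHA-256"
             strict="true"
             preservelastmodified="true">
      <path>
        <fileset dir="dist" includes="**/*.jar"/>
      </path>
      <flattenmapper/>
    </signjar>

    <!-- Verify each signed JAR against the same keystore entry;
         certificates="true" asks jarsigner to print certificate details. -->
    <verifyjar alias="${sign.alias}"
               keystore="${sign.keystore}"
               storetype="PKCS12"
               storepass="${env.SIGN_STOREPASS}"
               strict="true" verbose="true" certificates="true">
      <path>
        <fileset dir="signed" includes="*.jar"/>
      </path>
    </verifyjar>
  </target>
</project>
```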
Common public timestamp authorities include