Ezzatron

Just a quick article on something I struggled to find a good example for – configuring NetBeans to sign a .jar file after compilation is complete.

This is very handy, for example, when developing an applet that requires permission to access the file system. This requires the applet to be “signed” using the jarsigner utility, and this quickly becomes a tedious step when testing changes made in your applet in the browser itself.

I’m assuming that since you’re reading this article you have basic knowledge of Java and the keytool and jarsigner utilities. If not, there is a good introduction here.

Please note that this how-to is intended for a development environment situation only. Before deploying to a production environment you should read up on the best practices and security implications of the .jar signing process.

Step 1: Setting up your keystore

For this step we will be using the keytool utility distributed with your JDK. This will most likely be in the bin directory of your JDK installation.

Assuming keytool is in your system path, run the command:

keytool -genkey -alias <alias name> -keystore <keystore path> -validity 36500

Replacing <alias name> with a suitable alias, and <keystore path> with the filename you’d like for your keystore.

You will then be prompted for a number of inputs. For a test setup, use the following answers:

Enter keystore password: <keystore password> <enter>
Re-enter new password: <keystore password> <enter>
What is your first and last name?
  [Unknown]: <enter>
What is the name of your organizational unit?
  [Unknown]: <enter>
What is the name of your organization?
  [Unknown]: <enter>
What is the name of your City or Locality?
  [Unknown]: <enter>
What is the name of your State or Province?
  [Unknown]: <enter>
What is the two-letter country code for this unit?
  [Unknown]: <enter>
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  y <enter>
 
Enter key password for <<alias name>>
        (RETURN if same as keystore password): <key password> <enter>

This will create a keystore file at <keystore path> which we will use in the next step to sign .jar files. Remember the passwords you used in this step as you’ll need them very soon.

The -validity 36500 section simply specifies that we want this key to last for a very long time (100 years to be exact). This is fine in a development environment as you probably don’t want to have to regenerate new keys all the time, but in a production environment this would obviously be much shorter. The -validity value is specified in days.

Step 2: Configuring your NetBeans project

In this step we will be editing two configuration files from your NetBeans project; project.properties and build.xml.

The project.properties file should be located in the nbproject directory of your NetBeans project, and the build.xml should be in the main project folder itself.

You can edit these files by hand, or you can do so in NetBeans itself by switching to the Files window.

Add the following lines somewhere in your project.properties file, substituting the relevant paths etc. (hint: your jarsigner utility should be in the bin directory of your JDK installation):

jarsign.jarsigner=<path to the jarsigner utility>
jarsign.keystore=<keystore path>
jarsign.storepass=<keystore password>
jarsign.keypass=<key password>
jarsign.signedjar=<path to create signed jar file at>
jarsign.alias=<alias name>

Add the following inside the <project> block in your build.xml file:

<target name="-post-jar">
   <exec executable="${jarsign.jarsigner}">
      <arg line="-keystore" />
      <arg file="${jarsign.keystore}" />
      <arg line="-storepass ${jarsign.storepass}" />
      <arg line="-keypass ${jarsign.keypass}" />
      <arg line="-signedjar" />
      <arg file="${jarsign.signedjar}" />
      <arg file="${dist.jar}"/>
      <arg line="${jarsign.alias}" />
   </exec>
   <echo>Signed Jar '${jarsign.signedjar}' created</echo>
 </target>

And that’s it. The next time you build your project, a signed copy of the .jar file should be created automatically at the path you specified. You should also see a confirmation message in the build output.

Enjoy!