Automatically Sign Java Applets With a Security Certificate

March 9, 2010

When working with Java I find one of the most frustrating things I have to deal with is packaging the compiled code in a JAR file and signing it with a certificate (since it accesses the hardware) each time I make a little tweak to the code. The project I have been working on for the past 6 months requires a Java applet embedded into a website. Rather than just hitting save and refreshing the page to see the changes, as I am used to with web development, Java requires much more interaction than that to test your changes. For example, if I were to need to do a simple change, such as making a private method public, here are the steps that I would have to follow in Eclipse:

  1. Make change to code
  2. Save the code
  3. Select Project->Build All to build the class files
  4. Select File->Export
  5. Select Java->JAR File (if it is not already selected) and then Next
  6. Open the tree for my project and select just the “src” folder
  7. Click Finish to package the files in a JAR file
  8. Open Command Prompt
  9. Apply the developer certificate using the command jarsigner.exe -keystore helloworld.store helloworld.jar helloworldcert
  10. Enter the password for the certificate when prompted
  11. Open my SFTP client (e.g. FileZilla) and upload the JAR file to the development server
  12. Log out of the site and clear the cache, then log back in
  13. If at this point you still remember what changes you made, you can proceed to test them

As you can see it’s quite the lengthy process when you’re just making minor changes. Do that 50 or 100 times a day and you’ll get quite tired of it. As time went on I began to automate certain parts of this sequence so that I did not have to go through so much work to test out my changes. In its current incarnation I simply need to save the file in Eclipse and run a batch file in my QuickLaunch which takes care of the rest. I only wish I could go back in time and give this script to myself on day one of the project as by the time it reached its current state I was nearing the end of the project. Since that is not possible, I can only hope that someone else puts this to good use.

Before we get started, here is my folder structure for my project. Yours may be different, depending on your IDE and coding style:

  • MyProject
  • MyProject\bin
  • MyProject\deploy
  • MyProject\src

The “src” folder holds all of my source files, in this case just one java file. The “bin” folder is for all compiled source, so any class files I’ve already compiled or am making use of, as well as JAR files. The “deploy” folder is where the batch file resides and where the certificate files, password file, SCP script and the signed JAR file are stored.

The first piece of the puzzle I put in place was a batch file to sign the JAR file. If you do not need a certificate on your JAR file then you can skip this part. Otherwise you’ll first need a developer certificate; you can generate one by running this command:

keytool -keystore myproject.store -genkey -keyalg RSA -alias myprojectcert

You will want to replace myproject.store and myprojectcert with names that are more appropriate to your project. Enter a password for the certificate and answer the remaining questions. If you get an error stating “‘keytool’ is not recognized as an internal or external command, operable program or batch file”, it is because Windows does not know the location of this file. You can easily set that up, but I prefer just to write out the full path. Depending on the location of your Java install, your command may look more like this:

"C:\Program Files\Java\jdk1.6.0_13\bin\keytool.exe" -keystore myproject.store -genkey -keyalg RSA -alias myprojectcert

After running this command you will have a new file called myproject.store. If you cannot find it, look in the bin directory of your JDK; otherwise it will likely be in Command Prompt’s current directory, which you can display by typing cd. I would suggest moving this file into your project’s directory; I created a subdirectory called “deploy” which contains everything that will be outlined in this tutorial.

So now that you have your certificate, you’ll need to know how to sign a JAR file. This again is done in Command Prompt:

jarsigner.exe -keystore myproject.store myProject.jar myprojectcert

Once again you may need to enter the full path to the JDK, and you will be prompted for the password. After entering the password your JAR file will be signed and ready to use.

If you want to build just a batch file to sign the JAR file as I initially did you will most likely not want to enter your password each time. So save your password in a text file named “pass.txt” and create a batch file with the following contents:

@ECHO OFF

cd "C:\Documents and Settings\user\workspace\myproject\deploy"

echo Applying DEVELOPER Certificate
C:\Java\jdk1.6.0_13\bin\jarsigner.exe -keystore myproject.store ../bin/myProject.jar myprojectcert < pass.txt

Now that we’ve prepared the certificate and learned how to automate its use, let’s go over how we compile the source code and package it in a JAR file without using a GUI such as Eclipse. The first step is to compile the Java source file(s):

javac ../src/myProject.java -classpath ../bin/OneWireAPI.jar -d ../bin/

This invokes the compiler and tells it to go up a directory and into the src folder and compile the file myProject.java. It also lets it know that I am using the OneWire API so that it doesn’t throw an error on each call to that package. Finally, it tells it to put the compiled class file into the bin directory. You will need to tweak this line for your project, adding any JAR files you use to the classpath as well as any extra source files (you may choose to replace myProject.java with *.java).

jar cvf ../deploy/myProject.jar ../bin/myProject.class ../bin/OneWireAPI.jar

This line creates the JAR file, with the first parameter “cvf” standing for Create Verbose File. The next parameter is the name of the JAR file you’re creating, and all subsequent file names are added to that archive. In this case, I just archived the one class file and the one existing JAR file. You could once again use the *.class option here.

So now we can add those two commands to the start of the batch file so that each time it runs it rebuilds the project, puts it in a JAR, then signs it. All that is left is uploading it to the server. Since I am not an advocate of FTP (for security reasons), I wanted to find a solution that allowed me to transfer the files using SFTP. This meant that I could not make use of the internal FTP commands built into the DOS prompt. My initial attempt to develop a batch file that would upload via SFTP used FileZilla; however, it seems they have not completed their command-line implementation, and I was only able to take it as far as launching FileZilla and connecting to the server. I still had to open the folder and drag it over to the active FTP session and then manually kill it afterwards. After a bit of research I decided my best option would be to use WinSCP.
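The signing batch file with the compile and package commands added ahead of it, as an added example that is not the author's original script; it stops before the upload step. Writing the JAR into the “deploy” folder, using jar's -C option, halting on the first failed step and the final jarsigner -verify check are assumptions of this example.

```bat
@ECHO OFF
REM Added example, not the author's script. Paths and file names are the ones
REM used in the post; writing the JAR into "deploy" is an assumption.
SETLOCAL
SET "JDK=C:\Java\jdk1.6.0_13\bin"

cd /d "C:\Documents and Settings\user\workspace\myproject\deploy"
IF ERRORLEVEL 1 GOTO fail

echo Compiling
"%JDK%\javac.exe" ../src/myProject.java -classpath ../bin/OneWireAPI.jar -d ../bin/
IF ERRORLEVEL 1 GOTO fail

echo Packaging
REM -C changes into ..\bin first, so entries are stored without a directory prefix.
"%JDK%\jar.exe" cvf myProject.jar -C ../bin myProject.class -C ../bin OneWireAPI.jar
IF ERRORLEVEL 1 GOTO fail

echo Applying DEVELOPER Certificate
REM pass.txt holds the keystore password in clear text: keep it out of version
REM control and readable only by your own account.
"%JDK%\jarsigner.exe" -keystore myproject.store myProject.jar myprojectcert < pass.txt
IF ERRORLEVEL 1 GOTO fail

echo Verifying signature
REM Match jarsigner's "jar verified." message (English locale assumed) instead
REM of trusting the exit code alone.
"%JDK%\jarsigner.exe" -verify myProject.jar | findstr /C:"jar verified" >NUL
IF ERRORLEVEL 1 GOTO fail

echo Signed JAR ready: %CD%\myProject.jar
EXIT /B 0

:fail
echo Build stopped: the last step reported an error.
EXIT /B 1
```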

………………………

Unfortunately, that was as far as I got with this blog post. It’s now 2019 and I’m just cleaning up my drafts folder and this is too good of a post to delete so I’m posting it as is. So if anyone discovers this and finds it useful, well, you’ll have to find your solution to the FTP upload problem as I can’t remember if I ever solved it.
