Java Code Signing Certificate Application and Usage Guide


Step 1: Download Signing Tools

If you have not already done so, download the Java 2 Software Development Kit (SDK) free of charge from the Sun website at http://java.sun.com/j2se/. JDK 1.4.2 or later is recommended; it is available for the Solaris SPARC/x86, Linux86, and Microsoft Windows platforms.

You will use keytool, jar, and jarsigner from the SDK to apply for your Code Signing Certificate and to digitally sign your code.

Step 2: Enrollment (if you do not have a certificate, contact 易維信 (EVTrust) to apply for one)

(1) Create a Keystore (generate the private/public key pair)

To generate a public/private key pair, enter the following command, specifying a name for your keystore and an alias:

c:\jdk1.5\bin\keytool -genkey -keyalg rsa -keystore <keystore_filename> -alias <alias_name>

Keytool prompts you for a password (for your keystore and private key), your name ("Your name": enter your organization's web address), your department, your organization, your city, your province, and your country code (CN for China; other countries use their own abbreviation). The organization name must match the name on your supporting documents; the department name (OU) may be left blank. Apart from the country code, which must be entered as CN, the fields may be filled in in English or Chinese. Keep your private key and its password safe. We will never ask you to provide your private key file!

The public/private key pair generated by keytool is saved to your keystore and will be used to sign Java Applets and applications. This key is never sent to GlobalSign and is required to sign code. GlobalSign encourages you to make a copy of the public/private key pair and store it in a safe deposit box or other secure location. If the key is lost or stolen, contact GlobalSign immediately to have it revoked.

(2) Generate a Certificate Signing Request (CSR)

The enrollment process requires a Certificate Signing Request (CSR). The following command asks keytool to create a CSR for the key pair in the keystore:

c:\jdk1.5\bin\keytool -certreq -file certreq.csr -keystore <keystore_filename> -alias <alias_name>

Copy the contents of the generated certreq.csr file and paste them directly into the CSR text box of the GlobalSign online enrollment form (the 維瑞信 enrollment form), or send the file directly to 維瑞 customer service. The certificate is issued after 1-2 business days. Open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).

Step 3: Begin Using Your Code Signing Certificate

(1) Import the GlobalSign Code Signing Certificate

Once GlobalSign has verified your identity, your certificate is issued and a confirmation e-mail is sent with your Sun Java Code Signing Certificate attached. Download your certificate from the GlobalSign website and choose the PKCS #7 format (PKCS #7 Certificate Chain): it contains your certificate together with the root certificate chain, and keytool requires this format. Save the certificate to a file on your computer. A Code Signing Certificate is a "trust path" or "chain" back to the GlobalSign root certificate. This "trust path" allows your code to be validated on any standard JRE without installing any additional files.

To import your Sun Java Code Signing Certificate into your keystore, enter the following command with the correct path and name of your file (the name "cert.cer" is assumed here). Once the certificate has been imported successfully, back up your keystore file promptly.

c:\jdk1.5\bin\keytool -import -trustcacerts -keystore <keystore_filename> -alias <alias_name> -file cert.cer

(2) Bundle the Applet into a JAR File

Use jar to bundle your Applets or applications as a JAR file. The following command creates the JAR file C:\TestApplet.jar, which contains all the files under the current directory and its sub-directories:

c:\jdk1.5\bin\jar cvf C:\TestApplet.jar .

Jar responds:

added manifest
adding: TestApplet.class (in = 94208) (out= 20103)(deflated 78%)
adding: TestHelper.class (in = 16384) (out= 779)(deflated 95%)

(3) Sign Your Applet

Use jarsigner to sign the JAR file with the private key you saved in your keystore. The last argument, MyCert, is the alias of the signing certificate in the keystore:

c:\jdk1.5\bin\jarsigner C:\TestApplet.jar MyCert

(a) At the prompt, enter the password you set for your keystore and private key.

(b) Give the full path and file name of the .jar file. In the command syntax, TestApplet represents the name and location of your JAR file. MyCert is the alias <alias_name>: it must specify the same value that you used when generating the key pair and certificate signing request (CSR).

(c) Jarsigner hashes your Applet or application and stores the hash in the JAR file with a copy of your Code Signing Certificate.

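If you already have a keystore file backed up from another computer (for example, wotonecs.jks), you can sign the JAR file with the following command. The last argument, wotonecs, is the alias of the signing certificate in the keystore: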

c:\jdk1.5\bin\jarsigner -keystore wotonecs.jks C:\TestApplet.jar wotonecs

(d) Verify your signed JAR file with the following command:

c:\jdk1.5\bin\jarsigner -verify -verbose -certs c:\TestApplet.jar

Once the JAR file has been signed successfully, you can publish it online for users to download. When the signed JAR file is downloaded, the Java Runtime Environment will display your certificate to the user. If the file has been tampered with or corrupted in any way after it was signed, the user will be notified and given the option to refuse installation.
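Step (c) and the tamper detection described above rest on the per-file digests that jarsigner records in META-INF/MANIFEST.MF. The following Python is an added example, not part of the original guide; the function names and the in-memory sample JAR (constructed) are illustrative assumptions. It recomputes only the digest layer; the signature over the manifest itself is what `jarsigner -verify` validates.

```python
import base64, hashlib, io, zipfile

def parse_manifest(text):
    """Return {entry name: {attribute: value}} for the per-entry sections."""
    # Manifest lines wrap at 72 bytes; a continuation line starts with one space.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for section in unfolded.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" in attrs:
            entries[attrs.pop("Name")] = attrs
    return entries

def check_jar_digests(jar_bytes):
    """Map each file outside META-INF to 'ok', 'mismatch' or 'unsigned'."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
        entries = parse_manifest(manifest)
        for name in jar.namelist():
            if name.startswith("META-INF/") or name.endswith("/"):
                continue
            # Attributes look like "SHA-256-Digest" (or "SHA1-Digest" on old JDKs).
            digests = {k[:-7]: v for k, v in entries.get(name, {}).items()
                       if k.endswith("-Digest")}
            if not digests:
                results[name] = "unsigned"  # no manifest entry: added after signing
                continue
            data = jar.read(name)
            ok = all(
                base64.b64encode(
                    hashlib.new(alg.replace("-", "").lower(), data).digest()
                ).decode() == value
                for alg, value in digests.items())
            results[name] = "ok" if ok else "mismatch"
    return results

def build_sample_jar(files, tampered=None):
    """Constructed sample: digests cover `files`; `tampered` swaps contents after."""
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in files.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        manifest += f"Name: {name}\r\nSHA-256-Digest: {digest}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in {**files, **(tampered or {})}.items():
            jar.writestr(name, data)
    return buf.getvalue()
```

A JAR whose manifest was rewritten along with its files would pass this digest check, which is why the signature verification in step (d) remains the authoritative test.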

