How to sign JAR files
From The CA Plex Wiki
When JAR files need to be downloaded as part of a Java applet or Web Start deployment, it is best to digitally sign the JAR files.
Note that Plex 6.0 provides integrated support for digital signing as part of the Code Library feature.
For more detailed information on digitally signing JAR files, please consult: http://java.sun.com/developer/Books/javaprogramming/JAR/sign/index.html
Signing with a Test Certificate
1. Make sure that the Java SDK tools keytool and jarsigner are in your path. These tools are located in the Java SDK bin directory.
2. Create a new key in a new keystore as follows:
keytool -genkey -keystore myKeystore -alias myself
You will be prompted for information regarding the new key, such as password, name, etc. This will create the myKeystore file on disk.
3. Then create a self-signed test certificate as follows:
keytool -selfcert -alias myself -keystore myKeystore
This will prompt you for a password. Generating the certificate may take a few minutes.
4. Check to make sure that everything is okay. To list the contents of the keystore, use this command:
keytool -list -keystore myKeystore
It should list something like:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry:
myself, Tue Jan 23 19:29:32 PST 2001, keyEntry,
Certificate fingerprint (MD5): C2:E9:BF:F9:D3:DF:4C:8F:3C:5F:22:9E:AF:0B:42:9D
5. Finally, sign the JAR file with the test certificate as follows:
jarsigner -keystore myKeystore test.jar myself
6. Repeat these steps for all your JAR files.
Note that a self-signed test certificate should only be used for internal testing, since it does not guarantee the identity of the user and therefore cannot be trusted. A trustworthy certificate can be obtained from a certificate authority, such as VeriSign or Thawte, and should be used when the application is put into production.
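Steps 2 to 6 above can be run without prompts for a whole set of JAR files. The script below is an added example, not part of the original wiki page. It uses `-genkeypair` (the current name for `-genkey`, which already produces a self-signed certificate) and reads the password from an environment variable so it does not appear on the command line. The names `KS_PASS`, `KEYSTORE`, `ALIAS` and the certificate name `CN=Internal Test Signer` are assumptions made for the example.

```shell
#!/bin/sh
# Added example: non-interactive version of steps 2-6 for several JAR files.
# Assumed names: KS_PASS (environment variable holding the keystore password);
# KEYSTORE and ALIAS default to the values used in the steps above.
KEYSTORE="${KEYSTORE:-myKeystore}"
ALIAS="${ALIAS:-myself}"

# Step 2: create the key pair once. -genkeypair wraps the public key in a
# self-signed certificate. The -dname value is a constructed sample.
make_test_key() {
    [ -f "$KEYSTORE" ] && return 0
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -validity 90 -dname "CN=Internal Test Signer" \
        -keystore "$KEYSTORE" -storepass:env KS_PASS -keypass:env KS_PASS
}

# Step 4: confirm the alias exists in the keystore before signing anything.
check_key() {
    keytool -list -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass:env KS_PASS >/dev/null
}

# True only if jarsigner reports a verified signature. An unsigned archive
# prints "jar is unsigned." instead, so match the message itself.
is_signed() {
    jarsigner -J-Duser.language=en -verify "$1" 2>/dev/null |
        grep -q '^jar verified\.'
}

# Steps 5-6: sign every JAR given, then verify each result.
sign_all() {
    make_test_key && check_key || return 1
    for jar in "$@"; do
        jarsigner -keystore "$KEYSTORE" -storepass:env KS_PASS \
            -keypass:env KS_PASS "$jar" "$ALIAS" >/dev/null || return 1
        is_signed "$jar" || { echo "NOT VERIFIED: $jar" >&2; return 1; }
        echo "signed and verified: $jar"
    done
}

# Usage: KS_PASS=... sh sign-jars.sh *.jar
if [ "$#" -gt 0 ]; then sign_all "$@"; fi
```

The check confirms only that each signature verifies; with a self-signed certificate jarsigner will still print warnings about the untrusted certificate, which is expected for internal testing.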
Make sure you add the following tag to your .jnlp file:
<security>
  <all-permissions/>
</security>