JArchive Signer

This is a SignServer Enterprise feature.

The signer has the fully qualified class name: org.signserver.module.jarchive.signer.JArchiveSigner

Overview

The signer signs Java archives and other ZIP files (.jar, .war, .ear, .apk, .zip, etc.) according to the JAR File Specification. The signature can optionally include a timestamp response from a TSA in the RFC 3161 format.

Available Properties

Property

Description

SIGNATUREALGORITHM

Algorithm for signing. Optional, default: "SHA256withRSA".

DIGESTALGORITHM

Algorithm for message digests. Optional, default: "SHA-256".

ZIPALIGN

True if the offset at which each file entry's data starts should be aligned to 4 bytes. Optional, default: False.

KEEPSIGNATURE

True if existing signature files should be kept. If disabled, no previous META-INF/*.SF,.RSA,.DS or .EC files are kept. Optional, default: True.

REPLACESIGNATURE

True if an existing signature with the same name should be overwritten and not fail with an error. Optional, default: True.

SIGNATURE_NAME_TYPE

Type of signature name to use:

  • KEYALIAS: Takes the name from the key alias of the key used to sign the response, after converting it according to the signature name rules (see SIGNATURE_NAME_VALUE).

  • VALUE: Takes the name from the SIGNATURE_NAME_VALUE property.

Optional, default: KEYALIAS.

SIGNATURE_NAME_VALUE

The value for the signature name if the SIGNATURE_NAME_TYPE requires a value. With the type VALUE, the name is taken directly from this property but must follow the signature name rules:

  • Only characters from A-Z0-9_.-

  • Minimum 1 character

  • Maximum 8 characters

Optional or required depending on SIGNATURE_NAME_TYPE.

TSA_WORKER

Worker ID or name of an internal (RFC 3161) timestamp signer in the same SignServer. Optional, default: none.

Warning: Cannot be combined with TSA_URL.

TSA_URL

URL of an external (Authenticode) timestamp authority. Optional, default: none.

Warning: Cannot be combined with TSA_WORKER.

TSA_USERNAME

Login username used if the TSA uses HTTP Basic Auth. Optional, default: none.

TSA_PASSWORD

Login password used if the TSA uses HTTP Basic Auth. Required if TSA_USERNAME is specified, default: none.

TSA_POLICYOID

Time-stamping policy OID to request from the TSA. Optional, default: none.

TSA_DIGESTALGORITHM

Algorithm for timestamp digests. Optional, default: SHA-256.

DO_LOGREQUEST_DIGEST

Whether a digest of the request should be computed and logged. Optional, default: true.

LOGREQUEST_DIGESTALGORITHM

Algorithm used to create the message digest (hash) of the request document to put in the log. Default: SHA256.

DO_LOGRESPONSE_DIGEST

Whether a digest of the response should be computed and logged. Optional, default: true.

LOGRESPONSE_DIGESTALGORITHM

Algorithm used to create the message digest (hash) of the response document to put in the log. Default: SHA256.
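
The constraints between the properties above (TSA_WORKER and TSA_URL being mutually exclusive, TSA_PASSWORD being required with TSA_USERNAME, and the signature name rules) can be checked before a worker configuration is loaded. The following is an added example, not SignServer code: the function names, the "WORKERGENID1." key prefix and the sample values are assumptions made for illustration.

```python
import re

# Signature name rules as stated on this page: A-Z0-9_.- and 1 to 8 characters.
SIGNATURE_NAME_RE = re.compile(r"[A-Z0-9_.-]{1,8}")


def parse_properties(text):
    """Parse KEY=VALUE lines; any prefix before the last dot of the key is dropped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Assumption: keys may carry a worker prefix such as "WORKERGENID1."
        props[key.strip().rsplit(".", 1)[-1]] = value.strip()
    return props


def lint_jarchive_signer(props):
    """Return a list of violations of the constraints documented above."""
    errors = []
    if props.get("TSA_WORKER") and props.get("TSA_URL"):
        errors.append("TSA_WORKER cannot be combined with TSA_URL")
    if props.get("TSA_USERNAME") and not props.get("TSA_PASSWORD"):
        errors.append("TSA_PASSWORD is required when TSA_USERNAME is set")
    name_type = props.get("SIGNATURE_NAME_TYPE", "KEYALIAS")  # documented default
    if name_type not in ("KEYALIAS", "VALUE"):
        errors.append("SIGNATURE_NAME_TYPE must be KEYALIAS or VALUE")
    elif name_type == "VALUE":
        name = props.get("SIGNATURE_NAME_VALUE", "")
        if not SIGNATURE_NAME_RE.fullmatch(name):
            errors.append("SIGNATURE_NAME_VALUE must be 1-8 characters from A-Z0-9_.-")
    return errors


# Constructed sample configuration (not from a real deployment).
SAMPLE = """
WORKERGENID1.NAME=JArchiveSigner
WORKERGENID1.SIGNATURE_NAME_TYPE=VALUE
WORKERGENID1.SIGNATURE_NAME_VALUE=release-signer
WORKERGENID1.TSA_WORKER=TimeStampSigner
WORKERGENID1.TSA_URL=https://tsa.example.com/tsa
WORKERGENID1.TSA_USERNAME=signer
"""

if __name__ == "__main__":
    for problem in lint_jarchive_signer(parse_properties(SAMPLE)):
        print("config error:", problem)
```

The constructed sample violates three rules at once: both TSA properties are set, a username is given without a password, and the signature name is lowercase and longer than 8 characters.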

Worker Log Fields

Field

Description

REQUEST_DIGEST

A message digest (hash) for the request document in hex encoding.

REQUEST_DIGEST_ALGORITHM

The name of the message digest (hash) algorithm used for the request digest in the log.

RESPONSE_DIGEST

A message digest (hash) for the response document in hex encoding.

RESPONSE_DIGEST_ALGORITHM

The name of the message digest (hash) algorithm used for the response digest in the log.