How to Create a (Self-)Signed Jar
Some JARs need to be signed, for example a JAR containing a Java applet that needs privileges beyond the sandbox. Signing attaches a digital signature to the JAR, which lets whoever receives it check who produced it and that it has not been modified since. How exactly digital signatures work is out of the scope of this document (the Wikipedia article is a good starting point); what matters here is that somebody vouches for your identity. Ideally, but not necessarily, this somebody is a trusted certificate authority.
Signing a JAR needs two things. The first is your private key, which only you hold and which produces the signature. The second is a certificate, issued by somebody who certifies that the public key matching your private key really belongs to you. In the simplest case you issue that certificate yourself. This is called a self-signed certificate. Obviously it is not very trustworthy, because anybody can certify themselves to be anybody, but for testing it is usually the easiest solution. Besides the lack of trust, the major disadvantage of self-signed certificates is that the user will see a lot of warnings when installing your software, and may even be unable to install it without system administrator privileges.
If you want to publish your software to the public, you should get a real certificate from a trusted certificate authority. The next how-to will help you get one; for now, I will show you how to create a self-signed certificate.
To sign a JAR, the first thing you need is the private key. Only you should hold this key: anybody who gets hold of it can sign JARs as you, so keep it out of version control and off shared machines. Java stores keys in a file called a keystore. Each key in the keystore is addressed by a name that Java calls an "alias". The main tool for managing keystores is a command line tool called keytool, which ships with the JDK.
This is how to create a new key pair, either adding it to an existing keystore or creating a new keystore if the file does not exist yet. keytool wraps the new public key in a certificate signed with the new private key, so the key is self-signed from the start:
C:\Users\tim\tmp>keytool -genkeypair -keyalg RSA -keysize 2048 -alias myFirstKey -keystore myKeystore -validity 360
The command will ask you a couple of questions. First it asks for the keystore password (at least six characters): if you are creating a new keystore you choose it here, otherwise you enter the existing one. Pick a real password if you plan to publish software signed with the keys in this keystore, because the password is all that stands between a copied keystore file and your signing key. Then it asks for your name, organization and location. These values become the distinguished name in the certificate; they are what the user sees, and what a certificate authority would check and certify if you later send it a request, so be careful to enter the right values. Finally it may ask for a separate key password; pressing Enter reuses the keystore password, which is what PKCS12 keystores expect anyway. Older JDKs generate 1024-bit RSA keys unless you pass -keysize 2048, so always pass it.
Now that you have a key pair with a self-signed certificate, you can sign your JAR with the jarsigner tool, which also ships with the JDK. The last argument is the alias of the key to sign with, and jarsigner -verify checks the result afterwards:
C:\Users\tim\tmp>jarsigner.exe -keystore myKeystore -verbose jarfiller-example.jar myFirstKey
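The whole procedure end to end, as an added example that is not part of the original article: it is written for a POSIX shell rather than the Windows prompt shown above, answers keytool's prompts on the command line, and then goes beyond the article by verifying the signature and showing that a JAR modified after signing fails verification. A JDK on PATH (keytool, jar, jarsigner) is assumed; the file names, alias, password and distinguished name are invented placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: the keytool/jarsigner
# flow run non-interactively, then verified and tamper-tested.
# Assumes a JDK on PATH. Names, password and DN below are made up; the
# -dname values answer the questions keytool would otherwise prompt for.
set -eu

WORK="$(mktemp -d)"                 # scratch directory for all files
KEYSTORE="$WORK/myKeystore.p12"     # hypothetical keystore file
ALIAS=myFirstKey
STOREPASS='changeit-please'         # placeholder; never commit a real one
DNAME='CN=Tim Example, OU=Dev, O=Example Corp, L=Berlin, ST=Berlin, C=DE'

have_jdk() {
  for t in keytool jar jarsigner; do
    command -v "$t" >/dev/null 2>&1 || return 1
  done
}

# 1. Key pair plus self-signed certificate. -keysize 2048 and SHA256withRSA
#    override the weak defaults of older JDKs (1024-bit RSA, SHA-1).
make_keystore() {
  rm -f "$KEYSTORE"
  keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -alias "$ALIAS" -keystore "$KEYSTORE" -storetype PKCS12 -validity 360 \
    -storepass "$STOREPASS" -keypass "$STOREPASS" -dname "$DNAME" >/dev/null 2>&1
}

# 2. A small JAR to sign (constructed content).
make_jar() {
  mkdir -p "$WORK/build"
  echo 'hello' > "$WORK/build/hello.txt"
  jar cf "$WORK/example.jar" -C "$WORK/build" hello.txt
}

# 3. Sign with SHA-256 digests and signature. Without -tsa (a timestamping
#    authority) the signature stops validating once the certificate expires.
sign_jar() {
  jarsigner -keystore "$KEYSTORE" -storetype PKCS12 \
    -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -sigalg SHA256withRSA -digestalg SHA-256 \
    "$WORK/example.jar" "$ALIAS" >/dev/null
}

# 4. Verify. jarsigner prints "jar verified." only when every signed entry's
#    digest matches and the signature over the manifest checks out; for a
#    self-signed certificate it still warns that the signer is untrusted.
verify_jar() {
  if jarsigner -verify -verbose -certs "$1" 2>&1 | grep -q 'jar verified'; then
    echo verified
  else
    echo NOT-verified
  fi
}

# 5. Tamper test: replace a signed entry after signing. The manifest still
#    carries the old digest for hello.txt, so verification must fail.
tamper_jar() {
  cp "$WORK/example.jar" "$WORK/tampered.jar"
  echo 'evil' > "$WORK/build/hello.txt"
  jar uf "$WORK/tampered.jar" -C "$WORK/build" hello.txt
}

# The certificate fingerprint is what a user of a self-signed JAR has to
# compare out of band (web page, mail), since no CA vouches for it.
fingerprint() {
  keytool -list -keystore "$KEYSTORE" -storetype PKCS12 \
    -storepass "$STOREPASS" -alias "$ALIAS" 2>/dev/null | grep -i fingerprint
}

main() {
  if ! have_jdk; then
    echo 'keytool/jar/jarsigner not on PATH; install a JDK to run this' >&2
    return 0
  fi
  make_keystore
  make_jar
  sign_jar
  echo "signed:   $(verify_jar "$WORK/example.jar")"    # verified
  tamper_jar
  echo "tampered: $(verify_jar "$WORK/tampered.jar")"   # NOT-verified
  fingerprint
}

main
```

Note that a plain jarsigner -verify exits with status 0 even when it only warns (self-signed signer, expired certificate, unsigned entries); pass -strict if a build script should fail on those warnings rather than only on a broken digest or signature.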