Token Based JAR Signing - Windows

Dec 22, 2025

Introduction

This article provides step-by-step instructions for Token Based JAR Signing in Windows Environments. If you are looking for a different solution, please use the search bar above.

Prerequisites

• Before signing, import R6-R45 timestamp cross certificate to Java root CA certificate store. Refer to the following command line for the purpose:
  keytool -import -trustcacerts -alias myrootcert -file "C:\path\to\your\root_certificate.cer" -keystore "C:\path\to\your\cacerts"

Guidelines

You can watch the video below for a tutorial. 

Or, you can check the step by step guidelines below. 

Configuring your JDK

1. Install the 32-bit JDK and locate the JDK bin folder. Note: The default location is "C:\Program Files (x86)\Java\jdk1.X.X_XXX\bin".
   
2. Using notepad or notepad++, create a file named eToken.cfg in the bin folder with the following content as shown below.
   
3. Save the eToken.cfg in the bin folder.

Windows JAR Signing

1. Run the command prompt as administrator. Then navigate to the "jdkx.x.x_xxx\bin" directory where the JarSigner and KeyTool are located, as well as the eToken.cfg file you created.
   
2. Confirm your certificate alias with the following command: 
   keytool -list -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerArg eToken.cfg
   Enter your keystore passphrase (token password) when prompted.
3. Sign the JAR file using the following command:
   jarsigner -keystore NONE -storetype PKCS11 -tsa http://timestamp.globalsign.com/tsa/r45standard -providerClass sun.security.pkcs11.SunPKCS11 -providerArg eToken.cfg /directory/test.jar "certificateAlias"
   Enter your keystore passphrase (token password) when prompted. Then, wait for the output indicating "jar signed".
   
4. Verify the signature by using the following command:
   jarsigner -verify -verbose /directory/test.jar
   You should be getting an output similar to the image below with "jar verified" at the end.