Jsign is a Java implementation of Microsoft Authenticode that lets you sign and timestamp executable files for Windows, Microsoft Installers (MSI), Cabinet files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX) and scripts. Jsign is platform independent and provides an alternative to native tools like signcode/signtool on Windows or the Mono development tools on Unix systems.
Jsign comes as an easy-to-use task/plugin for the main build systems (Maven, Gradle, Ant). It's especially suitable for signing executable wrappers and installers generated by tools like NSIS, msitools, install4j, exe4j or launch4j. Jsign can also be used programmatically or standalone as a command line tool.
Jsign is free to use and licensed under the Apache License version 2.0.
- Platform independent signing of Windows executables, DLLs, Microsoft Installers (MSI), Cabinet files (CAB), Catalog files (CAT), Windows packages (APPX/MSIX) and scripts (PowerShell, VBScript, JScript, WSF)
- Timestamping with retries and fallback on alternative servers (RFC 3161 and Authenticode protocols supported)
- Supports multiple signatures per file, for all file types
- Extracts and embeds detached signatures to support reproducible builds
- Hashing algorithms: MD5, SHA-1, SHA-256, SHA-384 and SHA-512
- Keystores supported:
- PKCS#12, JKS and JCEKS files
- PKCS#11 hardware tokens (YubiKey, Nitrokey, etc)
- Cloud key management systems (AWS KMS, Azure Key Vault, DigiCert ONE, Google Cloud KMS, SSL.com eSigner, HashiCorp Vault)
- Private key formats: PVK and PEM (PKCS#1 and PKCS#8), encrypted or not
- Certificates: PKCS#7 in PEM and DER format
- Build tools integration (Maven, Gradle, Ant)
- Command line signing tool
- Authenticode signing API (Javadoc)
See https://ebourg.github.io/jsign for more information.
- APPX/MSIX package signing has been implemented (thanks to Maciej Panek for the help)
- The certificate chain in the file specified by the
certfile
parameter can now be in any order - API changes:
- The signature can be removed by setting a null signature on the
Signable
object
- The signature can be removed by setting a null signature on the
- The AWS KMS signing service has been integrated (with contributions from Vincent Malmedy)
- Nitrokey support has been improved with automatic PKCS#11 configuration using the new
NITROKEY
storetype - Smart cards are now supported with the new
OPENSC
storetype - OpenPGP cards are now supported with the new
OPENPGP
storetype - Google Cloud KMS via HashiCorp Vault is now supported with the new
HASHICORPVAULT
storetype (contributed by Maria Merkel) - The Maven plugin can now use passwords defined in the Maven settings.xml file
- The "X.509 Certificate for PIV Authentication" on a Yubikey (slot 9a) is now automatically detected
- SHA-1 signing with Azure Key Vault is now possible (contributed by Andrij Abyzov)
- MSI signing has been improved:
- MSI files with embedded sub storages (such as localized installers) are now supported
- Signing a MSI file already signed with an extended signature is no longer rejected
- An issue causing some MSI files to become corrupted once signed has been fixed
- A user friendly error message is now displayed when the private key and the certificate don't match
- Setting
-Djava.security.debug=sunpkcs11
with theYUBIKEY
storetype no longer triggers an error - The cloud keystore name is no longer treated as a relative file by the Ant task and the Maven plugin
- The paths are resolved relatively to the Ant/Maven/Gradle subproject or module directory instead of the root directory
- Signing with SSL.com eSigner now also works when the malware scanning feature is enabled
- API changes:
- The
KeyStoreUtils
class has been replaced byKeyStoreBuilder
- The
- Upgraded BouncyCastle to 1.73
- Signing of Windows catalog files has been implemented
- The syntax to invoke the Gradle plugin with the Kotlin DSL has been simplified
- Several OutOfMemoryError caused by invalid input files have been fixed (thanks to OSS-Fuzz)
- API changes:
- The Signable interface now extends Closeable and can be used in try-with-resources blocks
- Files are no longer closed after signing
- Most parsing errors are now rethrown as IOException
- Upgraded BouncyCastle to 1.71.1
- The SSL.com eSigner service has been integrated
- The Ant task can now sign multiple files by defining a fileset (contributed by Kyle Berezin)
- The type of the keystore is now automatically detected from the file header
- The
storepass
andkeypass
parameters can now be read from a file or from an environment variable - The execution of the Maven plugin can now be skipped (with the
<skip>
configuration element, or thejsign.skip
property) - Fixed the "Map failed" OutOfMemoryError when signing large MSI files
- Certificates using an elliptic-curve key are now supported
- The default timestamping authority is now Sectigo instead of Comodo
- The signed file is now properly closed after attaching or detaching a signature (contributed by Mark Thomas)
- A detached signature added to a PE file whose length isn't a multiple of 8 is no longer invalid
- Fixed an error when signing with a Yubikey on Windows with a 32-bit JRE
- The PKCS#11 slot of the Yubikey is now automatically detected
- Upgraded BouncyCastle to 1.71
- MS Cabinet signing has been implemented (contributed by Joseph Lee)
- Signatures can be detached and re-attached to make the builds reproducible without access to the private key
- The new
YUBIKEY
storetype can be specified to sign with a YubiKey (the SunPKCS11 provider is automatically configured) - The Azure Key Vault, DigiCert ONE and Google Cloud KMS cloud key management systems have been integrated
- The Maven plugin can now sign multiple files by defining a fileset (contributed by Bernhard Stiftner).
- The command line tool can now sign multiple files
- The
alias
parameter is now optional if the keystore contains only one entry (contributed by Michele Locati) - The keystore aliases are now listed in the error message if the alias specified is incorrect
- The
storetype
parameter is no longer required for JCEKS keystores - Fixed the update of the PE checksum (contributed by Markus Kilås)
- The
CMSAlgorithmProtection
attribute is no longer added to the signature (contributed by Yegor Yarko) - The signature algorithm is identified as
RSA
instead ofsha*RSA
when using SHA-2 digests (contributed by Yegor Yarko) - Upgraded BouncyCastle to 1.69
- Certificate files can now be used with a PKCS11 token to support OpenPGP cards unable to hold a whole certificate chain (contributed by Erwin Tratar)
- Fixed an IllegalArgumentException when parsing large entries of MSI files
- Jsign now requires Java 8 or higher
- MSI signing has been implemented
- Script signing has been implemented: PowerShell (contributed by Björn Kautler), VBScript, JScript and WSF
- The Maven plugin now uses the proxy defined in the Maven settings for the timestamping (contributed by Denny Bayer)
- The Maven plugin now accepts passwords encrypted using the Maven security settings (contributed by Denny Bayer)
- The Maven plugin is now bound by default to the
package
phase - The timestamping is no longer enabled by default with the Maven plugin
- Renamed the command line tool from
pesign
tojsign
- Renamed the Ant task and the Gradle extension method from
signexe
tojsign
- SOCKS proxies are now supported
- Fixed the invalid SHA-512 signatures (contributed by Markus Kilås)
- The non-timestamped signatures are now reproducible (the
signingTime
attribute has been removed) - Upgraded BouncyCastle to 1.64
- Fixed the loading of SunPKCS11 configuration files with Java 9
- SunPKCS11 configuration files can be loaded from any directory
- Maven plugin settings can now be passed on the command line (contributed by Nicolas Roduit)
- The first timestamping authority specified is no longer skipped (contributed by Thomas Atzmueller)
- Fixed the typo on the withTimestampingAuthority() methods in PESigner (contributed by Bjørn Madsen)
- Upgraded BouncyCastle to 1.60
- Jsign now requires Java 7 or higher
- Multiple signatures are now supported. New signatures can replace or be added to the previous ones.
- PKCS#11 hardware tokens are now supported.
- The signature algorithm can now be specified independently of the digest algorithm (contributed by Markus Kilås)
- Timestamping is attempted 3 times by default with a 10 seconds pause if an exception occurs (contributed by Erwin Tratar)
- Timestamping can now fail over to other services
- Private keys in PEM format are now supported (PKCS#1 and PKCS#8, encrypted or not)
- Upgraded BouncyCastle to 1.54 (contributed by Markus Kilås)
- Fixed the Accept header for RFC 3161 requests (contributed by Markus Kilås)
- Internal refactoring to share the code between the Ant task and the CLI tool (contributed by Michael Peterson)
- The code has been split into distinct modules (core, ant, cli).
- Jsign is now available as a plugin for Maven (net.jsign:jsign-maven-plugin) and Gradle
- The API can be used to sign in-memory files using a SeekableByteChannel
- The command line tool now supports HTTP proxies (contributed by Michael Szediwy)
- RFC 3161 timestamping services are now supported (contributed by Florent Daigniere)
- The digest algorithm now defaults to SHA-256
- The shaded dependencies are now relocated to avoid conflicts
- Added SHA-384 and SHA-512 checksums support
- SHA-2 is accepted as an alias for SHA-256
- Reduced the memory usage when signing large files
- Files over 2 GB are now supported
- Improved the thread safety
- Command line interface with bash completion for signing files (available as RPM and DEB packages)
- The keystore is no longer locked if the signing fails
- Initial release