Signing a JAR with a certificate you already own

Is this even possible? I’ve been reading the Java 5 docs, and it seems to say that it is ONLY possible to sign things using Sun’s proprietary keystore, which cannot (apparently) import keys you already own, it can only create new ones.

Forgive me for being thick, but I thought the most common way that normal people would sign stuff would be to already have a key, but that scenario isn’t even listed within the tool docs AFAICS ???

No, you can sign things using different kinds of keystores. Here’s a bit of Ant showing you how I use a PKCS#12 keystore that I got from Thawte:


<property name="keystore" value="c:/Projects/Common/build/shavenpuppyltd-code-signing-certificate.pfx" />
<property name="alias" value="puppygames"/>
<property name="storepass" value="sif n00b! get your own cert"/>
<property name="storetype" value="pkcs12"/>

...

<signjar jar="${output}/puppytron.jar"
         alias="${alias}"
         storepass="${storepass}"
         storetype="${storetype}"
         keystore="file:${keystore}"
/>

Cas :slight_smile:

Aha. Cool. Um. But I have the certs as certs + private-key rather than in a keystore…?

The commercial cert provider we’re using doesn’t know how to do this either, LOL. They too apparently had no idea that you could use an arbitrary keystore (it’s just not mentioned in the tool doc), and are keen to know how it turns out if I manage it.

They also revealed, incidentally, that they have to strip the ZIPCode field from the certs they generate specifically for people using them with Java because of a bug in Sun’s code that barfs on any cert with that field present. I suspect this may be a workaround for a bug that’s now been fixed, but it’s reassuring to know I’m not the only one who has enduring problems with Sun’s signing code :).

OK, seems to be very simple, although I haven’t checked whether it has fully worked yet:

First step, take your private key and your cert (from the provider), and (assuming you have Linux and have installed OpenSSL)


cat myprivate.key  mycertificatefromprovider.crt  | openssl pkcs12 -export -out mykeystore.keys -noiter -nomaciter -name aliasthatjavawilluse

…which will prompt you for a password to secure the keystore

Then take the generated .keys file - your new keystore - and use that to sign a JAR:


jarsigner -storetype pkcs12 -keystore mykeystore.keys -storepass PASSWORD JARFILENAME aliasthatjavawilluse
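The key + cert → PKCS#12 → jarsigner steps above, wrapped in small shell functions so each step can be checked before the signature is trusted. This is an added example, not code from the thread; the file names, alias and password are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): the key+cert -> PKCS#12 -> jarsigner
# procedure as checkable steps. File names, alias and password are assumptions.
set -u

# Build a PKCS#12 keystore from a PEM private key and certificate.
# "-name" becomes the friendlyName, which is the alias jarsigner looks up.
make_pkcs12() {            # key.pem cert.pem out.p12 alias password
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
        -name "$4" -passout "pass:$5"
}

# Confirm the keystore really carries the alias before handing it to jarsigner;
# a mismatched alias is the usual reason jarsigner finds no key to sign with.
keystore_has_alias() {     # out.p12 password alias
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -info 2>/dev/null \
        | grep -q "friendlyName: $3"
}

# The thread mentions a provider stripping the ZIP code field because an old
# Java parser choked on it; this reports whether the subject still carries one.
cert_has_postal_code() {   # cert.pem
    openssl x509 -in "$1" -noout -subject | grep -q postalCode
}

# Sign with jarsigner, then verify the signature and print the signer certs.
sign_and_verify_jar() {    # jar keystore alias password
    jarsigner -storetype pkcs12 -keystore "$2" -storepass "$4" "$1" "$3" \
        && jarsigner -verify -certs "$1"
}
```

The `-name` value is what you pass as the alias to `jarsigner`; `keystore_has_alias` catches a typo there before the signing step fails.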

I used IBM’s loony KeyTool to do the job. It has a GUI :slight_smile: However, the GUI was designed by a Linux kernel engineer with some unnamed grudge against all of Creation, and it is a succession of trials, each one even more fiendish than the last.

Cas :slight_smile:

* blahblahblahh is utterly fed up with the unremitting crapness exhibited in Sun’s and Apple’s JWS implementations, especially w.r.t. the weak parsers and useless error messages

  1. Sign a set of jars with a valid cert.
  2. Run webstart
  3. “due to an error parsing the certificate. Webstart cannot verify the integrity of this resource. … You are not allowed to run this program” (roughly; it disables copy/paste so I can’t get the precise text).

Sigh. This is probably that “Sun’s parser dies on the ZIP code” bug they were telling me about :frowning: