Java代码签名证书申请和使用指南

第1步 下载签名工具 Step 1: Download Signing Tools

若是您尚未签名工具，请到SUN公司网站免费下载：http://java.sun.com/j2se/，推荐下载JDK1.4.2或以上版本，支持Solaris SPARC/x86, Linux86 和 Windows 操做系统。
         If you have not already done so, download the Java 2 Software Development Kit (SDK). The latest version is available free of charge for the Solaris SPARC/x86, Linux86, and Microsoft Windows platforms from http://java.sun.com/j2se/.

您将使用签名工具中的 keytool, jar, jarsigner 来申请代码签名证书和数字签名您的代码。 
         You will be using the keytool, jar, and jarsigner to apply for your Code Signing Certificate and sign your code.

第2步 申请签名证书 Step 2: Enrollment （若是您没有证书，请联系易维信(EVTrust)申请）

(1) 生成私钥和公钥对(Keystore) Create a Keystore

使用如下命令生成私钥和公钥对： 
         To generate a public/private key pair, enter the following command, specifying a name for your keystore and an alias as well.

c:\jdk1.5\bin\keytool -genkey -keyalg rsa -keystore <keystore_filename> -alias <alias_name>

Keytool 会提示您输入私钥密码、您的姓名(Your name，填单位网址)、您的部门名称、单位名称、所在城市、所在省份和国家缩写(中国填：CN，其余国家填其缩写)，单位名称必定要与证实文件上的名称 一致，部门名称(OU)能够不填。除国家缩写必须填CN外，其他均可以是英文或中文。请必定要保存好您的私钥和私钥密码。咱们不会要求您提供私钥文件！
         Keytool prompts you to enter a password for your keystore, your name, organization, and address. The public/private key pair generated by keytool is saved to your keystore and will be used to sign Java Applets and applications. This key is never sent to GlobalSign and is required to sign code. GlobalSign encourages you to make a copy of the public/private key pair and store it in a safe deposit box or other secure location. If the key is lost or stolen, contact GlobalSign immediately to have it revoked.

(2) 生成证书请求文件(CSR) Generate a CSR

请使用以下命令生成证书请求文件(CSR)： 
         You need to generate a Certificate Signing Request (CSR) for the enrollment process, the following command requests Keytool to create a CSR for the key pair in the keystore:

c:\jdk1.5\bin\keytool –certreq –file certreq.csr –keystore <keystore_filename> -alias <alias_name>

请把生成的certreq.csr 文件复制和粘贴到GlobalSign证书在线申请页面的CSR文本框中，或直接发给维瑞客服，请等待1-2个工做往后颁发证书。
         Copy the contents of the CSR and paste them directly into the 维瑞信 enrollment form. Open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).

第3步 使用代码签名证书 Step 3: Begin Using

(1) 导入签名证书 Import GlobalSign Codesigning Certificate

一旦GlobalSign验证了您的真实身份，将会颁发证书给您。您须要到GlobalSign网站下载您的证书，请选择 PKCS #7 格式证书(PKCS #7 Certificate Chain)，此证书格式含有您的证书和根证书链，Keytool要求此格式证书 ，请把证书保存到您的电脑中。
         Once GlobalSign has verified your identity, we will send a confirmation e-mail with your Sun Java Code Signing Certificate attached. Upon receipt, the attached Code Signing Certificate is saved to a file on your computer. A Code Signing Certificate is a "trust path" or "chain" back to the GlobalSign root certificate. This "trust path" allows your code to be validated on any standard JRE without installing any additional files.

请使用以下命令导入您的证书到keystore 中，这里假设您的证书名称为：cert.cer，请同时指明详细路径，一旦成功导入证书，请及时备份您的keystore文件： 
         To import your Sun Java Signing Code Signing Certificate into your keystore, enter the following code with the path correct name for your file (for example, “cert.cer”).

c:\jdk1.5\bin\keytool -import –trustcacerts –keystore <keystore_filename> -alias <alias_name> -file cert.cer

(2) 把Applet代码打包成JAR文件 Bundle Applet into a JAR File

请使用jar 把您的Java代码打包成JAR文件，此JAR文件包含了当前目录及其子目录的全部Applet文件： 
         Use jar to bundle your Applets or applications as a JAR file. This string creates a JAR file C:\TestApplet.jar. The JAR file contains all the files under the current directory and its sub-directories.

c:\jdk1.5\bin\jar cvf C:\TestApplet.jar

运行后， Jar会显示： Jar responds:

added manifest 
         adding: TestApplet.class (in = 94208) (out= 20103)(deflated 78%) 
         adding: TestHelper.class (in = 16384) (out= 779)(deflated 95%)

(3) 数字签名Applet Sign Your Applet

使用jarsigner签名您的JAR文件，最后的参数Mycert为Keystore中签名证书的别名：
         Use jarsigner to sign the JAR file with the private key you saved in your keystore.

c:\jdk1.5\bin\jarsigner C:\TestApplet.jar MyCert

(a) 会提示您输入私钥密码，请使用您在第1步设置的密码；
         At the prompt, enter the password to your keystore. 
 
         (b) 请输入.jar文件的完整路径和文件名，MyCert 就是您在生成私钥和CSR时使用的别名<alias_name>；
         In the command syntax, TestApplet represents the name and location of your JAR file. MyCert must specify the same value that you used when generating the key pair and certificate signing request (CSR).
 
         (c) Jarsigner 会生成您的代码摘要(Hash)，并把此摘要和您的签名证书添加到JAR文件中。
         Jarsigner hashes your Applet or application and stores the hash in the JAR file with a copy of your Code Signing Certificate.

若是您已经有了从其余电脑上备份的Keystore文件(如：wotonecs.jks)，则能够使用以下命令来签名JAR文件，最后的参数wotonecs为Keystore中签名证书的别名：

c:\jdk1.5\bin\jarsigner -keystore wotonecs.jks C:\TestApplet.jar wotonecs

(d) 使用如下命令验证已经签名的JAR文件 Verify the output of your signed JAR file.

c:\jdk1.5\bin\jarsigner -verify -verbose -certs c:\TestApplet.jar

一旦成功签名，就能够把已经签名的JAR文件放到网上供用户下载了，用户端的Java系统会显示您的签名证书信息，若是已经签名的文件被篡改或损坏，则系统会提醒用户并拒绝安装。           When the signed JAR file is downloaded, the Java Runtime Environment will display your certificate to the user. If the file is tampered with in any way after it has been signed, the user will be notified and given the option to refuse installation.