Step by Step Process: Signing and Timestamping Java FAR File

Step:1 After locating the certificate in your browser, export it with the private key while including all the certificates in the chain and exporting extended properties. A password will be required and .PFX will be the file format.

Step:2 Be sure to install and use the latest version of JDK.

Step:3 Run the command below once you create a .bat file:

keytool.exe -importkeystore -srckeystore ExportedCertificateFileExample.pfx -srcstoretype pkcs12 -destkeystore KeystoreFileExample -deststoretype JKS

This will create KeystoreFileExample

Step:4 Run the this command to get the alias value assigned by Comodo:

keytool.exe -list -storepass YourPassword -keystore KeystoreFileExample -v

Note: Your Password is the same which you entered in Step-3.

Step:5 For signing JAR use this syntax:

jarsigner.exe -keypass KeyPasswordExample -keystore KeystoreFileExample -storepass YourStorePassword -tsa http://timestamp.comodoca.com/rfc3161 -digestalg SHA-1 JarNameFile.jar YourAliasString

Password will be the same as used in Step-3.

Note:
  • Store password and key can be different.
  • -digestalg can be the algorithm you choose like, SHA-1 or SHA-256

Step:6 If you want, verify the signed jar using this command:

jarsigner.exe -verify -verbose -certs JarNameFile.jar

One thing to note is that timestamps should comply with the Time Stamping Protocol (RFC3161) if you want to Timestamp with Jarsigner. So, it's better to use timestamp URL https://support.comodo.com/index.php?/Knowledgebase/Article/View/68/0/time-stamping-server with Jarsigner.