Is your organization building new full-stack Java applications like 70% of the enterprises interviewed by Vaadin? Then you can’t do without a Java digital signature, a must-have for any software publisher. Discover in less than 5 minutes what it is, what it does, and how to get one
“Write once, run everywhere.” This is how Sun Microsystem defined the Java programming language when it released it. A few decades later, Java really does run everywhere — from mobile phones (e.g., Android operating system) to Wikipedia search, and from cloud-based applications to the fascinating NASA WorldWind. Even Minecraft is written in Java!
This programming language is so popular among developers that, in 2023, the adoption rate of its latest long-term (LTS) support release (Java 17) grew by 430% year over year. Does it mean that applications written in Java are also highly secure? It depends. Java digital signature is the publishers’ secret weapon that keeps Java applets and applications secure against attacks and unauthorized manipulation. But what is a Java signature, exactly? What does it do? And why should you bother adding it to your products? It’s time to find out.
What Is a Java Digital Signature? A Brief Definition
Java is a platform-independent, object-oriented (i.e., focused on data rather than commands) programming language used to develop web and mobile applications. Owned by Oracle, it’s easy to write and read, and runs on virtually any device.
Java is used by nearly every company (e.g., Amazon, Cloudflare, Netflix). If you’re like the 3 billion people in this world who have an Android phone, then you’re using Java. It’s the perfect match for Internet of Things (IoT) devices and cloud applications.
Its versatility is a hit, even among the bad guys who exploit it to perpetrate their crimes. Log4j attacks, malware infections, ransomware, you name it. This is where the Java security signature comes in.
A Java digital signature is a cryptographic signature that cannot be forged. It confirms the authenticity and integrity of a code (more on that in a moment), and it’s used by developers to sign Java applications that run on desktops as well as applets running in browsers.
To create a Java digital signature, publishers must first purchase a Java code signing certificate from a trusted certificate authority (CA); its private key will need to be stored on a secure hardware token (which the CA will issue with it by default) to meet the industry’s new requirements.
Save Up to 21% on a Java Code Signing Certificate
Digitally sign unlimited JAR files and applications for as little as $211.46/year.
In a nutshell, a Java digital signature gives you a way to assert your digital identity on your Java software applications and show they haven’t been tampered with. This is crucial when you consider that nearly 40% of breaches start with malware.
“Digital signatures can be used to authenticate Java class files and other types of data sent over the network. The author of an object signs the data with his or her digital signature, and we use the author’s public key to authenticate that signature after we retrieve it. We don’t have to communicate with anyone in order to verify the authenticity of the data. We don’t even have to make sure that the communications by which we received the data are secure. We simply check the signature after the data arrives.”
But the next line of the paragraph is important because it asks a critical question: “If it is valid, we know that we have the authentic data and that it has not been tampered with . . . or do we?”
A Java digital signature uses public key cryptography and PKI digital certificates. This potent combination helps a user’s operating system or client:
Confirm the identity of the applet/application’s publisher. When you add a Java security signature to your code, every time a user runs the application, they’ll see your organization’s name listed as a “verified publisher” instead of showing the “unknown publisher” or “untrusted app” warnings. This will prove to your customers that the code is really coming from you (i.e., authenticity).
Prove that the Java/JAR file hasn’t been modified since it was first signed. A Java digital signature works a bit like your iPhone warranty seal: it protects your code from tampering and acts as tangible proof that it hasn’t been modified since it was signed.
Provide non–repudiation of the signer. This helps prevent someone from signing a piece of software and then later denying they were the source of the file.
Interested in learning more about digital signatures? Don’t miss our deep dive into the three uses of digital signatures that can take your security strategy to the next level.
What Files You Can Use Java to Create and Sign
Java can be used to create and sign many types of files, including:
.exe and .msi files on Windows operating systems
.deb and .rpm to run on Linux OSes
How Java Signing Works
Let’s say you’re a developer or publisher who’s looking to sign your latest application. When applying a digital signature, you hash your code using a cryptographic function and sign the outcome (i.e., digest) with your private key. The signed hash is then packaged with your code signing certificate, a timestamp, and your application.
Voila’. This is your digital signature (i.e., signature block).
When a user downloads/installs or runs your signed application, their client will verify the signature’s validity by comparing the hash value generated with the one included in your signature block. If they match, the integrity and authenticity of the file are confirmed, and they’ll be good to go. If they don’t, they’ll be warned that your software can’t be trusted, and the installation or download will stop.
On top of it, users can also view the Java signature details by simply right-clicking on the downloaded code icon, selecting Properties and the Digital Signature tab.
Pro tips:
When you sign your .jar files and applications, ensure you add a timestamp. It’ll extend the validity of your signature even when your Java code signing certificate is expired.
If you have several certificates and keys to manage, create a .PFX file to “Rule them all” in a single, secure bundle. (A hat tip to my fellow Tolkien fans out there.)
Discover how code signing works by checking our article that explores the process step by step.
Why Should You Care About Java Security Signatures?
Java security signatures are the magic ingredients that enable software publishers and developers to boost the security of their codes and build digital trust in their products. A Java signature will:
Secure Java applets and applications from unauthorized manipulation. Applets are small programs used in webpages to generate dynamic and interactive content. An unsigned applet or application could be easily modified by an attacker. All they have to do is to inject malicious code into it. It’s important to note: Most applets have now been replaced by modern alternatives like JavaScript and HTML5. However, Java applications are alive and kicking. Want to maintain their integrity? Apply a Java signature to your codes.
Avoid pop-up warnings during download and installation. Want to get rid of those alarming “Unknown Publisher” or “file.jar was blocked because this type of file can harm your device” message pop-ups that inform users that your application could harm their devices? Add a Java digital signature to your application to display your organization’s information instead. It’ll reassure your users, boost customer trust, and increase software download, installation, and adoption rates. And this takes us to the next point.
(NOTE: To make the Windows Defender warning window disappear altogether, you’ll need to sign using an extended validation [EV] code signing certificate, which is automatically trusted by Windows operating systems and browsers.)
Image caption: Do you really want your customers viewing this alarming “Unknown Publisher” warning every time they download or run your Java-based executables?
Improve your brand and organization’s reputation. 84% of consumers would stop buying from a brand if they lost trust in it. Compare this to the 37% of customers interviewed by PwC who would stick with a business that blows it once, so long as long as the brand takes the necessary steps to fix the issue at hand. A Java digital signature will add a shining star to your brand by showing your clients you care about the security and reliability of your software. So, give signing your code using a Java digital signature a try — your reputation can only benefit from it.
Want to start signing and time stamping your Java applications and .jar files but you don’t know the process? Once you have purchased your Java certificate, and set up your USB token on your device, follow these five simple steps.
Boost User Trust in Your JAR Files — Save Up to 21% on a Java Code Signing Certificate
Prove your Java apps and JAR files are legitimate by signing them with a Java code signing certificate. You can get one starting at $211.46/year.
Final Thoughts on What a Java Digital Signature Is
Java digital signatures are more than just a signature confirming the authenticity of your products. They safeguard all your Java applications and files from malicious tampering. Adding a Java digital signature using an EV code signing certificate even prevents the display of security alerts during the download and installation processes.
To add a Java signature and timestamp to your applications, .exe, .msi and .jar files, all you need to do is to:
Get a digital certificate and secure USB token issued by a publicly trusted CA,
Create a Java digital signature using cryptographic functions and your cryptographic key that’s stored on the token, and
Add a timestamp.
From now on, your application will be cryptographically bound to your Java digital signature. Every time a user runs or downloads the application, their client will be able to validate its integrity. Remember, though: your Java signature’s security is directly proportionate to how carefully your private keys and certificates are stored and managed. Treat them both with care and be sure to follow other code signing best practices.
Want to see how to digitally sign a Java file using a code signing certificate? Be sure to check back on our blog, as we’ll publish a step-by-step article that will walk you through the process of signing .jar files using Windows Command-Line (CMD) using Jarsigner.
Code Signing Best Practices
Want to keep your software and code safe?
Enter your contact information below below to receive your FREE Best Practices PDF:
Contact details collected by CodeSigningStore.com may be used to send you requested information, blog update notices, and for marketing purposes. Learn more…
New users – if this is your first time purchasing a cloud signing product from us, check the email address entered during enrollment for a message from DigiCert. Create your password and follow this guide.
Existing users – if you’ve purchased a cloud signing certificate in this account before, you already have an account. We’ve update your DigiCert CertCentral account to allow another Code Signing Certificate request. Login to your account here.
suspension note
In order to comply with U.S. export control and economic sanctions laws and regulations, as well as our corporate policies, we do not support users accessing our applications from Cuba, Iran, North Korea, Syria, and the regions of Crimea, Donetsk People’s Republic (DNR) and Luhansk People’s Republic (LNR) of Ukraine without prior approval from the U.S. government.
Please be aware that these restrictions apply even when a user is on temporary travel to embargoed regions although the user may not normally reside there. If you believe that you have reached this page in error, please reach out to support.
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Token + Shipping
This is the simplest option and what we recommend for most customers. DigiCert will ship a USB eToken to you, then you’ll use DigiCert’s provided software to download and install the certificate onto your USB Token.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Use an Existing Token
If you already own a compatible USB eToken (SafeNet 5110 CC, SafeNet 5110 FIPS, or SafeNet 5110+ FIPS), you can use DigiCert’s provided software to download and install the certificate onto your USB token.
Advanced Option: Install on a Hardware Security Module (HSM)
If you use a cloud or on-prem hardware security module (HSM), you can choose this option to download and install your certificate onto your HSM. DigiCert will send you an email asking you to confirm that your HSM meets the security standards, then they’ll deliver the certificate to you digitally for installation.
Any FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent HSM is compatible for this option. You can use an HSM you manage directly or you may use a key storage/vault solution that uses a compliant HSM (for example, Azure Key Vault or AWS KMS).
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Get your certificate shipped from Sectigo on a USB token
This is the simplest option and what we recommend for most customers. Just choose one of these options to have your code signing certificate and key shipped to you on a FIPS-compliant eToken (USB token):
Delivery Option
Shipping Details
USB Token + Shipping (US)
Ground shipping to addresses within the United States.
USB Token + Expedited Shipping (US)
Air express shipping to addresses within the United States.
USB Token + International Shipping (non-US)
Choose this option if your shipping address is not in the United States.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Advanced Option: Install on your own HSM or hardware token
If you already own a compliant token or HSM, you can choose this option to download and install the certificate onto your supported device:
Luna Network Attached HSM V7.x
YubiKey 5 FIPS Series
Only the listed models are compatible. For compatibility with other HSM models, please choose a DigiCert or GoGetSSL code signing certificate.
Code Signing Certificate Delivery Options
Industry standards set by the CA/B Forum now require that all code signing certificate keys be stored on a FIPS-compliant hardware security module (HSM) or hardware token. This is an industry-wide countermeasure against the rise in breaches associated with stolen signing keys. Only certificates that follow these requirements will be trusted by Microsoft Windows and other platforms.
We offer several options to deliver your code signing certificate in compliance with these new requirements:
Easiest Option: Get your certificate shipped from Comodo CA on a USB token
This is the simplest option and what we recommend for most customers. Just choose one of these options to have your code signing certificate and key shipped to you on a FIPS-compliant eToken (USB token):
Delivery Option
Shipping Details
USB Token + Shipping (US)
Ground shipping to addresses within the United States.
USB Token + Expedited Shipping (US)
Air express shipping to addresses within the United States.
USB Token + International Shipping (non-US)
Choose this option if your shipping address is not in the United States.
You’ll be able to plug the USB token into your computer or server then sign files using your preferred tool (eg. SignTool.exe, JarSigner, etc.)
Advanced Option: Install on your own HSM or hardware token
If you already own a compliant token or HSM, you can choose “Install on Existing HSM” to download and install the certificate onto your supported device:
Luna Network Attached HSM V7.x
YubiKey 5 FIPS Series
Only the listed models are compatible. For compatibility with other HSM models, please choose a DigiCert or GoGetSSL code signing certificate.