Sign JARs with jarsigner - Infisical

<Info> This guide assumes your Product Admin has already created a [Signer](/documentation/platform/pki/code-signing/signers) and assigned you to it. If the signer has an approval policy, you'll also need [active access](/documentation/platform/pki/code-signing/approvals#access-lifecycle) before signing. </Info>

Sign Java JAR files using jarsigner with the Infisical PKCS#11 module. The module implements the PKCS#11 v2.40 standard, allowing standard signing tools to use Infisical signers without code changes.

Prerequisites

A Signer created by your Product Admin
Active signing access (if an approval policy is attached)
A machine identity added to the Signer
The Infisical PKCS#11 module installed and configured
Java JDK 9 or later (for the -addprovider flag)

Step 1: Set Up Authentication

Configure the Infisical PKCS#11 module with your machine identity credentials. Without this, the signing commands below fail with an auth error.

Create /etc/infisical/pkcs11.conf (or set INFISICAL_PKCS11_CONFIG to point elsewhere):

yaml

auth:
  method: universal-auth
  universal_auth:
    client_id: "<machine-identity-client-id>"
    client_secret: "<machine-identity-client-secret>"

signer:
  id: "<signer-id>"

You can also pass the credentials via environment variables:

bash

export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="<machine-identity-client-id>"
export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="<machine-identity-client-secret>"

<Note> Environment variables override values from the config file. </Note>

For the full set of options, see the PKCS#11 module configuration reference.

Step 2: Create the SunPKCS11 Provider Configuration

Create a configuration file for Java's SunPKCS11 provider. Save it as infisical-pkcs11.cfg:

name = Infisical
library = /usr/local/lib/libinfisical-pkcs11.so

<Note> On macOS, use the `.dylib` extension. On Windows, use `.dll`. </Note>

If you have multiple signers and want to target a specific one, add the slot parameter:

name = Infisical
library = /usr/local/lib/libinfisical-pkcs11.so
slot = 0

Step 3: Sign a JAR

Use jarsigner with the PKCS#11 provider to sign your JAR file:

bash

jarsigner \
  -keystore NONE \
  -storetype PKCS11 \
  -addprovider SunPKCS11 \
  -providerArg infisical-pkcs11.cfg \
  -sigalg SHA256withRSA \
  myapp.jar \
  "release-signer"

<Note> - `-keystore NONE`: Required when using PKCS#11 (no file-based keystore). - `-storetype PKCS11`: Tells jarsigner to use the PKCS#11 provider. - `-sigalg`: Must match the signer's key type. Use `SHA256withRSA` for RSA keys or `SHA256withECDSA` for EC keys. - The last argument (`release-signer`) is the **signer name** (the token label in PKCS#11). </Note>

When prompted for a keystore password, you can either press Enter (the module authenticates automatically using the credentials from your environment variables or config file) or provide the PIN in the format clientId:clientSecret.

Verify the Signature

After signing, verify the JAR signature:

bash

jarsigner -verify -verbose myapp.jar

The output indicates the JAR is signed and verified:

jar verified.

CI/CD Integration

For automated signing in CI/CD pipelines, use environment variables for credentials and suppress the password prompt:

bash

export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="${INFISICAL_CLIENT_ID}"
export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="${INFISICAL_CLIENT_SECRET}"
export INFISICAL_PKCS11_CONFIG="/path/to/pkcs11.conf"

jarsigner \
  -keystore NONE \
  -storetype PKCS11 \
  -addprovider SunPKCS11 \
  -providerArg infisical-pkcs11.cfg \
  -sigalg SHA256withRSA \
  -storepass "" \
  myapp.jar \
  "release-signer"

<Note> - Use `-storepass ""` to avoid the interactive password prompt in non-interactive environments. - Ensure your machine identity has active signing access before the build starts. You can automate access requests via the Infisical API. </Note>

Troubleshooting

For any issue, start by enabling debug logging in your config file to get detailed output:

json

{
  "log_level": "debug",
  "log_file": "/tmp/infisical-pkcs11.log"
}

<AccordionGroup> <Accordion title="CKR_GENERAL_ERROR when signing"> This typically means the signing request was denied by the server. Check that you have active signing access for the signer. You can verify this in the Infisical UI by opening the signer's **Approvals** tab and looking at the **Requests** panel. </Accordion> <Accordion title="No slots visible or authentication errors"> Verify that your credentials are correct and that the machine identity has been added to the Signer. </Accordion> </AccordionGroup>

What's Next?

<CardGroup cols={2}> <Card title="Sign Android APKs" icon="android" href="/documentation/platform/pki/guides/code-signing/apksigner"> Sign Android applications with apksigner </Card> <Card title="Sign with OpenSSL" icon="lock" href="/documentation/platform/pki/guides/code-signing/openssl"> Use OpenSSL with the PKCS#11 module </Card> </CardGroup>