Java代码签名证书申请和使用指南

第1步下载签名工具 Step 1: Download Signing Tools

如果您还没有签名工具，请到SUN公司网站免费下载：http://java.sun.com/j2se/，推荐下载JDK1.4.2或以上版本，支持Solaris SPARC/x86, Linux86 和 Windows 操作系统。
If you have not already done so, download the Java 2 Software
Development Kit (SDK). The latest version is available free of charge
for the Solaris SPARC/x86, Linux86, and Microsoft Windows platforms
from http://java.sun.com/j2se/.

您将使用签名工具中的 keytool, jar, jarsigner 来申请代码签名证书和数字签名您的代码。
You will be using the keytool, jar, and jarsigner to apply for your Code Signing Certificate and sign your code.

第2步申请签名证书 Step 2: Enrollment （如果您没有证书，请联系易维信(EVTrust)申请）

(1) 生成私钥和公钥对(Keystore) Create a Keystore

使用以下命令生成私钥和公钥对：
To generate a public/private key pair, enter the following
command, specifying a name for your keystore and an alias as well.

c:\jdk1.5\bin\keytool -genkey -keyalg rsa -keystore <keystore_filename> -alias <alias_name>

Keytool 会提示您输入私钥密码、您的姓名(Your
name，填单位网址)、您的部门名称、单位名称、所在城市、所在省份和国家缩写(中国填：CN，其他国家填其缩写)，单位名称一定要与证明文件上的名称
一致，部门名称(OU)可以不填。除国家缩写必须填CN外，其余都可以是英文或中文。请一定要保存好您的私钥和私钥密码。我们不会要求您提供私钥文件！
Keytool prompts you to enter a password for your keystore,
your name, organization, and address. The public/private key pair
generated by keytool is saved to your keystore and will be used to sign
Java Applets and applications. This key is never sent to GlobalSign and
is required to sign code. GlobalSign encourages you to make a copy of
the public/private key pair and store it in a safe deposit box or other
secure location. If the key is lost or stolen, contact GlobalSign
immediately to have it revoked.

(2) 生成证书请求文件(CSR) Generate a CSR

请使用如下命令生成证书请求文件(CSR)：
You need to generate a Certificate Signing Request (CSR) for
the enrollment process, the following command requests Keytool to create
a CSR for the key pair in the keystore:

c:\jdk1.5\bin\keytool –certreq –file certreq.csr –keystore <keystore_filename> -alias <alias_name>

请把生成的certreq.csr 文件复制和粘贴到GlobalSign证书在线申请页面的CSR文本框中，或直接发给维瑞客服，请等待1-2个工作日后颁发证书。
Copy the contents of the CSR and paste them directly into the
维瑞信 enrollment form. Open the file in a text editor that does not add
extra characters (Notepad or Vi are recommended).

第3步使用代码签名证书 Step 3: Begin Using

(1) 导入签名证书 Import GlobalSign Codesigning Certificate

一旦GlobalSign验证了您的真实身份，将会颁发证书给您。您需要到GlobalSign网站下载您的证书，请选择
PKCS #7 格式证书(PKCS #7 Certificate Chain)，此证书格式含有您的证书和根证书链，Keytool要求此格式证书
，请把证书保存到您的电脑中。
Once GlobalSign has verified your identity, we will send a
confirmation e-mail with your Sun Java Code Signing Certificate
attached. Upon receipt, the attached Code Signing Certificate is saved
to a file on your computer. A Code Signing Certificate is a "trust path"
or "chain" back to the GlobalSign root certificate. This "trust path"
allows your code to be validated on any standard JRE without installing
any additional files.

请使用如下命令导入您的证书到keystore 中，这里假设您的证书名称为：cert.cer，请同时指明详细路径，一旦成功导入证书，请及时备份您的keystore文件：
To import your Sun Java Signing Code Signing Certificate into
your keystore, enter the following code with the path correct name for
your file (for example, “cert.cer”).

c:\jdk1.5\bin\keytool -import –trustcacerts –keystore <keystore_filename> -alias <alias_name> -file cert.cer

(2) 把Applet代码打包成JAR文件 Bundle Applet into a JAR File

请使用jar 把您的Java代码打包成JAR文件，此JAR文件包含了当前目录及其子目录的所有Applet文件：
Use jar to bundle your Applets or applications as a JAR file.
This string creates a JAR file C:\TestApplet.jar. The JAR file contains
all the files under the current directory and its sub-directories.

c:\jdk1.5\bin\jar cvf C:\TestApplet.jar

运行后， Jar会显示： Jar responds:

added manifest
adding: TestApplet.class (in = 94208) (out= 20103)(deflated 78%)
adding: TestHelper.class (in = 16384) (out= 779)(deflated 95%)

(3) 数字签名Applet Sign Your Applet

使用jarsigner签名您的JAR文件，最后的参数Mycert为Keystore中签名证书的别名：
Use jarsigner to sign the JAR file with the private key you saved in your keystore.

c:\jdk1.5\bin\jarsigner C:\TestApplet.jar MyCert

(a) 会提示您输入私钥密码，请使用您在第1步设置的密码；
At the prompt, enter the password to your keystore.

(b) 请输入.jar文件的完整路径和文件名，MyCert 就是您在生成私钥和CSR时使用的别名<alias_name>；
In the command syntax, TestApplet represents the name and
location of your JAR file. MyCert must specify the same value that you
used when generating the key pair and certificate signing request (CSR).

(c) Jarsigner 会生成您的代码摘要(Hash)，并把此摘要和您的签名证书添加到JAR文件中。
Jarsigner hashes your Applet or application and stores the
hash in the JAR file with a copy of your Code Signing Certificate.

如果您已经有了从其他电脑上备份的Keystore文件(如：wotonecs.jks)，则可以使用如下命令来签名JAR文件，最后的参数wotonecs为Keystore中签名证书的别名：

c:\jdk1.5\bin\jarsigner -keystore wotonecs.jks C:\TestApplet.jar wotonecs

(d) 使用以下命令验证已经签名的JAR文件 Verify the output of your signed JAR file.

c:\jdk1.5\bin\jarsigner -verify -verbose -certs c:\TestApplet.jar

一旦成功签名，就可以把已经签名的JAR文件放到网上供用户下载了，用户端的Java系统会显示您的签名证书信息，如果已经签名的文件被篡改或损坏，则系统会提醒用户并拒绝安装。
When the signed JAR file is downloaded, the Java Runtime
Environment will display your certificate to the user. If the file is
tampered with in any way after it has been signed, the user will be
notified and given the option to refuse installation.