This guide provides a straightforward approach to integrating the KeyVault JCA provider with Jarsigner, ensuring a seamless process for users.
Before beginning, ensure you have the following:

- An Azure subscription - create one for free.
- Java Development Kit (JDK) version 8 or 17.
  Note: this doc is not supported with JDK 21.
- Azure CLI
- jq - a lightweight and flexible command-line JSON processor.
- A signing certificate whose key uses one of the supported algorithms: DSA, RSA, or ECDSA.
- Download the JCA Provider Jar.
  - If you are using Java 8, you need to add the JCA provider jar to the class path.
  - If you are using Java 9 or higher, just place the jar in a folder that jarsigner can access.
Follow these steps carefully to achieve successful integration:

- Prepare your parameters.

  ```shell
  DATE_STRING=$(date +%H%M%S)
  RESOURCE_GROUP_NAME=jarsigner-rg-$DATE_STRING
  KEYVAULT_NAME=jarsigner-kv-$DATE_STRING
  CERT_NAME=jarsigner-cert-$DATE_STRING
  SERVICE_PRINCIPAL_NAME=jarsigner-sp-$DATE_STRING
  SUBSCRIPTION_ID=$(az account show --query id -o tsv)
  ```

- Create a resource group.

  ```shell
  az group create --name $RESOURCE_GROUP_NAME --location "EastUS"
  ```

- Create a key vault.

  ```shell
  az keyvault create --name $KEYVAULT_NAME --resource-group $RESOURCE_GROUP_NAME --location "EastUS"
  ```

- Assign yourself the role needed to create certificates in the key vault.

  ```shell
  # Get your user object ID (if you're using a user account)
  USER_OBJECTID=$(az ad signed-in-user show --query id -o tsv)
  # Or, if you're using a service principal, get its object ID
  # SP_OBJECTID=$(az ad sp show --id <your-sp-id> --query id -o tsv)
  # Assign the Key Vault Certificates Officer role
  az role assignment create \
    --role "Key Vault Certificates Officer" \
    --assignee $USER_OBJECTID \
    --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP_NAME/providers/Microsoft.KeyVault/vaults/$KEYVAULT_NAME"
  ```

- Get the key vault URL.

  ```shell
  KEYVAULT_URL=$(az keyvault show --name $KEYVAULT_NAME --query "properties.vaultUri" --resource-group $RESOURCE_GROUP_NAME -o tsv | tr -d '\r\n')
  echo $KEYVAULT_URL
  ```

- Add a certificate to the key vault.

  ```shell
  az keyvault certificate create --vault-name $KEYVAULT_NAME -n $CERT_NAME -p "$(az keyvault certificate get-default-policy)"
  ```

- Create a service principal.

  ```shell
  SP_JSON=$(az ad sp create-for-rbac --name $SERVICE_PRINCIPAL_NAME)
  CLIENT_ID=$(echo $SP_JSON | jq -r '.appId')
  CLIENT_SECRET=$(echo $SP_JSON | jq -r '.password')
  TENANT=$(echo $SP_JSON | jq -r '.tenant')
  echo "CLIENT_ID:"$CLIENT_ID
  echo "CLIENT_SECRET:"$CLIENT_SECRET
  echo "TENANT:"$TENANT
  ```

  Note the appId (CLIENT_ID) and password (CLIENT_SECRET) from the output; you'll need them later.

- Get the object ID of the service principal.

  ```shell
  OBJECTID=$(az ad sp show --id "$CLIENT_ID" --query id -o tsv | tr -d '\r\n')
  echo $OBJECTID
  ```

- Assign roles to the service principal.

  ```shell
  # Assign the Key Vault Secrets Officer role to the service principal
  az role assignment create \
    --role "Key Vault Secrets Officer" \
    --assignee $OBJECTID \
    --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP_NAME/providers/Microsoft.KeyVault/vaults/$KEYVAULT_NAME"
  # Assign the Key Vault Certificates Officer role to the service principal
  az role assignment create \
    --role "Key Vault Certificates Officer" \
    --assignee $OBJECTID \
    --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP_NAME/providers/Microsoft.KeyVault/vaults/$KEYVAULT_NAME"
  ```
- Prepare your jar: have the jar file you wish to sign ready.
- Execute jarsigner: use the jarsigner tool with the KeyVault JCA provider to sign your jar file.

  You need to replace the parameters below with the actual values.

  | Parameter | Description | Example |
  |---|---|---|
  | PARAM_YOUR_JAR_FILE_PATH | The path to the jar file you wish to sign. | /path/to/your/jarfile.jar |
  | PARAM_JCA_PROVIDER_JAR_PATH | The path to the JCA provider jar file. | /path/to/your/azure-security-keyvault-jca-2.8.1.jar |
  - If you are using Java 8, sign the jar using the command below.

    ```shell
    jarsigner -keystore NONE -storetype AzureKeyVault \
      -signedjar signerjar.jar ${PARAM_YOUR_JAR_FILE_PATH} "${CERT_NAME}" \
      -verbose -storepass "" \
      -providerName AzureKeyVault \
      -providerClass com.azure.security.keyvault.jca.KeyVaultJcaProvider \
      -J-Dazure.keyvault.uri=${KEYVAULT_URL} \
      -J-Dazure.keyvault.tenant-id=${TENANT} \
      -J-Dazure.keyvault.client-id=${CLIENT_ID} \
      -J-Dazure.keyvault.client-secret=${CLIENT_SECRET}
    ```

  - If you are using Java 9 or higher, sign the jar using the command below.

    ```shell
    jarsigner -keystore NONE -storetype AzureKeyVault \
      -signedjar signerjar.jar ${PARAM_YOUR_JAR_FILE_PATH} "${CERT_NAME}" \
      -verbose -storepass "" \
      -providerName AzureKeyVault \
      -providerClass com.azure.security.keyvault.jca.KeyVaultJcaProvider \
      -J--module-path="${PARAM_JCA_PROVIDER_JAR_PATH}" \
      -J--add-modules="com.azure.security.keyvault.jca" \
      -J-Dazure.keyvault.uri=${KEYVAULT_URL} \
      -J-Dazure.keyvault.tenant-id=${TENANT} \
      -J-Dazure.keyvault.client-id=${CLIENT_ID} \
      -J-Dazure.keyvault.client-secret=${CLIENT_SECRET}
    ```
- Check your output; it may look like this:

- Verify the signed jar using the following jarsigner command.

  ```shell
  jarsigner -verify -verbose -certs signerjar.jar
  ```
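The Java 8 / Java 9+ branch and the verification step above, as an added example that is not part of the original guide: a POSIX sh script that chooses the provider-loading flags from the `java -version` banner, wraps the signing call, and turns the `jarsigner -verify` report into an exit status a build can fail on. The variables JCA_JAR and INPUT_JAR and all function names are assumptions; the guide's own variables (KEYVAULT_URL, TENANT, CLIENT_ID, CLIENT_SECRET, CERT_NAME) are reused as-is.

```shell
#!/bin/sh
# Added example, not code from the guide: picks the Java 8 or Java 9+ form of the
# jarsigner call from the `java -version` banner and grades a `jarsigner -verify`
# report. Assumes the guide's variables (KEYVAULT_URL, TENANT, CLIENT_ID,
# CLIENT_SECRET, CERT_NAME) plus JCA_JAR and INPUT_JAR; all function names are ours.

# Major version from the first line of `java -version 2>&1`:
# 'openjdk version "1.8.0_292"' -> 8, 'openjdk version "17.0.9" ...' -> 17.
java_major_version() {
    v=$(printf '%s\n' "$1" | head -n 1 | sed -n 's/^[^"]*"\([^"]*\)".*/\1/p')
    case "$v" in
        1.*) printf '%s\n' "$v" | cut -d. -f2 ;;
        *)   printf '%s\n' "$v" | cut -d. -f1 ;;
    esac
}

# Provider-loading flags: none on Java 8 (the jar is on the class path); the
# guide's module-path/add-modules pair on Java 9 and later.
provider_flags() {
    [ "$1" -ge 9 ] || return 0
    printf '%s' "-J--module-path=$2 -J--add-modules=com.azure.security.keyvault.jca"
}

# Sign INPUT_JAR to signed.jar. The client secret has to be a system property,
# so it is visible in the jarsigner process arguments: keep this out of shared
# shell histories and CI logs.
sign_jar() {
    major=$(java_major_version "$(java -version 2>&1)")
    # $(provider_flags ...) is deliberately unquoted so it splits into two flags
    jarsigner -keystore NONE -storetype AzureKeyVault -storepass "" -verbose \
        -providerName AzureKeyVault \
        -providerClass com.azure.security.keyvault.jca.KeyVaultJcaProvider \
        $(provider_flags "$major" "$JCA_JAR") \
        -J-Dazure.keyvault.uri="$KEYVAULT_URL" -J-Dazure.keyvault.tenant-id="$TENANT" \
        -J-Dazure.keyvault.client-id="$CLIENT_ID" \
        -J-Dazure.keyvault.client-secret="$CLIENT_SECRET" \
        -signedjar signed.jar "$INPUT_JAR" "$CERT_NAME"
}

# Grade `jarsigner -verify -verbose -certs` text: 0 = "jar verified." and no
# warning block, 2 = verified but with warnings (e.g. an expired signer
# certificate), 1 = not verified. Use it to fail a build, not just eyeball it.
check_verify_output() {
    printf '%s\n' "$1" | grep -q '^jar verified\.' || return 1
    printf '%s\n' "$1" | grep -q '^Warning:' && return 2
    return 0
}
```

Call `sign_jar` after exporting the guide's variables, then feed the text of `jarsigner -verify -verbose -certs signed.jar` to `check_verify_output` and treat any non-zero status as a failed release step.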
By following these steps, you can easily integrate the KeyVault JCA provider with jarsigner. This method ensures a secure and efficient signing process using Azure Key Vault.

To avoid Azure charges, you should clean up unnecessary resources.

```shell
az group delete --name $RESOURCE_GROUP_NAME --yes --no-wait
az ad app delete --id $CLIENT_ID
```