Jarsigner Integration

Use Java jarsigner to sign JAR files through the QCecuring platform using the PKCS#11 provider and Signing Agent.

All private keys remain protected inside QCecuring.
The PKCS#11 library forwards signing requests to the local agent, which securely communicates with the backend platform and HSM/KMS.


jarsigner → PKCS#11 Provider → Signing Agent → QCecuring Platform → HSM / KMS

Before proceeding:

  • QCecuring Platform is running
  • Signing Agent is installed and running
  • PKCS#11 provider is installed (Windows DLL or Linux .so)
  • A signing certificate exists in QCecuring
  • Java 11+ is installed

Step 1 — Ensure Signing Agent is Running

Verify the agent service is active:

Get-Service QCecuring-Code-Signing-Agent

Status should be:

Running

If not running:

Start-Service QCecuring-Code-Signing-Agent

Step 2 — Create PKCS#11 Configuration File

Create a file named:

qcecuring-codesigning-pkcs11.cfg

Windows:

name = QCecuringPKCS11
library = C:\Program Files\QCecuring\CodeSigning\agent\qcecuring-codesigning-pkcs11.dll
slot = 0

Linux:

name = QCecuringPKCS11
library = /opt/qcecuring/codesigning/libqcecuring-codesigning-pkcs11.so
slot = 0

Ensure the library path matches your installation.


Step 3 — Verify Certificates via PKCS#11

Before signing, confirm Java can see available certificates.

keytool -list \
-keystore NONE \
-storetype PKCS11 \
-providerClass sun.security.pkcs11.SunPKCS11 \
-providerArg qcecuring-codesigning-pkcs11.cfg

Expected output:

Your keystore contains 1 entry
Code Signing Certificate

If no certificates are listed, verify:

  • Agent is running
  • Certificate is ACTIVE in QCecuring
  • Platform connectivity is healthy

Sign the JAR:

jarsigner \
-keystore NONE \
-storetype PKCS11 \
-providerClass sun.security.pkcs11.SunPKCS11 \
-providerArg qcecuring-codesigning-pkcs11.cfg \
-storepass "" \
-signedjar myapp-signed.jar \
myapp.jar \
"Code Signing Certificate"

Timestamping is strongly recommended for production:

jarsigner \
-keystore NONE \
-storetype PKCS11 \
-providerClass sun.security.pkcs11.SunPKCS11 \
-providerArg qcecuring-codesigning-pkcs11.cfg \
-storepass "" \
-tsa http://timestamp.digicert.com \
-signedjar myapp-signed.jar \
myapp.jar \
"Code Signing Certificate"

Verify the signed JAR:

jarsigner -verify -verbose -certs myapp-signed.jar

Expected:

jar verified.
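
The signing, timestamping and verification steps above can be chained into one fail-closed shell function, so that an unverified JAR never reaches the output path. This is an added example, not part of the original page or QCecuring's tooling. `sign_jar` and `p11_jarsigner` are hypothetical helper names; the config file, alias and TSA URL are the ones used in the commands above. Passing the alias to `jarsigner -verify -strict` is an extra signer check that the page's verify command does not perform.

```shell
#!/bin/sh
# Added example, not QCecuring's code. sign_jar and p11_jarsigner are
# hypothetical helper names; the defaults below are the values used in the
# commands on this page.
CFG="${CFG:-qcecuring-codesigning-pkcs11.cfg}"
ALIAS="${ALIAS:-Code Signing Certificate}"
TSA_URL="${TSA_URL:-http://timestamp.digicert.com}"

# jarsigner with the page's PKCS#11 options; "$@" carries the mode-specific tail.
p11_jarsigner() {
  jarsigner -keystore NONE -storetype PKCS11 \
    -providerClass sun.security.pkcs11.SunPKCS11 \
    -providerArg "$CFG" -storepass "" "$@"
}

# sign_jar IN OUT
# OUT is created only if signing, timestamping and strict verification succeed.
# Exit status: 0 ok, 2 missing input, 3 signing failed, 4 verification failed.
sign_jar() (
  in=$1
  out=$2
  tmp="$out.unverified.$$"
  fail() { rm -f "$tmp"; echo "$2" >&2; exit "$1"; }

  [ -f "$in" ] || fail 2 "input JAR not found: $in"

  # With -tsa set, jarsigner errors out if it cannot obtain a timestamp token,
  # so a zero exit status here means the signature is timestamped.
  p11_jarsigner -tsa "$TSA_URL" -signedjar "$tmp" "$in" "$ALIAS" \
    || fail 3 "signing failed: $in"

  # -strict makes signer warnings a non-zero exit; naming the alias makes
  # jarsigner check the entries were signed by that certificate.
  report=$(p11_jarsigner -verify -strict "$tmp" "$ALIAS" 2>&1) \
    || fail 4 "$report"
  printf '%s\n' "$report" | grep -qF 'jar verified.' || fail 4 "$report"

  mv -f "$tmp" "$out"   # publish only after verification passed
)
```

Call it as `sign_jar myapp.jar myapp-signed.jar` and treat any non-zero exit status as a failed build step.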

  • Verify configuration file path
  • Confirm library path is correct
  • Ensure JVM architecture matches library (64-bit vs 32-bit)

  • Confirm certificate is ACTIVE
  • Ensure agent is running
  • Verify agent connectivity to backend

  • Check agent logs
  • Verify key permissions
  • Confirm policy approval (if enabled)