How to Use Jsign to Sign Windows Executable Wrappers and Installers?

Sign Windows Executable File using Jsign

Among code signing tools, Jsign is a popular choice. It covers the common cases, signing Windows executables, installers and executable wrappers, and it works with private keys held on physical tokens and HSMs as well as in cloud key management services.

The sections below explain what Jsign is and how executable wrappers and installers are signed with it.

What is Jsign?

Jsign is a Java implementation of Microsoft Authenticode signing that serves as a platform-independent alternative to Microsoft's SignTool. It signs and timestamps executable files, installers and wrappers, including:

  • PE files (EXE, DLL and other Windows executables)
  • MSI (Microsoft Installers)
  • CAB (Cabinet Files)
  • CAT (Catalog Files)
  • Windows packages (APPX/MSIX)
  • Scripts written in VBScript, PowerShell, JScript and WSF
  • Installers and wrappers generated with NSIS, install4j, exe4j, launch4j and msitools

Top Jsign Features To Know

Jsign's feature set is what makes it a practical signing tool rather than just a SignTool substitute:

  • Support for the SHA-1, SHA-256, SHA-384 and SHA-512 digest algorithms (SHA-1 is obsolete and should only be added as a secondary signature for legacy Windows versions).
  • Support for PKCS#11 tokens, PKCS#12 and Java keystores, and the cloud services DigiCert ONE, Google Cloud KMS, HashiCorp Vault, AWS KMS and Azure Key Vault.
  • Multiple signatures on a single file, for example a SHA-256 signature alongside a legacy SHA-1 one.
  • Private keys in PVK and PEM (PKCS#1 and PKCS#8) format.
  • Integration with Maven, Gradle and Ant builds.
  • A Java API for Authenticode signing, documented in the project's Javadoc.

The Use of Jsign with Code Signing Platforms

Jsign works with the major keystore types, hardware tokens and cloud HSM/KMS services. The commands below show how to sign an executable with each of them; replace the placeholders with your own values.

Signing with a Java Keystore

To sign with a Java keystore (JKS), run the following command.

 jsign --keystore keystore.jks --storepass password --alias test \
       --tsaurl http://timestamp.sectigo.com application.exe

The command loads the private key and certificate from keystore.jks using the keystore password and the alias test, signs application.exe and obtains a timestamp from the Sectigo timestamping authority. The timestamp matters: it lets Windows keep trusting the signature after the signing certificate expires, so a signature without one has to be redone whenever the certificate is renewed. Note that a password given on the command line ends up in shell history and process listings; in CI, prefer the Maven, Gradle or Ant integration so the secret is supplied by the build environment.
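What exactly does the digest algorithm from the feature list get applied to, and what does the signing step append to the file? The following added example (not Jsign's own code, and not from the original article) computes the Authenticode digest of a PE file the way a signer does and lists the WIN_CERTIFICATE entries in the file's security directory. The sample PE is constructed inline and is not a real program; the certificate blob is a placeholder standing in for the PKCS#7 SignedData that Jsign would produce.

```python
"""Authenticode digest and WIN_CERTIFICATE inspection for PE files.

Added example, not part of Jsign. It shows what a signer hashes (the
Authenticode digest, selectable as sha1/sha256/...) and how the signature
blob is attached to the file. The sample PE below is constructed inline.
"""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data-directory index of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData
WIN_CERT_REVISION_2_0 = 0x0200


def parse_pe(data):
    """Return the offsets that Authenticode hashing needs from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    pe32plus = struct.unpack_from("<H", data, opt_off)[0] == 0x20B
    size_of_headers = struct.unpack_from("<I", data, opt_off + 60)[0]
    # CheckSum is at OptionalHeader+64 in both formats; the data directories
    # start at +96 (PE32) or +112 (PE32+), 8 bytes per entry.
    checksum_off = opt_off + 64
    secdir_off = opt_off + (112 if pe32plus else 96) + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", data, secdir_off)
    sect_off = opt_off + opt_size
    sections = []
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData sit at +16/+20 of each 40-byte section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect_off + 40 * i + 16)
        sections.append((raw_ptr, raw_size))
    return {"checksum_off": checksum_off, "secdir_off": secdir_off,
            "size_of_headers": size_of_headers, "sections": sections,
            "cert_off": cert_off, "cert_size": cert_size}


def authenticode_hash(data, alg="sha256"):
    """Digest the file the way Authenticode does: skip the CheckSum field,
    the security data-directory entry and the certificate table itself."""
    pe = parse_pe(data)
    h = hashlib.new(alg)
    h.update(data[:pe["checksum_off"]])
    h.update(data[pe["checksum_off"] + 4:pe["secdir_off"]])
    h.update(data[pe["secdir_off"] + 8:pe["size_of_headers"]])
    end = pe["size_of_headers"]
    for ptr, size in sorted(pe["sections"]):       # sections in file order
        h.update(data[ptr:ptr + size])
        end = max(end, ptr + size)
    # Data after the sections (e.g. an installer payload) is hashed too,
    # minus the certificate table.
    if pe["cert_size"]:
        h.update(data[end:pe["cert_off"]])
        h.update(data[pe["cert_off"] + pe["cert_size"]:])
    else:
        h.update(data[end:])
    return h.hexdigest()


def list_certificates(data):
    """Walk the 8-byte-aligned WIN_CERTIFICATE entries in the security directory."""
    pe = parse_pe(data)
    entries, off, end = [], pe["cert_off"], pe["cert_off"] + pe["cert_size"]
    while pe["cert_size"] and off + 8 <= end:
        length, revision, ctype = struct.unpack_from("<IHH", data, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        entries.append({"length": length, "revision": revision, "type": ctype,
                        "blob": data[off + 8:off + length]})
        off += (length + 7) & ~7
    return entries


def build_sample_pe(cert_blob=None, checksum=0):
    """Constructed fixture: a minimal PE32+ with one .text section. If cert_blob
    is given it is appended as a WIN_CERTIFICATE, as a signer would do, and the
    security directory is pointed at it."""
    pe_off, size_of_headers, file_align = 0x40, 0x200, 0x200
    section = b"\x48\x31\xC0\xC3".ljust(file_align, b"\0")   # xor rax,rax; ret
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<II", opt, 32, 0x1000, file_align)       # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, size_of_headers)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)
    struct.pack_into("<H", opt, 68, 3)                         # Subsystem: console
    struct.pack_into("<H", opt, 108, 16)                       # NumberOfRvaAndSizes
    sect = (struct.pack("<8sIIII", b".text", len(section), 0x1000, len(section), size_of_headers)
            + b"\0" * 12 + struct.pack("<I", 0x60000020))
    headers = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off) + b"PE\0\0"
               + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22) + opt + sect)
    image = bytearray(headers.ljust(size_of_headers, b"\0") + section)
    if cert_blob is not None:
        cert = struct.pack("<IHH", 8 + len(cert_blob), WIN_CERT_REVISION_2_0,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
        cert = cert.ljust((len(cert) + 7) & ~7, b"\0")
        secdir = pe_off + 24 + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", image, secdir, len(image), len(cert))
        image += cert
    return bytes(image)


if __name__ == "__main__":
    unsigned = build_sample_pe()
    signed = build_sample_pe(cert_blob=b"constructed PKCS#7 placeholder", checksum=0xDEADBEEF)
    print("digest unchanged by signing:", authenticode_hash(unsigned) == authenticode_hash(signed))
    for c in list_certificates(signed):
        print("WIN_CERTIFICATE revision=%#x type=%#x length=%d" % (c["revision"], c["type"], c["length"]))
```

The point the run makes: the Authenticode digest of the unsigned file equals that of the signed one, because the checksum field, the security directory entry and the appended certificate table are excluded from the hash. That is what allows the digest to be computed before the signature exists and verified after it is attached, and it is also why flipping any byte inside a section changes the digest. Multiple signatures from Jsign's dual-signing feature are nested inside the single PKCS#7 blob rather than added as further WIN_CERTIFICATE entries, so a dual-signed file still lists one entry here.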

Signing with a YubiKey

Before using Jsign with a YubiKey, install the Yubico PIV Tool, which ships the ykcs11 PKCS#11 library that Jsign loads to talk to the key. Then run the following command, replacing the PIN, the certificate chain file and the executable with your own values.

jsign --storetype YUBIKEY --storepass 123456 --certfile full-chain.pem application.exe

If the YubiKey holds more than one certificate, select the one to use with the alias parameter. The certfile parameter supplies the full certificate chain, which the token itself usually does not store.

Signing with a SafeNet eToken

To use Jsign with a SafeNet eToken, install the SafeNet Authentication Client, which provides the PKCS#11 driver for the token. Then run the command below with the token PIN as the storepass.

jsign --storetype ETOKEN --storepass <PIN> --certfile full-chain.pem application.exe

Signing with a Smart Card

To sign with a smart card, install OpenSC. If more than one device is connected, select the one to use with the keystore parameter in the following command.

jsign --storetype OPENSC --storepass 123456 --alias test \
       --certfile full-chain.pem application.exe

Signing with AWS Key Management Service

AWS Key Management Service keeps the code signing private key in AWS-managed HSMs. KMS stores only the key, so the certificate chain must be supplied separately with certfile, and the AWS region of the key is given as the keystore. The command looks like this:

jsign --storetype AWS \
       --keystore eu-west-3 \
       --storepass "<access-key>|<secret-key>|<session-token>" \
       --alias 12345678-abcd-1234-cdef-1234567890ab \
       --certfile full-chain.pem application.exe

Here keystore names the region, alias is the KMS key ID, and storepass carries the access key, secret key and optional session token separated by "|". If storepass is omitted, Jsign falls back to the standard AWS credential sources, such as the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN environment variables or the IMDSv2 instance metadata service when running on an EC2 instance. The KMS key must be an asymmetric signing key (RSA or ECDSA); a symmetric key cannot be used for code signing.

Signing with Azure Key Vault

To use a key and certificate stored in Azure Key Vault, run the command below with the vault name as the keystore, an Azure access token as the storepass and the certificate name as the alias. The token can be obtained with the Azure CLI (az account get-access-token --resource "https://vault.azure.net").

jsign --storetype AZUREKEYVAULT \
       --keystore vaultname \
       --storepass <api-access-token> \
       --alias test application.exe

Signing with DigiCert ONE

To use Jsign with DigiCert ONE, you need an API key and a PKCS#12 file holding the client certificate that authenticates you to the service. The PKCS#12 is used only for authentication; the signing key and certificate stay in DigiCert ONE. The storepass combines the API key, the path to the PKCS#12 file and its password, separated by "|":

jsign --storetype DIGICERTONE \
       --storepass "<api-key>|/path/to/Certificate_pkcs12.p12|<password>" \
       --alias test application.exe

Signing with Google Cloud KMS

To use Jsign with Google Cloud KMS, the account behind the access token needs the following permissions:

  • cloudkms.cryptoKeyVersions.useToSign
  • cloudkms.cryptoKeyVersions.list
  • cloudkms.cryptoKeys.list

Then run the following command, supplying the certificate chain separately with certfile, since Cloud KMS stores only the key. The access token can be obtained with gcloud auth print-access-token.

jsign --storetype GOOGLECLOUD \
       --keystore projects/first-rain-123/locations/global/keyRings/mykeyring \
       --storepass <api-access-token> \
       --alias test/cryptoKeyVersions/1 \
       --certfile full-chain.pem application.exe

If you do not know the key version, or always want the latest one, give just the key name as the alias (--alias test). This costs one extra API call to look up the current version, so signing is slightly slower.

Signing with Google Cloud KMS via HashiCorp Vault

Using Google Cloud KMS through HashiCorp Vault's GCP KMS secrets engine changes little. The keystore parameter is the URL of the secrets engine (Vault server, API version and mount path), storepass is a Vault token, and the alias is the key name and version separated by a colon.

jsign --storetype HASHICORPVAULT \
       --keystore https://vault.example.com/v1/gcpkms \
       --storepass <vault-token> \
       --alias test:1 \
       --certfile full-chain.pem application.exe

Which is the Jsign Compatible Code Signing Certificate?

To sign with Jsign you need a code signing certificate from a publicly trusted CA; Certera, Comodo, DigiCert and Sectigo are the commonly used ones.

Since June 2023 the CA/Browser Forum baseline requirements oblige the private key of a code signing certificate to be generated and kept on a hardware device (a FIPS 140-2 Level 2 or Common Criteria EAL 4+ token or HSM) or in an equivalent cloud HSM service, which is why the token and cloud KMS backends above matter. IV, OV and EV code signing certificates are available, and all of them work with the signing tools, platforms and Windows versions covered here.

Conclusion

Jsign is a widely used tool for signing executable files, including installers and Windows wrappers. It is a Java implementation of Microsoft Authenticode signing, so it provides the same result as SignTool without requiring Windows.

It also works with the major hardware tokens, KMS and cloud HSM services, such as AWS KMS, Azure Key Vault, Google Cloud KMS, DigiCert ONE and HashiCorp Vault. Its feature set and cross-platform support make it a sound choice for signing Windows software from any build environment.


Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.