Have a question? Want to report an issue? Contact JFrog support

Skip to end of metadata
Go to start of metadata

Overview

Java Web Start is a technology developed by Sun Microsystems (now Oracle) to allow you to download and run Java applications directly from your browser with one-click activation.

Java Web Start requires that any JAR downloaded is signed by the software vendor. To support this requirement, Artifactory lets you manage a set of signing keys that are used to automatically sign JAR files downloaded from a virtual repository.

For more information, please refer to the Oracle documentation for Java Web Start

Managing Signing Keys

Signing keys are managed in the Admin module under Security | Signing Keys.

Debian Signing Key

Debian signing keys are also managed on this page, however these are not related to JAR signing. For details, please refer to Debian Signing Keys.

Generating JAR Signing Keys

In order to sign JAR files, you first need to create a keystore, and generate and add key pairs to it. These can be created with Oracle's keytool utility, that comes built into your Java Runtime Environment (JRE), by executing the following command:

keytool -keystore <keystore filename> -keypass <key_password> -storepass <store_password> -alias <store_alias> \
-genkeypair -dname "cn=<cName>, ou=<orgUnit>, o=<orgName>, S=<stateName>, c=<country>" -validity <days>

For details, please refer to the Oracle  keytool - Key and Certificate Management Tool documentation.

Page Contents

Setting Your Keystore and Keys

Before you can add a keystore, you must set the password that will be needed to make any later changes to the keystore. You will need this password to remove or update the keystore.

Set the password and click "Create". This will unlock the rest of the keystore management fields.

Changing the keystore password

Once your keystore password is set and you have created a keystore and a set of signing keys, you can add them to Artifactory. 

First upload your keystore file under Add Key-Store and enter the keystore password. Click "Unlock"

Adding a keystore

Once your keystore is set in Artifactory you may add key pairs under Add Key-Pair.

Adding a keypair

Removing a Key Pair

To remove a key pair, simply select the key pair and click "Remove".

Removing a key pair

Configuring Virtual Repositories to Sign JARs

Once Artifactory has a keystore and key pairs, you can configure a virtual repository with the key pair you wish to use for JAR signing. This is done in the Advanced settings of the virtual repository configuration screen.

Setting a signing key pair in a virtual repository

  • No labels