Perform Signing with JSign Tool and PKCS#11 Library

Imagine you’re about to download a file from the internet. How do you know it’s safe? How do you know it’s really from who it claims to be and that nobody has tampered with it along the way? This is where code signing comes in. Code signing is like a digital guarantee, assuring you about the origin and integrity of the software.  

With the help of our PKCS11 Wrapper, which is a software library that interacts with Hardware Security Modules (HSMs), smart cards, or any key vaults, you can improve the efficiency of the code signing process for your organization. Along with PKCS#11 Wrapper, we will use the JSign for signing, verifying, encrypting, and decrypting executable files, installer packages, and scripts. 

What is JSign?

JSign is a free command-line tool available for Linux, Windows, and MacOS. It allows for platform-independent signing of a wide range of artifacts, such as Windows executables, software installers, scripts, and many more.

Configuration of PKCS#11 Wrapper on Ubuntu 

Prerequisites 

Before we look into the process of signing using JSign Tool and our PKCS11 Wrapper in Linux (Ubuntu) machine, ensure the following are ready: 

• Ubuntu Version: Ubuntu version 22.04 or later (tested environment is Ubuntu 24.02)   

• Dependencies: Install liblog4cxx12 and curl.  

To install the dependencies, run the following commands 

• sudo apt-get install curl  

• sudo apt-get install liblog4cxx12 

Installing EC’s PKCS#11 Wrapper  

Step 1: Go to EC CodeSign Secure’s v3.02’s Signing Tools section and download the PKCS#11 Wrapper for Ubuntu.

Step 2: After that, generate a P12 Authentication certificate from the System Setup > User > Generate Authentication Certificate dropdown. 

Step 3: Go to your Ubuntu client system and edit the configuration files (ec_PKCS#11client.ini and PKCS#11properties.cfg) downloaded in the PKCS#11 Wrapper.  

Installing JSign Tool 

Step 1: Install the latest version of JSign Tool (DEB package) using this link. 

Step 2: Install the Debian package 

sudo dpkg –install jsign_7.0_all.deb 

Step 3: Check whether JSign has been properly installed or not 

jsign

Install Java on your Ubuntu machine. 

You will also need to install Java (Java 17 or lower) on your Ubuntu machine for JSign to work with our PKCS11 Wrapper.  

Step 1: Install Java 17 on your Ubuntu machine. 

sudo apt install openjdk-17-jdk 

Step 2: Set Java 17 as the active version  

sudo update-alternatives –config java 

Step 3: Check whether Java has been installed properly or not  

java -version 

Signing  

Step 1:  Change the working directory of the terminal to that folder which contains your “ec_pkcs11client.ini” and “pkcs11properties.cfg” files. 

Step 2: Run the signing command from this directory.  

<Path of JSign tool> –keystore <Path of pkcs11properties.cfg> –storepass NONE –storetype PKCS11 –alias <Key alias of the signing certificate> <Path of the file to be signed> 

A sample command is provided below: 

jsign –keystore pkcs11properties.cfg –storepass NONE –storetype PKCS11 –alias gpg2 build_project.ps1

Configuration of PKCS#11 Wrapper on Windows

Prerequisites

Before we look into the process of using JSign Tool and our PKCS11 Wrapper on a Windows machine, ensure the following are ready: 

• Windows Version: Windows 11 (tested environment is Windows 11 23H2)

Installing EC’s PKCS#11 Wrapper  

Step 1: Go to EC CodeSign Secure’s v3.02’s Signing Tools section and download the PKCS#11 Wrapper for Windows.

Step 2: After that, generate a P12 Authentication certificate from the System Setup > User > Generate Authentication Certificate dropdown.

Step 3: Go to your Windows client system and edit the configuration files (ec_PKCS#11client.ini and PKCS#11properties.cfg) downloaded in the PKCS#11 Wrapper.  

Install Java on your Windows machine.

You will also need to install Java (Java 22 or lower) on your Windows machine for JSign to work with our PKCS11 Wrapper.  

Step 1: Install Java 22 (.exe installer) on your Windows machine from Oracle’s official site.  

Step 2: Follow the instructions to install Java 22 on your machine.

Step 3: Set Java 22 as the active version by storing the bin path in the PATH variable.

Installing JSign Tool 

Step 1: Install the latest version of JSign Tool (JAR package) using this link. 

Step 2: Check whether JSign has been properly installed or not 

java -jar <Path of JSign Jar Package>  

Signing 

Step 1: Change the working directory of the terminal to the folder that contains your “ec_pkcs11client.ini” and “pkcs11properties.cfg” files.

Step 2: Run the signing command from this directory. 

java -jar <Path of JSign jar file> –keystore <Path of pkcs11properties.cfg> –storepass NONE –storetype PKCS11 –alias <Key alias of the signing certificate> <Path of file to be signed> 

A sample command is provided below: 

java -jar jsign-7.0.jar –keystore pkcs11properties.cfg –storepass NONE –storetype PKCS11 –alias gpg2 build_project.ps1

Configuration of PKCS#11 Wrapper on MacOS 

Prerequisites

Before we look into the process of using JSign Tool and our PKCS11 Wrapper on a MacOS machine, ensure the following are ready: 

• MacOS Version: Sequoia 15.2 (tested environment Sequoia 15.2)  

• Dependencies: Install liblog4cxx and curl.  

To install the dependencies, run the following commands 

• brew install curl 

• brew install log4cxx 

Installing EC’s PKCS#11 Wrapper

Step 1: Go to EC CodeSign Secure’s v3.02’s Signing Tools section and download the PKCS#11 Wrapper for MacOS.

Step 2: After that, generate a P12 Authentication certificate from the System Setup > User > Generate Authentication Certificate dropdown. 

Step 3: Go to your MacOS client system and edit the configuration files (ec_PKCS#11client.ini and PKCS#11properties.cfg) downloaded in the PKCS11 Wrapper. 

Install Java on your MacOS machine

You will also need to install Java (Java 17 or lower) on your MacOS machine for JSign to work with our PKCS11 Wrapper.  

Step 1: Install Java 17 on your MacOS machine. 

brew install openjdk@17 

Step 2: Find the location where Java 17 is installed on your machine 

brew info to openjdk@17 

Step 3: Set Java 17 as the active version. 

For Zsh: nano ~/.zshrc 

For Bash: nano ~/.bash_profile 

After running the above command, add these lines: 

export PATH=<Path of Java 17 bin folder>:$PATH 

export JAVA_HOME=<Path of Java 17 bin folder> 

Step 4: Reload the environment variables 

For Zsh: source ~/.zshrc  

For Bash: source ~/.bash_profile

Installing JSign Tool 

Step 1: Install the latest version of JSign Tool (JAR package) using this link. 

Step 2: Check whether JSign has been properly installed or not 

java -jar <Path of JSign Jar Package>  

Signing

Step 1: Change the working directory of the terminal to the folder that contains your “ec_pkcs11client.ini” and “pkcs11properties.cfg” files. 

Step 2: Run the signing command from this directory. 

java -jar <Path of JSign jar file> –keystore <Path of pkcs11properties.cfg> –storepass NONE –storetype PKCS11 –alias <Key alias of the signing certificate> <Path of file to be signed> 

A sample command is provided below: 

java -jar jsign-7.0.jar –keystore pkcs11properties.cfg –storepass NONE –storetype PKCS11 –alias gpg2 build_project.ps1 

Conclusion 

Encryption Consulting’s PKCS Wrapper simplifies the code signing process with JSign on Linux, Windows, and macOS. This integration simplifies a complex task, making it more manageable and less prone to errors.  

If you want a smooth and reliable signing experience that scales with your needs, consider exploring our code-signing product, CodeSign Secure. This solution will enhance your organization’s security by enforcing best practices and offering detailed audit trails. CodeSign Secure is a comprehensive tool designed to elevate your code-signing workflow to the next level.