Code Signing Reading Time: 6 minutes

Perform Signing with JSign Tool and PKCS#11 Library

Imagine you’re about to download a file from the internet. How do you know it’s safe? How do you know it’s really from who it claims to be and that nobody has tampered with it along the way? This is where code signing comes in. Code signing is like a digital guarantee, assuring you about the origin and integrity of the software.  

With the help of our PKCS11 Wrapper, which is a software library that interacts with Hardware Security Modules (HSMs), smart cards, or any key vaults, you can improve the efficiency of the code signing process for your organization. Along with PKCS#11 Wrapper, we will use the JSign for signing, verifying, encrypting, and decrypting executable files, installer packages, and scripts. 

What is JSign?

JSign is a free command-line tool available for Linux, Windows, and MacOS. It allows for platform-independent signing of a wide range of artifacts, such as Windows executables, software installers, scripts, and many more.

JSign Tools

Configuration of PKCS#11 Wrapper on Ubuntu 

Prerequisites 

Before we look into the process of signing using JSign Tool and our PKCS11 Wrapper in Linux (Ubuntu) machine, ensure the following are ready: 

  • Ubuntu Version:Ubuntu version 22.04 or later (tested environment is Ubuntu 24.02)   
  • Dependencies:Install liblog4cxx12 and curl.  

To install the dependencies, run the following commands 

  • sudo apt-get install curl  
  • sudo apt-get install liblog4cxx12 

Installing EC’s PKCS#11 Wrapper  

Step 1: Go to EC CodeSign Secure’s v3.02’sSigning Tools section and download the PKCS#11 Wrapper for Ubuntu.

CodeSigning signing tools

Step 2: After that, generate a P12 Authentication certificate from the System Setup > User > Generate Authentication Certificate dropdown. 

P12 Authentication certificate

Step 3: Go to your Ubuntu client system and edit the configuration files (ec_PKCS#11client.ini and PKCS#11properties.cfg) downloaded in the PKCS#11 Wrapper.  

Edit config files

Installing JSign Tool 

Step 1: Install the latest version of JSign Tool (DEB package) using this link.

install jsign tool
install jsign tool

Step 2: Install the Debian package 

sudo dpkg –install jsign_7.0_all.deb 

install debian package

Step 3: Check whether JSign has been properly installed or not 

jsign

check jsign installed

Install Java on your Ubuntu machine. 

You will also need to install Java (Java 17 or lower) on your Ubuntu machine for JSign to work with our PKCS11 Wrapper.  

Step 1: Install Java 17 on your Ubuntu machine. 

sudo apt install openjdk-17-jdk 

install java17 on ubuntu

Step 2: Set Java 17 as the active version  

sudo update-alternatives –config java 

set as active version

Step 3: Check whether Java has been installed properly or not  

java -version 

check java installed

Signing  

Step 1:  Change the working directory of the terminal to that folder which contains your “ec_pkcs11client.ini” and “pkcs11properties.cfg” files. 

change working directory

Step 2: Run the signing command from this directory.  

<Path of JSign tool> –keystore <Path of pkcs11properties.cfg> –storepass NONE –storetype PKCS11 –alias <Key alias of the signing certificate> <Path of the file to be signed> 

A sample command is provided below: 

jsign –keystore pkcs11properties.cfg –storepass NONE –storetype PKCS11 –alias gpg2 build_project.ps1

sample command

Configuration of PKCS#11 Wrapper on Windows

Prerequisites

Before we look into the process of using JSign Tool and our PKCS11 Wrapper on a Windows machine, ensure the following are ready: 

  • Windows Version: Windows 11 (tested environment is Windows 11 23H2)

Installing EC’s PKCS#11 Wrapper  

Step 1: Go to EC CodeSign Secure’s v3.02’s Signing Tools section and download the PKCS#11 Wrapper for Windows.

codeSigning signing tools windows

Step 2: After that, generate a P12 Authentication certificate from the System Setup > User > Generate Authentication Certificate dropdown.

P12 Authentication certificate

Step 3: Go to your Windows client system and edit the configuration files (ec_PKCS#11client.ini and PKCS#11properties.cfg) downloaded in the PKCS#11 Wrapper.  

edit config files windows
edit config-files windows 2

Install Java on your Windows machine.

You will also need to install Java (Java 22 or lower) on your Windows machine for JSign to work with our PKCS11 Wrapper.  

Step 1: Install Java 22 (.exe installer) on your Windows machine from Oracle’s official site.  

install java windows

Step 2: Follow the instructions to install Java 22 on your machine.

follow instructions
follow instructions

Step 3: Set Java 22 as the active version by storing the bin path in the PATH variable.

set as active version windows

Installing JSign Tool 

Step 1: Install the latest version of JSign Tool (JAR package) using this link. 

install jsign tool

Step 2: Check whether JSign has been properly installed or not 

java -jar <Path of JSign Jar Package>  

Signing 

Step 1: Change the working directory of the terminal to the folder that contains your “ec_pkcs11client.ini” and “pkcs11properties.cfg” files.

change working directory windows

Step 2: Run the signing command from this directory. 

java -jar <Path of JSign jar file> –keystore <Path of pkcs11properties.cfg> –storepass NONE –storetype PKCS11 –alias <Key alias of the signing certificate> <Path of file to be signed> 

A sample command is provided below: 

java -jar jsign-7.0.jar –keystore pkcs11properties.cfg –storepass NONE –storetype PKCS11 –alias gpg2 build_project.ps1

sample command windows

Configuration of PKCS#11 Wrapper on MacOS 

Prerequisites

Before we look into the process of using JSign Tool and our PKCS11 Wrapper on a MacOS machine, ensure the following are ready: 

  • MacOS Version: Sequoia 15.2 (tested environment Sequoia 15.2)  
  • Dependencies:Install liblog4cxx and curl.  

To install the dependencies, run the following commands 

  • brew install curl 
  • brew install log4cxx 

Installing EC’s PKCS#11 Wrapper

Step 1: Go to EC CodeSign Secure’s v3.02’s Signing Tools section and download the PKCS#11 Wrapper for MacOS.

codeSigning signing tools mac

Step 2: After that, generate a P12 Authentication certificate from the System Setup > User > Generate Authentication Certificate dropdown. 

P12 Authentication certificate

Step 3: Go to your MacOS client system and edit the configuration files (ec_PKCS#11client.ini and PKCS#11properties.cfg) downloaded in the PKCS11 Wrapper. 

edit config file mac

Install Java on your MacOS machine

You will also need to install Java (Java 17 or lower) on your MacOS machine for JSign to work with our PKCS11 Wrapper.  

Step 1: Install Java 17 on your MacOS machine. 

brew install openjdk@17 

Step 2: Find the location where Java 17 is installed on your machine 

brew info to openjdk@17 

Step 3: Set Java 17 as the active version. 

For Zsh: nano ~/.zshrc 

For Bash: nano ~/.bash_profile 

After running the above command, add these lines: 

export PATH=<Path of Java 17 bin folder>:$PATH 

export JAVA_HOME=<Path of Java 17 bin folder> 

install java mac

Step 4: Reload the environment variables 

For Zsh: source ~/.zshrc  

For Bash: source ~/.bash_profile

Installing JSign Tool 

Step 1: Install the latest version of JSign Tool (JAR package) using this link. 

install jsign tool

Step 2: Check whether JSign has been properly installed or not 

java -jar <Path of JSign Jar Package>  

Signing

Step 1: Change the working directory of the terminal to the folder that contains your “ec_pkcs11client.ini” and “pkcs11properties.cfg” files. 

Step 2: Run the signing command from this directory. 

java -jar <Path of JSign jar file> –keystore <Path of pkcs11properties.cfg> –storepass NONE –storetype PKCS11 –alias <Key alias of the signing certificate> <Path of file to be signed> 

A sample command is provided below: 

java -jar jsign-7.0.jar –keystore pkcs11properties.cfg –storepass NONE –storetype PKCS11 –alias gpg2 build_project.ps1 

run signing command mac

Conclusion 

Encryption Consulting’s PKCS Wrapper simplifies the code signing process with JSign on Linux, Windows, and macOS. This integration simplifies a complex task, making it more manageable and less prone to errors.  

If you want a smooth and reliable signing experience that scales with your needs, consider exploring our code-signing product, CodeSign Secure. This solution will enhance your organization’s security by enforcing best practices and offering detailed audit trails. CodeSign Secure is a comprehensive tool designed to elevate your code-signing workflow to the next level. 

Free Downloads

Datasheet of Code Signing Solution

Code signing is a process to confirm the authenticity and originality of digital information such as a piece of software code.

Download

About the Author

Aryan Kumar's profile picture

Aryan Ajay Kumar is a cybersecurity consultant at Encryption Consulting. He safeguards data for clients by leveraging his knowledge of various technical domains, such as PKI, HSM, and Code Signing. His programming skills and knowledge of data science further enhance his ability to create complex cloud solutions. Aryan's impressive track record includes successful collaborations with top organizations on high-profile projects. Aryan's life also extends far beyond the world of cybersecurity. He enjoys playing football and is an avid reader. He is always seeking new ways to grow personally and professionally and loves various creative pursuits, like crafting or watching an inspiring movie. His passion for life and work enables him to contribute unique ideas and unwavering dedication.

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo