In the software supply chain, signing and verifying code helps keeping malicious code out of your environment. From SignServer Community release 5.10 you can digitally sign Java Archives, JAR files.
Signing code digitally serves the same purpose as signing a paper document in the physical world: it proves you wrote the document or application code and that the content has not changed since your signature.
Using SignServer for JAR Signing and More
The server-side signature software SignServer signs JAR files using a private key stored in an HSM or in a secure file. The public key and certificate are included in the JAR file so that anyone can verify the signature. Timestamping is also an option. In the same way that a date is affixed to a paper document, a timestamp identifies when the JAR file was signed. Using the timestamp, you can verify that the certificate used to sign the JAR file was valid when it was signed.
JAR signing is supported in SignServer Community from release 5.10. Read more in the release notes.
SignServer is open source-based and allows you to sign not only JAR files but also 20+ other signature formats for code signing, document signing, and timestamping. An HSM is always recommended for storing signature keys in a secure and compliant manner and SignServer supports multiple HSMs from different vendors.
With SignServer, you get a centralized platform to manage all your signature services, consistent security enforcement, and cost-effective key security. SignServer can also be integrated into your standard processes in a variety of ways.