To sign a .jar with PGP

Hasnain Mujtaba hmujtaba at
Wed Dec 1 00:23:33 CET 2004

Take a look at BouncyCastle's Java OpenPGP provider
( It explains with examples how to sign files
using PGP keys. And it might even give you a PGP to X.509 converter
class which you can use to store your PGP keys in a Java KeyStore.


-----Original Message-----
From: gnupg-users-bounces at
[mailto:gnupg-users-bounces at] On Behalf Of Nicolas BONARDELLE
Sent: Tuesday, November 30, 2004 4:58 PM
To: gnupg-users at
Subject: To sign a .jar with PGP

Hi list,

I'm thinking about using Jar in a Java application I'm coding.
Not only as an archiving means, but also because it can be signed

To make the long story short, the Jar archive would contain a text file,
would be signed by everyone who enters in its possession and agrees with
content of the text file. The signer would then distribute the newly
Jar to others.
Since I can't ask every user to get a X.509 certificate, the idea is to
the .jar with their PGP key by following exactly the Jar and Manifest 
specifications (
Those specs tell us that PKCS7 RSA, PKCS7 DSA and PGP are supported by 
default, and even that one can use its own algorithm.

However, I have a few problems :
1- I can't find any live example of Jar signed with PGP
2- can't even any info about doing it programmatically
3- the 'keytool' util (with Sun's jdk) don't want to import my PGP keys
the .keystore (even if I ask him very kindly) so I can use it with the 
'jarsigner' util :-[

So, a few questions that may protect me from doing naughty things :

1- am I totally nuts to want to do this ?
2- do you know a way to intrude my PGP key in the evil .keystore ?
3- do you know some application on the web (and open source preferably)
PGP to sign Jar archives ?

cheers, cbonar

Gnupg-users mailing list
Gnupg-users at

More information about the Gnupg-users mailing list