Jsign - Authenticode signing tool in Java

Jsign is a versatile code signing tool that allows you to sign and timestamp Windows executable files, installer packages and scripts. Jsign is platform independent and provides an alternative to native tools like signtool on Windows or the Mono development tools on Unix systems. It's particularly well-suited for signing executable wrappers and installers generated by tools such as NSIS, msitools, install4j, exe4j or launch4j. It emphasizes on seamless integration with cloud key management systems and hardware tokens.

Jsign is available as a command line tool for Linux, macOS and Windows, as a task/plugin for various build systems (Maven, Gradle, Ant, GitHub Actions), and as a Java library.

Jsign is free to use and licensed under the Apache License version 2.0.

Features

Platform independent command line tool (Linux, macOS and Windows)
Build tools integration (Maven, Gradle, Ant, GitHub Actions)
File formats supported:
- Windows executables (.exe) and libraries (.dll)
- Microsoft installers (.msi)
- Cabinet files (.cab)
- Catalog files (.cat)
- Windows packages (.appx, .msix)
- Microsoft Dynamics 365 extension packages (.navx)
- NuGet packages (.nupkg)
- Scripts (PowerShell, VBScript, JScript, WSF)
- UEFI executables (.efi)
Timestamping with retries and fallback on alternative servers (RFC 3161 and Authenticode protocols supported)
Supports multiple signatures per file, for all file types
Extracts and embeds detached signatures to support reproducible builds
Tags signed files with unsigned data (for user identification)
Hashing algorithms: MD5, SHA-1, SHA-256, SHA-384 and SHA-512
Keystores supported:
- Keystore files (PKCS#12, JKS, JCEKS, PVK/PKCS#1/PKCS#8 keys and PKCS#7 certificates)
- Hardware tokens (YubiKey, SafeNet eToken, CryptoCertum, Nitrokey, PKCS#11 devices)
- Cloud key management systems:
Certificates: PKCS#7 in PEM and DER format
Automatic download of the intermediate certificates
Authenticode signing API (Javadoc)
JCA security provider to use the keystores supported by Jsign with other tools such as jarsigner or apksigner

See https://ebourg.github.io/jsign for more information.

Changes

Version 7.5 (in development)

LDAP URLs in the Authority Information Access attribute are now ignored and no longer cause an error
The error message displayed when the PE certificate table is corrupted has been improved
Upgraded Bouncy Castle LTS to 2.73.10

Version 7.4 (2025-10-24)

The CryptoCertum cryptographic card is now supported with the new CRYPTOCERTUM storetype (no PKCS#11 module required)
The new command line option --version displays the version of Jsign
The certificate chain is no longer fetched from the keystore when the certfile parameter is specified
Upgraded Bouncy Castle LTS to 2.73.9

Version 7.3 (2025-10-03)

Multiple signatures are now supported for EFI files
The root and intermediate certificates stored in the PIV slots 82 to 95 are now used to build the certificate chain
Self-signed certificates are no longer removed from the certificate store embedded in the signature (contributed by Christian Renz)
The proxy settings are now applied to the connections to the cloud signing services
API changes:
- New Signable.setSignatures(List<CMSSignedData>) method to set multiple signatures (nesting is handled automatically)
- SignatureUtils.getSignatures() now removes the nested signatures from the first signature in the list

Version 7.2 (2025-08-31)

ECS container credentials are now supported when signing with AWS KMS (contributed by Alejandro González)
The keystore parameter can now be specified with the ETOKEN storetype to distinguish between multiple connected devices
The Gradle plugin can now sign multiple files by defining a fileset
The command line tool on Windows now works even if the installation path contains a space (contributed by Tres Finocchiaro)
The file handle is now properly closed when probing the file format
The error handling with DigiCert ONE has been improved (contributed by Alejandro González)
Upgraded Bouncy Castle LTS to 2.73.8

Version 7.1 (2025-02-14)

New signing service: SignPath
The "Unsupported file" error when using the Ant task has been fixed
The timestamp and tag commands have been fixed for MSI, catalog and script files
The RPM package no longer removes the installation directory when upgrading
The --debug, --verbose and --quiet parameters now work for all commands

Version 7.0 (2025-01-16)

New signing services:
- Azure Trusted Signing
- Oracle Cloud
- GaraSign
- HashiCorp Vault Transit (contributed by Eatay Mizrachi)
- Keyfactor SignServer (contributed by Björn Kautler)
Signing of NuGet packages has been implemented (contributed by Sebastian Stamm)
Commands have been added:
- timestamp: timestamps the signatures of a file
- tag: adds unsigned data (such as user identification data) to signed files
- extract: extracts the signature from a signed file, in DER or PEM format
- remove: removes the signature from a signed file
The intermediate certificates are downloaded if missing from the keystore or the certificate chain file
File list files prefixed with @ are now supported with the command line tool to sign multiple files
Wildcard patterns are now accepted by the command line tool to scan directories for files to sign
Jsign now checks if the certificate subject matches the app manifest publisher before signing APPX/MSIX packages (with contributions from Scott Cooper)
The new --debug, --verbose and --quiet parameters control the verbosity of the output messages
The JCA provider now works with apksigner for signing Android applications
RSA 4096 keys are supported with the PIV storetype (for Yubikeys with firmware version 5.7 or higher)
Certificates using an Ed25519 or Ed448 key are now supported (experimental)
Signatures on MSI files with gaps in the mini FAT are no longer invalid
The APPX/MSIX bundles are now signed with the correct Authenticode UUID
The signed APPX/MSIX files no longer contain a [Content_Types].old entry
The error message displayed when the password of a PKCS#12 keystore is missing has been fixed
The log4j configuration warning displayed when signing a MSI file has been fixed (contributed by Pascal Davoust)
The value of the storetype parameter is now case insensitive
The Azure Key Vault account no longer needs the permission to list the keys when signing with jarsigner
The DigiCert ONE host can now be specified with the keystore parameter
The AWS_USE_FIPS_ENDPOINT environment variable is now supported to use the AWS KMS FIPS endpoints (contributed by Sebastian Müller)
On Windows the YubiKey library path is automatically added to the PATH of the command line tool
Signing more than one file with the YUBIKEY storetype no longer triggers a CKR_USER_NOT_LOGGED_IN error
MS Cabinet files with a pre-allocated reserve are now supported
The --certfile parameter can now be used to replace the certificate chain from the keystore
PVK and PEM key files are now properly loaded even if the extension is not recognized (contributed by Alejandro González)
API changes:
- The keystore builder and the JCA provider are now in a separate jsign-crypto module
- The PEFile class has been refactored to keep only the methods related to signing
- The java.util.logging API is now used to log debug messages under the net.jsign logger
- Signable implementations are now discovered dynamically using the ServiceLoader mechanism
- Signable.createContentInfo() has been replaced with Signable.createSignedContent()
Switched to BouncyCastle LTS 2.73.7

Version 6.0 (2024-01-17)

Signing of APPX/MSIX packages has been implemented (thanks to Maciej Panek for the help)
Signing of Microsoft Dynamics 365 extension packages has been implemented
PIV cards are now supported with the new PIV storetype
SafeNet eToken support has been improved with automatic PKCS#11 configuration using the ne

Jsign

Install / Use

README