Signs JAR files with the jarsigner command line tool. It will take a named file in the jar attribute, and an optional destDir or signedJar attribute. Nested paths are also supported; here only an (optional) destDir is allowed. If a destination directory or explicit JAR file name is not provided, JARs are signed in place.
Dependency rules
| Attribute | Description | Required |
| jar | the jar file to sign | Yes, unless nested paths have been used. |
| alias | the alias to sign under | Yes. |
| storepass | password for keystore integrity. | Yes. |
| keystore | keystore location | No |
| storetype | keystore type | No |
| keypass | password for private key (if different) | No |
| sigfile | name of .SF/.DSA file | No |
| signedjar | name of signed JAR file. This can only be set when the jar attribute is set. | No. |
| verbose | (true | false) verbose output when signing | No; default false |
| internalsf | (true | false) include the .SF file inside the signature block | No; default false |
| sectionsonly | (true | false) don't compute hash of entire manifest | No; default false |
| lazy | flag to control whether the presence of a signature file means a JAR is signed. This is only used when the target JAR matches the source JAR | No; default false |
| maxmemory | Specifies the maximum memory the jarsigner VM will use. Specified in the style of standard java memory specs (e.g. 128m = 128 MBytes) | No |
| preservelastmodified | Give the signed files the same last modified time as the original jar files. | No; default false. |
| tsaurl | URL for a timestamp authority for timestamped JAR files in Java1.5+ | No |
| tsacert | alias in the keystore for a timestamp authority for timestamped JAR files in Java1.5+ | No |
| Attribute | Description | Required |
| path | path of JAR files to sign. since Ant 1.7 | No |
| fileset | fileset of JAR files to sign. | No |
| mapper | A mapper to rename jar files during signing | No, and only one can be supplied |
| sysproperty | JVM system properties, with the syntax of Ant environment variables | No, and only one can be supplied |
<signjar jar="${dist}/lib/ant.jar"
alias="apache-group" storepass="secret"/>
signs the ant.jar with alias "apache-group" accessing the keystore and private key via "secret" password.
<signjar destDir="signed"
alias="testonly" keystore="testkeystore"
storepass="apacheant"
preservelastmodified="true">
<path>
<fileset dir="dist" includes="**/*.jar" />
</path>
<flattenmapper />
</signjar>
Sign all JAR files matching the dist/**/*.jar pattern, copying them to the directory "signed" afterwards. The flatten mapper means that they will all be copied to this directory, not to subdirectories.
<signjar
alias="testonly" keystore="testkeystore"
storepass="apacheant"
lazy="true"
>
<path>
<fileset dir="dist" includes="**/*.jar" />
</path>
</signjar>
Sign all the JAR files in dist/**/*.jar in-situ. Lazy signing is used, so the files will only be signed if they are not already signed.
Timestamped JAR files are a new feature in Java1.5; a feature supported in Ant since Ant 1.7. Ant does not yet support proxy setup for this singing process, and the whole TSA feature is not tested yet. Furthermore, the official TSA documentation warns that the API is subject to change. If a future version of Java changes the API, Ant will break. It may be possible to hide changes if and when they occur, but this can not be guaranteed.