Signing Extensions

The signature of a Java library certifies that the library comes from an identifiable source and that its content has not been altered. The user who executes the library's code can trust the authenticity of the library. This is even more important when the library requires system access that can cause security issues such as data access, network access, etc.

Signing Java libraries is done using the jarsigner tool included with the Java JDK. To do this, you must have a Java signing certificate issued for your organization. These certificates can be purchased from a reputable security company such as Thawte (http://www.thawte.com/) or Verisign (http://www.verisign.com/). Once you have your certificate, you must import it in a keystore using the keytool, which is also included with the Java JDK. Note that the keytool can also produce development certificates. These certificates are not deemed to be from reliable sources and they will generate warning messages. However, they are helpful for development and in-house testing purposes. For more information on this topic, refer to the documentation on the Java JDK's security tools (http://docs.oracle.com/javase/8/docs/technotes/tools/index.html).

The libraries of JMap Pro extensions must be signed in order to be properly deployed in a JMap Pro application. If you use the extension builder provided with the JMap SDK, the Ant scripts generated handle the signing of your extension. Thus, when you run these scripts to compile and build the library for your extension, it is signed automatically. This signature is done using the development certificate provided with the SDK. If you want to use your own certificate, you must replace the JDK_HOME/tools/extensionbuilder/RES/keystore.jks file by your own keystore, in which you will have imported your certificate.