Seamlessly Integrating Azure KeyVault with Jarsigner for Enhanced Security
Published May 21 2024 12:30 AM 1,896 Views


User Scenario and Benefits

In today's cloud-driven world, securely managing and signing applications is crucial, particularly in the context of Software Supply Chain Security. The integration of the KeyVault JCA provider with Jarsigner helps ensure that your software supply chain remains secure by leveraging Azure KeyVault for key management. 


Consider a development team responsible for a microservices-based application deployed on Azure Spring Apps. They need to sign their Java archive (JAR) files to ensure the integrity and authenticity of their software artifacts before deployment. Integrating Azure KeyVault JCA provider with Jarsigner offers a streamlined approach to securely manage and use cryptographic keys stored in Azure KeyVault, mitigating the risks associated with key management and distribution in the software supply chain.



Before beginning, ensure you have the following:

Step 1: Download and Configure JCA Provider Jar

  • Download the JCA Provider Jar.

  • If you are using Java8, you need to add the JCA provider jar to the class path.

    • Place the jar under the folder ${JAVA_HOME}/jre/lib/ext

  • If you are using Java9 or higher, just place the jar in a folder that jarsigner can access.


Step 2: Prepare Azure Resources

Follow these steps carefully to achieve successful integration:

  • Prepare your parameters

    DATE_STRING=$(date +%H%M%S)
  • Create a resource group
    az group create --name $RESOURCE_GROUP_NAME --location "EastUS"
  • Create a key vault

    az keyvault create --name $KEYVAULT_NAME --resource-group $RESOURCE_GROUP_NAME --location "EastUS"
  • Get the key vault uri

    KEYVAULT_URL=$(az keyvault show --name $KEYVAULT_NAME --query "properties.vaultUri" --resource-group $RESOURCE_GROUP_NAME -o tsv| tr -d '\r\n')
    echo $KEYVAULT_URL
  • Add a certificate to Key Vault

    az keyvault certificate create --vault-name $KEYVAULT_NAME -n $CERT_NAME -p "$(az keyvault certificate get-default-policy)"
  • Create a Service Principal

    SP_JSON=$(az ad sp create-for-rbac --name $SERVICE_PRINCIPAL_NAME)
    CLIENT_ID=$(echo $SP_JSON | jq -r '.appId')
    CLIENT_SECRET=$(echo $SP_JSON | jq -r '.password')
    TENANT=$(echo $SP_JSON | jq -r '.tenant')
    echo "TENANT:"$TENANT
  • Get the objectId

    OBJECTID=$(az ad sp show --id "$CLIENT_ID" --query id -o tsv | tr -d '\r\n')
    echo $OBJECTID
  • Assign Permissions to Service Principal:

    az keyvault set-policy --name $KEYVAULT_NAME --resource-group $RESOURCE_GROUP_NAME --object-id $OBJECTID --secret-permissions get 
    az keyvault set-policy --name $KEYVAULT_NAME --resource-group $RESOURCE_GROUP_NAME --object-id $OBJECTID --certificate-permissions get list


Step 3: Sign with Jarsigner

  • Prepare Your Jar: Have the jar file you wish to sign ready.

  • Execute Jarsigner: Use the Jarsigner tool with the KeyVault JCA provider to sign your jar file. You need to update the parameters with the actuall values.

    Parameter Description Example
    PARAM_YOUR_JAR_FILE_PATH The path to your jar file you wish to sign. /path/to/your/jarfile.jar
    PARAM_JCA_PROVIDER_JAR_PATH The path to the jca provider jar file. /path/to/your/azure-security-keyvault-jca-2.8.1.jar
    • If you are using Java8, try to sign the jar using below command

      jarsigner   -keystore NONE -storetype AzureKeyVault \
                  -signedjar signerjar.jar ${PARAM_YOUR_JAR_FILE_PATH} "${CERT_NAME}" \
                  -verbose  -storepass "" \
                  -providerName AzureKeyVault \
                  -providerClass \
                  -J-Dazure.keyvault.uri=${KEYVAULT_URL} \
                  -J-Dazure.keyvault.tenant-id=${TENANT} \
                  -J-Dazure.keyvault.client-id=${CLIENT_ID} \
    • If you are using Java9 or higher, try to sign the jar using below command

      jarsigner   -keystore NONE -storetype AzureKeyVault \
                  -signedjar signerjar.jar ${PARAM_YOUR_JAR_FILE_PATH} "${CERT_NAME}" \
                  -verbose  -storepass "" \
                  -providerName AzureKeyVault \
                  -providerClass \
                  -J--module-path="${PARAM_JCA_PROVIDER_JAR_PATH}" \
                  -J--add-modules="" \
                  -J-Dazure.keyvault.uri=${KEYVAULT_URL} \
                  -J-Dazure.keyvault.tenant-id=${TENANT} \
                  -J-Dazure.keyvault.client-id=${CLIENT_ID} \
  • Check your output, the output may look like this



Step 4: Verify with Jarsigner

You can verify the signed jar using the following Jarsigner command.

  • jarsigner -verify -verbose -certs signerjar.jar

The output may look like this




By following these steps, you can easily integrate KeyVault JCA provider with Jarsigner. This method ensures a secure and efficient signing process using Azure KeyVault.


Clean up resources

To avoid Azure charges, you should clean up unnecessary resources.

  • az group delete --name $RESOURCE_GROUP_NAME --yes --no-wait
    az ad app delete --id $CLIENT_ID


Next step with Azure Spring Apps

Azure Spring Apps is a fully managed service that helps Spring developers focus on code, not on infrastructure. Deploy any type of Spring app—including web apps, microservices, event-driven, serverless, and batch—without the need for Kubernetes. 
By adopting the practices described in this blog, you can leverage Azure Spring Apps to secure your Java applications. This ensures a robust and secure software supply chain, enhancing the overall reliability and trustworthiness of your deployments.

Newsletter banner_1 1.png


Email Us


Additional Resources

Version history
Last update:
‎May 21 2024 12:28 AM
Updated by: