Code Signing with Jsign
Jsign is a free, open-source, Java-based signing tool. It is the Swiss army knife of code signing: supports USB tokens (PKCS#11), Azure Key Vault, Google Cloud KMS, AWS KMS, and local keystores. Runs on Windows, Linux, and macOS.
Jsign is the only signing tool that supports all major cloud HSM providers in a single tool. Perfect for CI/CD pipelines where you want one tool that works regardless of key store.
What is Jsign?
Jsign is an open-source project (Apache 2.0 license), maintained on GitHub. It is written in Java and requires Java 8 or newer (OpenJDK recommended).
Jsign supports Authenticode signing of Windows files (.exe, .dll, .msi, .msix, .cab, .ps1), Java artifacts (.jar, .war, .ear), and several other formats. It is the most versatile signing tool available.
Supported key stores
USB token (PKCS#11)
SafeNet eToken, YubiKey, Thales Luna. Requires PKCS#11 driver installed locally.
Azure Key Vault
Via Azure SDK. Authentication with service principal or managed identity.
Google Cloud KMS
Via GCP SDK. Authentication with service account.
AWS KMS
Via AWS SDK. Authentication with IAM credentials or instance role.
Local keystore
PKCS#12 (.pfx/.p12), JKS, Windows certificate store.
Installation
Download JAR: Get the latest version from Jsign GitHub Releases ↗ and run directly:
java -jar jsign.jar sign --help
Maven/Gradle: Jsign can also be used as a dependency in your build system for automatic signing as part of your build pipeline.
Requires Java 8 or newer. OpenJDK is recommended. Download from adoptium.net ↗.
Signing examples
USB token (PKCS#11)
jsign --storetype PKCS11 \ --storepass "your-pin" \ --alias "your-cert" \ --tsaurl http://timestamp.digicert.com \ MyApp.exe
Azure Key Vault
jsign --storetype AZUREKEYVAULT \ --storepass "client-secret" \ --keystore "your-vault" \ --alias "cert-name" \ --tsaurl http://timestamp.digicert.com \ MyApp.exe
Google Cloud KMS
jsign --storetype GOOGLECLOUD \ --keystore "projects/my-project/locations/global/keyRings/my-ring" \ --alias "my-key" \ --certfile cert.pem \ --tsaurl http://timestamp.digicert.com \ MyApp.exe
AWS KMS
jsign --storetype AWS \ --keystore "us-east-1" \ --alias "alias/my-key" \ --certfile cert.pem \ --tsaurl http://timestamp.digicert.com \ MyApp.exe
Jsign vs signtool.exe vs AzureSignTool
| Jsign | signtool.exe | AzureSignTool | |
|---|---|---|---|
| Platform | Windows, Linux, macOS | Windows only | Windows, Linux, macOS (.NET) |
| Key stores | USB token, Azure KV, Google KMS, AWS KMS, local | USB token, local keystore | Azure Key Vault only |
| Dependency | Java 8+ | None (part of Windows SDK) | .NET Runtime |
| License | Open source (Apache 2.0) | Microsoft (proprietary) | Open source (MIT) |
| Java artifacts | Yes (.jar, .war, .ear) | No | No |
Supported file types
Related signing tools: SignTool / AzureSignTool | Jsign | Compare all →
Code Signing certificates for Jsign
OV Code Signing
DigiCert CodeSign OV
DigiCert OV Code Signing. Works with Jsign and all key stores.
GlobalSign CodeSign
GlobalSign OV Code Signing. Works with Jsign and all key stores.
EV Code Signing
Frequently asked questions about Jsign Code Signing
Find answers to the most common questions about SSL certificates and FairSSL.
--tsaurl with an RFC 3161 timestamp server (e.g. http://timestamp.digicert.com).Ready to sign with Jsign?
Create a free account and issue your first certificate in under 10 minutes.