In the following steps, we explore how to sign Java JAR files using jarsigner with the Infisical PKCS#11 module. The module implements the PKCS#11 v2.40 standard, allowing standard signing tools to use Infisical signers without code changes.

Prerequisites

Step 1: Create the SunPKCS11 Provider Configuration

Create a configuration file for Java’s SunPKCS11 provider. Save it as infisical-pkcs11.cfg:
name = Infisical
library = /usr/local/lib/libinfisical-pkcs11.so
On macOS, use the .dylib extension. On Windows, use .dll.
If you have multiple signers and want to target a specific one, add the slot parameter:
name = Infisical
library = /usr/local/lib/libinfisical-pkcs11.so
slot = 0

Step 2: Sign a JAR

Use jarsigner with the PKCS#11 provider to sign your JAR file:
jarsigner \
  -keystore NONE \
  -storetype PKCS11 \
  -addprovider SunPKCS11 \
  -providerArg infisical-pkcs11.cfg \
  -sigalg SHA256withRSA \
  myapp.jar \
  "release-signer"
  • -keystore NONE: Required when using PKCS#11 (no file-based keystore).
  • -storetype PKCS11: Tells jarsigner to use the PKCS#11 provider.
  • -sigalg: Must match the signer’s key type. Use SHA256withRSA for RSA keys or SHA256withECDSA for EC keys.
  • The last argument (release-signer) is the signer name (the token label in PKCS#11).
When prompted for a keystore password, you can either press Enter (the module authenticates automatically using the credentials from your environment variables or config file) or provide the PIN in the format clientId:clientSecret.

Verify the Signature

After signing, verify the JAR signature:
jarsigner -verify -verbose myapp.jar
The output indicates the JAR is signed and verified:
jar verified.

CI/CD Integration

For automated signing in CI/CD pipelines, use environment variables for credentials and suppress the password prompt:
export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="${INFISICAL_CLIENT_ID}"
export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="${INFISICAL_CLIENT_SECRET}"
export INFISICAL_PKCS11_CONFIG="/path/to/pkcs11.conf"

jarsigner \
  -keystore NONE \
  -storetype PKCS11 \
  -addprovider SunPKCS11 \
  -providerArg infisical-pkcs11.cfg \
  -sigalg SHA256withRSA \
  -storepass "" \
  myapp.jar \
  "release-signer"
  • Use -storepass "" to avoid the interactive password prompt in non-interactive environments.
  • Ensure your machine identity has an active signing grant before the build starts. You can automate grant requests via the Infisical API.
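The steps above (provider config, signing, verification, CI credentials) combined into one script, as an added example that is not part of the Infisical docs; the library path, config file name, signer name and the INFISICAL_TEST_VAR-style variable names it checks are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the Infisical docs: a CI helper for the jarsigner +
# SunPKCS11 flow above. Library path, config name and signer name are assumptions.
set -eu
# Shared-library extension per host: .so on Linux, .dylib on macOS, .dll on Windows.
pkcs11_lib_path() {
  prefix="${1:-/usr/local/lib/libinfisical-pkcs11}"
  case "$(uname -s)" in
    Darwin)               echo "${prefix}.dylib" ;;
    MINGW*|MSYS*|CYGWIN*) echo "${prefix}.dll" ;;
    *)                    echo "${prefix}.so" ;;
  esac
}
# Write the SunPKCS11 provider config; the third argument (slot) is optional.
write_provider_cfg() {
  out="$1"; lib="$2"; slot="${3:-}"
  {
    echo "name = Infisical"
    echo "library = ${lib}"
    if [ -n "$slot" ]; then echo "slot = ${slot}"; fi
  } > "$out"
}
# Fail early (before jarsigner prompts) if a credential variable is unset or empty.
require_env() {
  missing=0
  for v in "$@"; do
    eval "val=\"\${$v:-}\""
    if [ -z "$val" ]; then echo "missing required variable: $v" >&2; missing=1; fi
  done
  return "$missing"
}

# Gate on captured `jarsigner -verify` text: without -strict, jarsigner exits 0 even
# when it prints warnings (e.g. an untrusted signer chain), so also reject warning lines.
verify_output_clean() {
  printf '%s\n' "$1" | grep -q '^jar verified\.' || return 1
  if printf '%s\n' "$1" | grep -qi 'warning'; then return 1; fi
  return 0
}

# Sign with the Infisical signer, then verify; -strict turns warnings into a non-zero exit.
sign_and_verify() {
  cfg="$1"; jar="$2"; signer="$3"; sigalg="${4:-SHA256withRSA}"
  require_env INFISICAL_UNIVERSAL_AUTH_CLIENT_ID INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET
  jarsigner -keystore NONE -storetype PKCS11 -addprovider SunPKCS11 \
    -providerArg "$cfg" -sigalg "$sigalg" -storepass "" -strict "$jar" "$signer"
  out="$(jarsigner -verify -verbose -strict "$jar")" || return 1
  verify_output_clean "$out"
}
```

Call it as `sign_and_verify infisical-pkcs11.cfg myapp.jar release-signer` (or pass `SHA256withECDSA` as a fourth argument for an EC signer); a run only succeeds when jarsigner reports a clean, warning-free verification.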

Troubleshooting

For any issue, start by enabling debug logging in your config file to get detailed output:
{
  "log_level": "debug",
  "log_file": "/tmp/infisical-pkcs11.log"
}
This typically means the signing request was denied by the server. Check that you have an active signing grant for the signer. You can verify this in the Infisical UI under Code Signing > Approvals > Grants.
Verify that your credentials and project_id are correct, and that the machine identity has been added to the project with the appropriate permissions.