Skip to main content
This guide assumes your Product Admin has already created a Signer and assigned you to it. If the signer has an approval policy, you’ll also need active access before signing.
Sign Java JAR files using jarsigner with the Infisical PKCS#11 module. The module implements the PKCS#11 v2.40 standard, allowing standard signing tools to use Infisical signers without code changes.

Prerequisites

Step 1: Set Up Authentication

Configure the Infisical PKCS#11 module with your machine identity credentials. Without this, the signing commands below fail with an auth error. Create /etc/infisical/pkcs11.conf (or set INFISICAL_PKCS11_CONFIG to point elsewhere): 
auth:
  method: universal-auth
  universal_auth:
    client_id: "<machine-identity-client-id>"
    client_secret: "<machine-identity-client-secret>"

signer:
  id: "<signer-id>"
You can also pass the credentials via environment variables: 
export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="<machine-identity-client-id>"
export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="<machine-identity-client-secret>"
Environment variables override values from the config file.
For the full set of options, see the PKCS#11 module configuration reference.

Step 2: Create the SunPKCS11 Provider Configuration

Create a configuration file for Java’s SunPKCS11 provider. Save it as infisical-pkcs11.cfg: 
name = Infisical
library = /usr/local/lib/libinfisical-pkcs11.so
On macOS, use the .dylib extension. On Windows, use .dll.
If you have multiple signers and want to target a specific one, add the slot parameter: 
name = Infisical
library = /usr/local/lib/libinfisical-pkcs11.so
slot = 0

Step 3: Sign a JAR

Use jarsigner with the PKCS#11 provider to sign your JAR file: 
jarsigner \
  -keystore NONE \
  -storetype PKCS11 \
  -addprovider SunPKCS11 \
  -providerArg infisical-pkcs11.cfg \
  -sigalg SHA256withRSA \
  myapp.jar \
  "release-signer"
  • -keystore NONE: Required when using PKCS#11 (no file-based keystore).
  • -storetype PKCS11: Tells jarsigner to use the PKCS#11 provider.
  • -sigalg: Must match the signer’s key type. Use SHA256withRSA for RSA keys or SHA256withECDSA for EC keys.
  • The last argument (release-signer) is the signer name (the token label in PKCS#11).
When prompted for a keystore password, you can either press Enter (the module authenticates automatically using the credentials from your environment variables or config file) or provide the PIN in the format clientId:clientSecret.

Verify the Signature

After signing, verify the JAR signature: 
jarsigner -verify -verbose myapp.jar
The output indicates the JAR is signed and verified: 
jar verified.

CI/CD Integration

For automated signing in CI/CD pipelines, use environment variables for credentials and suppress the password prompt: 
export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="${INFISICAL_CLIENT_ID}"
export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="${INFISICAL_CLIENT_SECRET}"
export INFISICAL_PKCS11_CONFIG="/path/to/pkcs11.conf"

jarsigner \
  -keystore NONE \
  -storetype PKCS11 \
  -addprovider SunPKCS11 \
  -providerArg infisical-pkcs11.cfg \
  -sigalg SHA256withRSA \
  -storepass "" \
  myapp.jar \
  "release-signer"
  • Use -storepass "" to avoid the interactive password prompt in non-interactive environments.
  • Ensure your machine identity has active signing access before the build starts. You can automate access requests via the Infisical API.

Troubleshooting

For any issue, start by enabling debug logging in your config file to get detailed output: 
{
  "log_level": "debug",
  "log_file": "/tmp/infisical-pkcs11.log"
}
This typically means the signing request was denied by the server. Check that you have active signing access for the signer. You can verify this in the Infisical UI by opening the signer’s Approvals tab and looking at the Requests panel.
Verify that your credentials are correct and that the machine identity has been added to the Signer.

What’s Next?

Sign Android APKs

Sign Android applications with apksigner

Sign with OpenSSL

Use OpenSSL with the PKCS#11 module