Jump to content

[1.7.10] How to sign the jar so it can be verified using certificateFingerprint


Recommended Posts

Hello everyone,


after I found out some sites have started redistrubtiing my mod with out permission and heard of cases of them inserting malicious code I decided I want to start signing my jars. I already managed to sign them and have automated this process with gradle. I also verify the signatur myself but that of course is insecure since this code could be removed aswell.

Then I found the "certificateFingerprint" field in the @Mod annotation and wondered how that works. I tested it out and according to the log my jar is not signed even though it is (checked it by hand).


The log said this:

[21:14:28] [Client thread/ERROR] [brainStoneMod]: The mod BrainStoneMod is expecting signature da39a3ee5e6b4b0d3255bfef95601890afd80709 for source BrainStoneMod-v2.53.229 BETA DEV.jar, however there is no signature matching that description


So how exactly is this supposed to work?


I case anyone is wondering I use the following gradle code to sign them. The result is the same as using the jarsigner tool.


def signJar(archivePath) {
  if (project.hasProperty('keyStoreAlias') && project.hasProperty('keyStore') && project.hasProperty('keyStorePass')) {
      jar:                  archivePath,
      alias:                project.keyStoreAlias,
      keystore:             project.keyStore,
      storepass:            project.keyStorePass,
      preservelastmodified: true
  } else {
    println 'WARNING!!!\tCannot sign jar !'


and I modified the jar and reobf tasks too:


jar {
    doLast {
        if (!gradle.taskGraph.hasTask(reobf)) {

reobf {
    doLast {


The signing is already working.

Also the entire code can be found on GitHub: https://github.com/BrainStone/brainstone

Link to comment
Share on other sites

This topic is now closed to further replies.

  • Create New...

Important Information

By using this site, you agree to our Terms of Use.