Automic VaultAutomic Vault

brew

Install jsign with Homebrew, Nix, scoop

Tool for signing Windows executable files, installers and scripts. Version 7.4 via Homebrew; verified 2026-06-11.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install jsign

local Homebrew formula metadata

Linux

Nixverified · 92%
nix profile install nixpkgs#jsign

nixpkgs package indexes · pkgs/by-name/js/jsign/package.nix · source: api.github.com

Windows

Scoopverified · 92%
scoop install main/jsign

Scoop official bucket manifest trees · bucket/jsign.json · source: api.github.com

overview

Package summary

Tool for signing Windows executable files, installers and scripts

Commands and aliases

  • jsign

history

Project history and usage

Jsign is a Java implementation of Microsoft Authenticode signing for Windows executables, installers, packages, scripts, and related file formats. Its niche is cross-platform code signing: Linux and macOS build machines can sign Windows artifacts without depending on Microsoft's `signtool` on Windows.

Project history

The project presents itself as a platform-independent alternative to native Windows signing tools and Mono development tools. The upstream README emphasizes signing executable wrappers and installers produced by NSIS, msitools, install4j, exe4j, and launch4j, then expands into build-system tasks and a Java library.

Jsign's release history shows steady expansion from Authenticode file signing into modern signing operations. Version 4.1 in May 2022 added SSL.com eSigner integration and improved key/password handling; 5.0 in June 2023 integrated AWS KMS; 6.0 in January 2024 added APPX/MSIX and Dynamics 365 package signing; 7.0 in January 2025 added Azure Trusted Signing, Oracle Cloud, GaraSign, HashiCorp Vault Transit, Keyfactor SignServer, NuGet package signing, signature extraction/removal, and verbosity controls.

Adoption history

Jsign gained practical adoption among teams that build Windows deliverables outside Windows, or that need hardware-token and cloud-KMS signing in CI. Vendor documentation from code-signing providers documents Jsign workflows, reflecting its use as an interoperable third-party signing client rather than only an upstream developer utility.

How it is used

Common usage is to run the `jsign` CLI with a keystore, alias, password or external signing service, and one or more files to sign or timestamp. The same functionality is exposed through Maven, Gradle, Ant, GitHub Actions, and Java APIs for build pipelines that need repeatable signing steps.

Why package nerds care

Jsign matters to package people because it turns Authenticode signing into a portable build dependency. That is especially useful for reproducible or cross-platform packaging systems where Windows artifacts are produced on non-Windows infrastructure and private keys live in hardware tokens, PKCS#11 modules, or cloud KMS services.

Timeline

  • 2022: Version 4.1 adds SSL.com eSigner support and improves password and certificate handling.
  • 2023: Version 5.0 integrates AWS KMS and improves hardware-token support.
  • 2024: Version 6.0 adds APPX/MSIX signing and a JCA provider.
  • 2025: Version 7.0 adds multiple cloud signing services, NuGet package signing, and signature-management commands.
  • 2025: Versions 7.1 through 7.4 add SignPath, EFI multiple signatures, CryptoCertum support, and further cloud/token fixes.

Related projects

  • Jsign is related to Microsoft's `signtool`, Mono's Authenticode tooling, `osslsigncode`, Java `jarsigner` workflows through its JCA provider, and installer/package generators such as NSIS, MSI tooling, install4j, exe4j, launch4j, APPX/MSIX, and NuGet.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 1 platform targets.
  • Installs with 1 runtime dependencies.
  • Build metadata lists 1 build dependencies.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
jsigncliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version7.4
manager updated2026-06-11
local dataok
upstreamcurrent
latest detected7.4

https://github.com/ebourg/jsign

  • okNo freshness warnings were generated.

install metadata

Package metadata

Package keybrew:jsign
Version7.4
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/jsign
Homepagehttps://ebourg.github.io/jsign/
Repositoryhttps://github.com/ebourg/jsign
Upstream docshttps://ebourg.github.io/jsign
LicenseApache-2.0
Source archivehttps://github.com/ebourg/jsign/archive/refs/tags/7.4.tar.gz
Last updated2026-06-11T20:40:15-04:00
Pulseupdated
Dependenciesopenjdk@21
Build dependenciesmaven
Bottleavailable (on all)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namejsign
Version Scheme0
Revision0
Head VersionHEAD
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • head
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Nix95%

jsign

nix profile install nixpkgs#jsign
  • normalized package name match
  • Matched by: Jsign
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/js/jsign/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
Scoop95%

main/jsign

scoop install main/jsign
  • normalized package name match
  • Matched by: Jsign
Scoop official bucket manifest trees · api.github.com · Scoop official bucket manifest trees: bucket/jsign.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment