# Install jsign with Homebrew, Nix, scoop

Tool for signing Windows executable files, installers and scripts. Version 7.4 via Homebrew; verified 2026-06-11.

## Install

```sh
sudo av install brew:jsign
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install jsign
```

  Evidence: local Homebrew formula metadata

### Linux

- Nix (92%):

```sh
nix profile install nixpkgs#jsign
```

  Evidence: nixpkgs package indexes: pkgs/by-name/js/jsign/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

### Windows

- Scoop (92%):

```sh
scoop install main/jsign
```

  Evidence: Scoop official bucket manifest trees: bucket/jsign.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1

## Package facts

- **Package key:** brew:jsign
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/jsign>
- **Version:** 7.4
- **Source summary:** Tool for signing Windows executable files, installers and scripts
- **Homepage:** <https://ebourg.github.io/jsign/>
- **Repository:** <https://github.com/ebourg/jsign>
- **Upstream docs:** <https://ebourg.github.io/jsign>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/ebourg/jsign/archive/refs/tags/7.4.tar.gz>
- **Last updated:** 2026-06-11T20:40:15-04:00
- **Generated:** 2026-07-08T18:08:21+00:00

## Executables

- jsign (cli)
- jsign (alias)

## Dependencies

- openjdk@21

## Build dependencies

- maven

## Install behavior

- Post-install hook: not defined
- Bottle: available on all

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 7.4
- Package-manager updated: 2026-06-11
- Local data: ok
- Upstream repository: https://github.com/ebourg/jsign
- Upstream latest detected: 7.4 (current)
## Project history and usage

Jsign is a Java implementation of Microsoft Authenticode signing for Windows executables, installers, packages, scripts, and related file formats. Its niche is cross-platform code signing: Linux and macOS build machines can sign Windows artifacts without depending on Microsoft's `signtool` on Windows.

### Project history

The project presents itself as a platform-independent alternative to native Windows signing tools and Mono development tools. The upstream README emphasizes signing executable wrappers and installers produced by NSIS, msitools, install4j, exe4j, and launch4j, then expands into build-system tasks and a Java library.

Jsign's release history shows steady expansion from Authenticode file signing into modern signing operations. Version 4.1 in May 2022 added SSL.com eSigner integration and improved key/password handling; 5.0 in June 2023 integrated AWS KMS; 6.0 in January 2024 added APPX/MSIX and Dynamics 365 package signing; 7.0 in January 2025 added Azure Trusted Signing, Oracle Cloud, GaraSign, HashiCorp Vault Transit, Keyfactor SignServer, NuGet package signing, signature extraction/removal, and verbosity controls.

### Adoption history

Jsign gained practical adoption among teams that build Windows deliverables outside Windows, or that need hardware-token and cloud-KMS signing in CI. Vendor documentation from code-signing providers documents Jsign workflows, reflecting its use as an interoperable third-party signing client rather than only an upstream developer utility.

### How it is used

Common usage is to run the `jsign` CLI with a keystore, alias, password or external signing service, and one or more files to sign or timestamp. The same functionality is exposed through Maven, Gradle, Ant, GitHub Actions, and Java APIs for build pipelines that need repeatable signing steps.

### Why package nerds care

Jsign matters to package people because it turns Authenticode signing into a portable build dependency. That is especially useful for reproducible or cross-platform packaging systems where Windows artifacts are produced on non-Windows infrastructure and private keys live in hardware tokens, PKCS#11 modules, or cloud KMS services.

### Timeline

- 2022: Version 4.1 adds SSL.com eSigner support and improves password and certificate handling.
- 2023: Version 5.0 integrates AWS KMS and improves hardware-token support.
- 2024: Version 6.0 adds APPX/MSIX signing and a JCA provider.
- 2025: Version 7.0 adds multiple cloud signing services, NuGet package signing, and signature-management commands.
- 2025: Versions 7.1 through 7.4 add SignPath, EFI multiple signatures, CryptoCertum support, and further cloud/token fixes.

### Related projects

- Jsign is related to Microsoft's `signtool`, Mono's Authenticode tooling, `osslsigncode`, Java `jarsigner` workflows through its JCA provider, and installer/package generators such as NSIS, MSI tooling, install4j, exe4j, launch4j, APPX/MSIX, and NuGet.

### Sources

- <https://docs.digicert.com/en/software-trust-manager/client-tools/signing-tools/third-party-signing-tool-integrations/jsign.html>
- <https://ebourg.github.io/jsign>
- <https://github.com/ebourg/jsign>
- <https://github.com/ebourg/jsign/blob/master/README.md>
- <https://github.com/ebourg/jsign/releases>


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** jsign
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Nix - jsign: normalized package name match | nixpkgs package indexes: pkgs/by-name/js/jsign/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- Scoop - main/jsign: normalized package name match | Scoop official bucket manifest trees: bucket/jsign.json from https://api.github.com/repos/ScoopInstaller/Main/git/trees/master?recursive=1


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [openjdk@21](https://www.automicvault.com/pkg/brew/openjdk-21/) - Runtime dependency declared by Homebrew.
- [maven](https://www.automicvault.com/pkg/brew/maven/) - Build dependency declared by Homebrew.
- [osslsigncode](https://www.automicvault.com/pkg/brew/osslsigncode/) - Shares av.db curated category or tags: authenticode, cli, code-signing, security, windows.
- [zsign](https://www.automicvault.com/pkg/brew/zsign/) - Shares av.db curated category or tags: cli, code-signing, security.
- [aide](https://www.automicvault.com/pkg/brew/aide/) - Shares av.db curated category or tags: cli, security.
- [aircrack-ng](https://www.automicvault.com/pkg/brew/aircrack-ng/) - Shares av.db curated category or tags: cli, security.
- [amass](https://www.automicvault.com/pkg/brew/amass/) - Shares av.db curated category or tags: cli, security.
- [anubis](https://www.automicvault.com/pkg/brew/anubis/) - Shares av.db curated category or tags: cli, security.
- [authoscope](https://www.automicvault.com/pkg/brew/authoscope/) - Shares av.db curated category or tags: cli, security.
- [azurehound](https://www.automicvault.com/pkg/brew/azurehound/) - Shares av.db curated category or tags: cli, security.
- [ghidra](https://www.automicvault.com/pkg/brew/ghidra/) - Security-sensitive metadata or terminology overlaps. Shared terms: cli, openjdk, openjdk-21, security.

## Combined YAML source

View the package source record on GitHub. [combined/jsign.yml](https://github.com/automic-vault/db/blob/main/combined/jsign.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
