[[CodesigningCert/CZ|česky]] | '''english'''

== Code Signing Certificates ==

== What do I need to get a code signing certificate from CAcert? ==

=== Individual CAcert users ===

For the code signing ability, you need to be an Assurer [[http://www.cacert.org/policy/CertificationPracticeStatement.php#p4.2.6|CPS 4.2.6]]. This means at least 100 assurance points and having passed the [[AssurerChallenge]]. Once that is done, you can send an email to support #at# cacert.org to request Code-Signing ability to be activated for your account.

 . For more on Assurance Points, please see [[FAQ/AssuranceIntroduction]].
 . For more on the [[AssurerChallenge]], see the [[AssuranceHandbook2]].
 . How long will it take to get the certificate at CAcert? Currently a couple of days.

=== Organisations and Codesigning ===

As of March 2008, Organisations registered with CAcert can create codesigning certificates with the name of the Organisation included in the certificate. Once the Organisation is registered, you get the ability to do codesigning. Please see '''[[Brain/EducationTraining/OrganisationAssurance/Manual| Organization Assurance Manual]]'''. For additional questions, mail to: support#at#cacert.org

=== Obtaining a Code Signing Certificate ===

Prerequisites: Code-Signing ability must be activated for your account.

 1. Log into your CAcert account
 1. Go to Client Certificate and click on [New]
 1. Check [Code Signing] and click on [Next]
 1. Request your certificate
 1. Right click on the install certificate link, choose [save as] and store your client certificate into a file

== Basic Purposes of Code Signing ==

Code signing allows end users to authenticate '''You''', the certificate holder who has written some code, for example, Java code in a ''pasta.jar'' file.

=== Beware : Code Signing ≠ Security ===

When done properly, code signing proves the authenticity and integrity of code. However, code signing provides ''no'' guarantee of the code’s safety or reliability.
So, the joke is that, at least, the end-user will know your name just before he/she lets you erase all their hard disk content. ;-) See [[http://www.schneier.com/blog/archives/2005/09/code_signing.html|Schneier on Security]] for a discussion.

== Java (Example) ==

In the ''Java'' world, the Java Virtual Machine can control the user's entire machine. This can be a security issue, so any code you download from the internet has a limited set of abilities on your computer. If you intend to use more powerful functions on the user's computer, you will have to sign the code you provide and, as a last resort, hope the user trusts you!

Please see JavaCodeSigningTest

 * /!\ the CAcert root cert has to be loaded in the JavaVM, not only in the web browser
 * Here is a copy of the modified JRE keystore with CAcert root + CAcert class 3 root certs: [[attachment:cacerts]]
  . MD5 hash: e7a2e4682d2578e4f8715909b62a8a36
  . The "cacerts" file can be found at java/jre/lib/security/. Please make a copy of the original file first.

Starting with Java 5, the jarsigner tool supports TimeStamping (on Ubuntu Linux, try '''man jarsigner''' for help), so you don't need to redeploy the application when the codesigning certificate expires. On the other hand, you need to include the certificate of the timestamp certification authority if it is not included in the JVM. Please see http://mindprod.com/jgloss/signedapplets.html

=== Examples of signed application ===

Simple examples:

 * CAcert codesigning (it needs an updated "cacerts" file): see [[http://guillaume.romagny.free.fr/pasta|tiebogos' pasta]] (it does not erase your disk, it helps avoid your pasta being overcooked)
 * Thawte freemail codesigning: see [[http://guillaume.romagny.free.fr/pasta_thawte|here]]

Any comment to guillaume (at) cacert.org please!

== Platforms that Accept CAcert Code Signing Certificates ==

A code signing certificate has special attributes to allow it to be accepted by applications from Microsoft, Sun, Mozilla, etc.
as a code signing certificate. However, these certificates will only work if the CAcert root cert is installed and trusted by the end-user '''and''' if the end-user agrees to execute the code.

== How can I use my code signing certificate? (java example) ==

The code signing privilege can be added to the new email certificates you will obtain from the CAcert website. Once you are approved, the next time you request an email certificate, you will find an option to include the code signing privilege.

See [[http://www.dallaway.com/acad/webstart/|Richard Dallaway web start & cacert, freemail thawte code signing]] or, better, here: http://www.crionics.com/products/opensource/faq/signFree.htm

( /!\ note: as of November 2009, the thawte freemail program including free java codesigning has been discontinued.)

 * list the certificates in the keystore (for a JKS keystore, use jks as the storetype and the .ks file as the keystore)
 {{{
keytool -list -storetype pkcs12 -keystore keystore.p12
}}}
 * sign the jar file
 {{{
jarsigner -storetype pkcs12 -keystore keystore.p12 pasta.jar "guillaume frederic romagny's root ca id #2"
}}}
 * sign the jar file with timestamping (make sure to keep the arguments in that order!)
 {{{
jarsigner -storetype pkcs12 -keystore keystore.p12 -tsa "http://time.certum.pl/" pasta.jar "guillaume romagny's root ca id"
}}}
 * verify the signed jar
 {{{
jarsigner -verbose -verify -certs pasta.jar
}}}

== How do I use my code signing certificate with Microsoft Authenticode? ==

In order to sign code using Microsoft Authenticode, you must break down the PKCS#12 file into the intermediate private key and PKCS#7 files that it contains in order to use it with applications supporting Authenticode. Since I have yet to see one that supports the PKCS#12 format, I have contributed instructions for doing so. See the [[Authenticode]] wiki page for instructions.

Authenticode prefers __'''timestamping to avoid redeployment'''__ of applications when the certificate expires.
https://digitalid.verisign.com/developer/help/mscs_faq.htm

Verisign timestamping service URL
{{{
http://timestamp.verisign.com/scripts/timstamp.dll
}}}

More info on TimeStamping

== Converting keystores ==

Java 1.4 can read pkcs12 format but cannot write this format. The jks Java Key Store is pretty inconvenient (pkcs12 too, btw). You may want to convert your keystore from jks to pkcs12, especially when generating a Thawte Freemail code signing certificate.

See Keytool IUI, based on the Bouncy Castle Crypto API:

 * {en} [[http://yellowcat1.free.fr/index_ktl.html|Keytool IUI]]
 * {fr} [[http://ragingcat.developpez.com/java/outils/keytool/ui/|KeyTool IUI]]
 * [[http://www.bouncycastle.org/|the Legion of the Bouncy Castle]]
 * [[http://ejbca.sf.net|EJBCA uses Bouncy Castle; you can find code & tools there]]

== Steps needed for Java developers to test a signed applet in a browser ==

You need to add the CAcert root certificate (and maybe the Class 3 sub-root cert) to the JVM CA certificate store. Under Linux, you'll find the command "ControlPanel" in the JRE "bin" folder (javacpl.exe under MS Windows).

== Linux ==

 * http://www.jukie.net/~bart/elfpgp/ (uses GPG keys)
 * http://www.hick.org/code/skape/elfsign/
 * http://sourceforge.net/projects/disec (uses GPG keys)
 * http://blogs.sun.com/roller/page/darren/Weblog/signed_solaris_10_binaries
 * http://www.dia.unisa.it/staff/luicat/home/publications/scn02.pdf (broken link)
 * http://libeccio.dia.unisa.it/wlf/ (broken link)

== Signing Mozilla XPI Packages (Firefox, Thunderbird) ==

You can use CAcert code signing certificates to sign [[http://www.mozilla.org/projects/xpinstall/|Mozilla XPI packages]] for Mozilla applications like Firefox and Thunderbird.

--(Mozilla applications require a value in the Organisation field for the UI to report that the item is signed. Only Organisations registered with CAcert can do codesigning with Mozilla plug-ins.
Please see OrganisationAssurance.)--

--(Individual CAcert users with codesigning ability can use the instructions below but Mozilla applications will still report the item as '''Unsigned'''. See [[https://bugzilla.mozilla.org/show_bug.cgi?id=372980|bug 372980]].)-- ''Fixed in Firefox 3.5.6 & Thunderbird 3.0.1pre.''

 * [[http://www.mozilla.org/projects/security/pki/nss/tools/|NSS Security tools]]
 * http://forums.tjworld.net/viewtopic.php?t=130 Comprehensive instructions on obtaining, installing, and using a code-signing certificate on '''Windows''' for Mozilla XPI extension packages.
 * http://developer.mozilla.org/en/docs/Code_snippets:Signing_a_XPI Cache of the previous link as it's no longer available
 * http://www.mozdevgroup.com/docs/pete/Signing-an-XPI.html Basic cross-platform instructions using a self-signed certificate, by Pete Collins.

To use the CAcert certificate to sign the XPI package, you should perform the following steps:

 1. Install the code signing certificate in your browser.
 1. Extract the NSS utility binaries as outlined in [[http://www.mozdevgroup.com/docs/pete/Signing-an-XPI.html|Pete's instructions]] above.
 1. Identify your certificate database, which is usually in your [[http://www.mozilla.org/support/firefox/profile#locate|profile directory]]. One way to identify your profile directory is to find all of the "key3.db" files in your home directory:
  . {{{ find ~ -name key3.db }}}
 1. If you find multiple directories, then for each directory that contains a key3.db file, you should list out the certs contained there to find your new code signing certificate (it may be marked with an "*" in the first column), using the command:
  . {{{ signtool -L -d }}}
 1. Having found the correct directory, the entry may appear as:
  . {{{ * Joe Normal's Root CA ID }}}
 1. Following the XPI signing instructions above, extract the unsigned XPI package into a directory.
 1. Run this signtool command (this command works as of [[http://www.mozilla.org/projects/security/pki/nss/nss-3.11.4/nss-3.11.4-release-notes.html|NSS 3.11.4]]):
  . {{{ signtool -d -k "Joe Normal's Root CA ID" -p -X -Z }}}
 1. Your signed XPI package will be ready.
 1. If you want to verify the signature on your package, use the following two commands:
 {{{
signtool -v
signtool -w
}}}
----

== Inputs & Thoughts ==

 . 20091206-PhilippGuehring / DieterHenning by e-mail
 . {{{
Activate Code-Signing for Organizations

> Now that code signing has been enabled, you need to issue a new certificate and, when issuing it, make sure that you activate code signing for the certificate. I believe code signing is currently hidden under "Advanced Options" in JavaScript-capable browsers.
> Kind regards,
> Philipp Gühring

The procedure is as follows.
1.) I, as Org-Admin, have to have a personal certificate issued *with* the code-signing property.
2.) After that I can *also* switch on this property for Org client certificates.
I have done this and I have the necessary information in both (new) certificates.

More precisely:
1.) You really do have to request it as an individual.
2.) Then you have to use it once, again as an individual, in a request for a client certificate.
3.) Then, as Org-Admin, you have the option to switch it on in the dialog.

Thank you for the support and kind regards
Dieter Hennig
}}}

----

 . YYYYMMDD-YourName
 . {{{
Text / Your Statements, thoughts and e-mail snippets, Please
}}}

----
'''Category''' or '''Categories'''

CategoryAudit

CategorySoftware

CategoryOrganisationAssurance

CategoryAssurance