What is a Code-Signing Cert?
Code signing allows end-users to authenticate You, the certificate holder who has written some code, for example, java code in a pasta.jar file.
In the Java World, the Java Virtual Machine can control all the user's machine. So, the code you can download on the internet has a limited set of abilities on your computer. If you intend to use special priviledges (controling more functions on the computer) you have to sign the code you provide. And hope the user to trust you !
A code signing cert has special attributes (or no special attributes at all) to allow it to be accepted by applications from Microsoft, Sun, Mozilla, etc as a code signing certificate. But it will only work if the CAcert root cert is installed and trusted by the end-user *and* if the end-user agrees to execute the code.
Note that there is no attempt to determine if you (the programmer) are competent at writing secure code. So, the joke is that at least the end user will know your name just before they let you erase all their hard disk content 
Examples :
CAcert codesigning : see [http://pasta.grhq.net here] (it does not erase your disk, it helps avoid your pasta being overcooked)
Thawte freemail codesigning : see [http://www.grhq.net/pasta_thawte here]
Pay Attention
![/!\](/moin_static199/cacert/img/alert.png "/!\")
the CAcert root cert has to be loaded in the JavaVM not only in the web browser
What do I need to get a code-signing cert?
For code signing you need to have at least 100 points, and CAcert has to check a (scanned) copy of your photo ID. Then you have to send an email to support #at# cacert.org to request Code-Signing ability for your account.
Include the scanned id, even if you've already sent id copies via the TTP process.
How long will it take to get the Cert?
Currently a couple of days.
How can I use my Code-signing Cert?
The code signing privilege can be added to the new email certificates you'll obtain from the CAcert website.
Once you are approved, the next time you'll request an email certificate, you will find an option to include the code-signing priviledge.
see [http://www.dallaway.com/acad/webstart/ Richard Dallaway web start & cacert, freemail thawte code signing]
- list the certificates in the keystore (replace jks for storetype and .ks as keystore)
keytool -list -storetype pkcs12 -keystore keystore.p12
- sign the jar file
jarsigner -storetype pkcs12 -keystore keystore.p12 pasta.jar "guillaume frederic romagny's root ca id #2"
- verify the signed jar
jarsigner -verbose -verify -certs pasta.jar
Converting keystores
Java 1.4 can read pkcs12 format but cannot write this format. The jks Java key Store is pretty unconvenient (pkcs12 too btw). You may want to convert your keystore from jks to pkcs12. Especially when generating a Thawte Freemail code signing certificate.
see Keytool IUI based on Bouncy Castle Crypto API
{en} [http://yellowcat1.free.fr/index_ktl.html Keytool IUI]
{fr} [http://ragingcat.developpez.com/java/outils/keytool/ui/ KeyTool IUI]
[http://www.bouncycastle.org/ the Legion of the Bouncy Castle]
[http://ejbca.sf.net EJBCA use Bouncy Castle you can find code & tools]
Steps needed for java developpers to test a signed applet in a browser
You need to add the CAcert root certificate (and maybe the Class 3 sub-root cert) in the JVM CA certificate store. Under Linux, you'll find the command "ControlPanel" in the JRE "bin" folder (javacpl.exe under MS Windows).
Linux
[http://sourceforge.net/projects/disec] (uses GPG keys)
[http://blogs.sun.com/roller/page/darren/Weblog/signed_solaris_10_binaries]
[http://www.dia.unisa.it/staff/luicat/home/publications/scn02.pdf]
Signing Firefox XPI Files
[http://forums.tjworld.net/viewtopic.php?t=130] Comprehensive instructions on obtaining, installing, and using a code-signing certificate on Windows for Mozilla XPI extension packages.
[http://www.mozdevgroup.com/docs/pete/Signing-an-XPI.html] Basic Instructions, which uses a self-signed certificate.
To use the CAcert certificate to sign the XPI, you:
- After installing the code-signing cert in your browser, and after you've created and
- installed the NSS utility binaries as outlined in Pete's instructions above, you must find all the "key3.db" files in your home directory:
find ~ -name key3.db
- installed the NSS utility binaries as outlined in Pete's instructions above, you must find all the "key3.db" files in your home directory:
- Then, for each directory that contains a key3.db file, you list out the
- certs contained there, and find your new code-signing cert (It will be marked with an "*" in the first column, using the command:
signtool -L -d <dir containing key3.db file>
- certs contained there, and find your new code-signing cert (It will be marked with an "*" in the first column, using the command:
- Having found the correct directory, and the entry might look so:
* Joe Normal's Root CA ID
- Following the XPI signing instructions above, explode the unsigned XPI file into a dir,
- and issue the command:
signtool -d <the key3.db dir> -k "Joe Normal's Root CA ID" -p <the-magic-password> <xploded-XPI-dir>
- and issue the command:
- If all goes well, you then continue following the directions, and zip up the signed XPI file, and
- you are done!