What is a Code-Signing Cert?
Code signing allows end-users to authenticate You, the certificate holder who has written some code, for example, java code in a pasta.jar file.
In the Java World, the Java Virtual Machine can control all the user's machine. Yes, it can be a security issue. So, any code you can download on the internet has a limited set of abilities on your computer. Then, if you intend to use more powerful functions on the user's computer, you will have to sign the code you provide. And hope the user to trust you as a last resort !
A code signing cert has special attributes FootNote(or no special attributes at all) to allow it to be accepted by applications from Microsoft, Sun, Mozilla, etc. as a code signing certificate.
But it will only work if the CAcert root cert is installed and trusted by the end-user and if the end-user agrees to execute the code.
Note : there is no attempt to determine if you (the programmer) are competent at writing secure code. So, the joke is that at least the end-user will know your name just before they let you erase all their hard disk content
Simple examples :
CAcert codesigning : see [http://pasta.grhq.net here] (it does not erase your disk, it helps avoid your pasta being overcooked)
Thawte freemail codesigning : see [http://www.grhq.net/pasta_thawte here]
Pay Attention
the CAcert root cert has to be loaded in the JavaVM not only in the web browser
What do I need to get a code-signing cert?
For the code signing ability, you will need to have at least 100 trust points, and CAcert has to check a (scanned) copy of your photo ID. Then you have to send an email to support #at# cacert.org to request Code-Signing ability to be activated for your account.
Include the scanned id, even if you've already sent id copies via the TTP process.
How long will it take to get the Cert?
Currently a couple of days.
How can I use my Code-signing Cert?
The code signing privilege can be added to the new email certificates you will obtain from the CAcert website.
Once you are approved, the next time you'll request an email certificate, you will find an option to include the code-signing priviledge.
see [http://www.dallaway.com/acad/webstart/ Richard Dallaway web start & cacert, freemail thawte code signing]
- list the certificates in the keystore (replace jks for storetype and .ks as keystore)
keytool -list -storetype pkcs12 -keystore keystore.p12
- sign the jar file
jarsigner -storetype pkcs12 -keystore keystore.p12 pasta.jar "guillaume frederic romagny's root ca id #2"
- verify the signed jar
jarsigner -verbose -verify -certs pasta.jar
Converting keystores
Java 1.4 can read pkcs12 format but cannot write this format. The jks Java key Store is pretty unconvenient (pkcs12 too btw). You may want to convert your keystore from jks to pkcs12. Especially when generating a Thawte Freemail code signing certificate.
see Keytool IUI based on Bouncy Castle Crypto API
{en} [http://yellowcat1.free.fr/index_ktl.html Keytool IUI]
{fr} [http://ragingcat.developpez.com/java/outils/keytool/ui/ KeyTool IUI]
[http://www.bouncycastle.org/ the Legion of the Bouncy Castle]
[http://ejbca.sf.net EJBCA use Bouncy Castle you can find code & tools]
Steps needed for java developpers to test a signed applet in a browser
You need to add the CAcert root certificate (and maybe the Class 3 sub-root cert) in the JVM CA certificate store. Under Linux, you'll find the command "ControlPanel" in the JRE "bin" folder (javacpl.exe under MS Windows).
Linux
[http://sourceforge.net/projects/disec] (uses GPG keys)
[http://blogs.sun.com/roller/page/darren/Weblog/signed_solaris_10_binaries]
[http://www.dia.unisa.it/staff/luicat/home/publications/scn02.pdf]
Signing Firefox XPI Files
[http://forums.tjworld.net/viewtopic.php?t=130] Comprehensive instructions on obtaining, installing, and using a code-signing certificate on Windows for Mozilla XPI extension packages.
[http://www.mozdevgroup.com/docs/pete/Signing-an-XPI.html] Basic Instructions, which uses a self-signed certificate.
To use the CAcert certificate to sign the XPI, you:
- After installing the code-signing cert in your browser, and after you've created and
- installed the NSS utility binaries as outlined in Pete's instructions above, you must find all the "key3.db" files in your home directory:
find ~ -name key3.db
- installed the NSS utility binaries as outlined in Pete's instructions above, you must find all the "key3.db" files in your home directory:
- Then, for each directory that contains a key3.db file, you list out the
- certs contained there, and find your new code-signing cert (It will be marked with an "*" in the first column, using the command:
signtool -L -d <dir containing key3.db file>
- certs contained there, and find your new code-signing cert (It will be marked with an "*" in the first column, using the command:
- Having found the correct directory, and the entry might look so:
* Joe Normal's Root CA ID
- Following the XPI signing instructions above, explode the unsigned XPI file into a dir,
- and issue the command:
signtool -d <the key3.db dir> -k "Joe Normal's Root CA ID" -p <the-magic-password> <xploded-XPI-dir>
- and issue the command:
- If all goes well, you then continue following the directions, and zip up the signed XPI file, and
- you are done!