What is a Code-Signing Cert?

TableOfContents

What do I need to get a codesigning cert?

For the code signing ability, you will need to have at least 100 trust points, and CAcert has to check a (scanned) copy of your photo ID. Then you have to send an email to support #at# cacert.org to request Code-Signing ability to be activated for your account.

Include the scanned id, even if you've already sent id copies via the TTP process.

How long will it take to get the Cert?

Currently a couple of days.

basic purpose of Codesigning

Code signing allows end-users to authenticate You, the certificate holder who has written some code, for example, java code in a pasta.jar file.

the Java World

In the Java World, the Java Virtual Machine can control all the user's machine. Yes, it can be a security issue. So, any code you can download on the internet has a limited set of abilities on your computer. Then, if you intend to use more powerful functions on the user's computer, you will have to sign the code you provide. And hope the user to trust you as a last resort !

Pay Attention

M$ too

A code signing cert has special attributes FootNote(or no special attributes at all) to allow it to be accepted by applications from Microsoft, Sun, Mozilla, etc. as a code signing certificate.

see Authenticode part below

Ok fine but...

But it will only work if the CAcert root cert is installed and trusted by the end-user and if the end-user agrees to execute the code.

joke :)

Note : there is no attempt to determine if you are competent at writing secure code. So, the joke is that, at least, the end-user will know your name just before he/she let you erase all their hard disk content ;-)

examples

Simple examples :

How can I use my Code-signing Cert?

The code signing privilege can be added to the new email certificates you will obtain from the CAcert website.

Once you are approved, the next time you'll request an email certificate, you will find an option to include the code-signing priviledge.

see [http://www.dallaway.com/acad/webstart/ Richard Dallaway web start & cacert, freemail thawte code signing]

keytool -list -storetype pkcs12 -keystore keystore.p12

jarsigner -storetype pkcs12 -keystore keystore.p12 pasta.jar "guillaume frederic romagny's root ca id #2"

jarsigner -verbose -verify -certs pasta.jar

Microsoft : can I use my codesigning certificate with Authenticode?

Yes you can! In order to do so you must break down the PKCS#12 file into the intermediate private key and PKCS#7 files tha it contains in order to use it with applications supporting Authenticode. Since I have yet to see one that supports the PKCS#12 format yet I have contributed instructions in doing so. see the ["Authenticode"] wiki page for instructions.

Authenticode prefers timestamping to avoid redeployment of applications when certificate expires. https://digitalid.verisign.com/developer/help/mscs_faq.htm

Verisign timestamping service URL

http://timestamp.verisign.com/scripts/timstamp.dll

More info on TimeStamping

Converting keystores

Java 1.4 can read pkcs12 format but cannot write this format. The jks Java key Store is pretty unconvenient (pkcs12 too btw). You may want to convert your keystore from jks to pkcs12. Especially when generating a Thawte Freemail code signing certificate.

see Keytool IUI based on Bouncy Castle Crypto API

Steps needed for java developpers to test a signed applet in a browser

You need to add the CAcert root certificate (and maybe the Class 3 sub-root cert) in the JVM CA certificate store. Under Linux, you'll find the command "ControlPanel" in the JRE "bin" folder (javacpl.exe under MS Windows).

Linux

Signing Firefox XPI Files

To use the CAcert certificate to sign the XPI, you:

  1. After installing the code-signing cert in your browser, and after you've created and
    • installed the NSS utility binaries as outlined in Pete's instructions above, you must find all the "key3.db" files in your home directory:
      • find ~ -name key3.db

  2. Then, for each directory that contains a key3.db file, you list out the
    • certs contained there, and find your new code-signing cert (It will be marked with an "*" in the first column, using the command:
      • signtool -L -d <dir containing key3.db file>

  3. Having found the correct directory, and the entry might look so:
    • * Joe Normal's Root CA ID

  4. Following the XPI signing instructions above, explode the unsigned XPI file into a dir,
    • and issue the command:
      • signtool -d <the key3.db dir> -k "Joe Normal's Root CA ID" -p <the-magic-password> <xploded-XPI-dir>

  5. If all goes well, you then continue following the directions, and zip up the signed XPI file, and
    • you are done!