What is a Code-Signing Cert?

Code signing allows end-users to authenticate you, the certificate holder who has written some code, for example, java code in a .jar file.

A code signing cert has special attributes to allow it to be accepted by applications from Microsoft, Sun, Mozilla, etc as a code signing certificate. But it will only work if the CAcert root cert is installed and trusted by the end-user *and* if the end-user agrees to execute the code.

Note that there is no attempt to determine if you (the programmer) are competent at writing secure code. So, the joke goes that at least the end user will know your name just before they let you erase all their hard disk content ;)

What do I need to get a code-signing cert?

For code signing you need to have at least 100 points, and CAcert has to have a (scanned) copy of your photo ID. Then you have to send an email to support #at# cacert.org to ask to activate Code-Signing for your account.

Include the scanned image, even if you already filed such images via the TTP process.

How long will it take to get the Cert?

Be patient. One user sent in a letter on 25 Apr 2005, and a reminder 29 May 2005. A response came 19 July 2005.

How can I use my Code-signing Cert?

The code signing privilege can be added to new email certificates you obtain from the CAcert website. Once you are approved, you will see, when you go the CAcert website, and log in, that when you choose to obtain a new personal certificate, that you will have the option to include the code-signing privilege.

Linux

Signing Firefox XPI Files

To use the CAcert certificate to sign the XPI, you:

  1. After installing the code-signing cert in your browser, and after you've created and
    • installed the NSS utility binaries as outlined in Pete's instructions above, you must find all the "key3.db" files in your home directory:
      • find ~ -name key3.db

  2. Then, for each directory that contains a key3.db file, you list out the
    • certs contained there, and find your new code-signing cert (It will be marked with an "*" in the first column, using the command:
      • signtool -L -d <dir containing key3.db file>

  3. Having found the correct directory, and the entry might look so:
    • * Joe Normal's Root CA ID

  4. Following the XPI signing instructions above, explode the unsigned XPI file into a dir,
    • and issue the command:
      • signtool -d <the key3.db dir> -k "Joe Normal's Root CA ID" -p <the-magic-password> <xploded-XPI-dir>

  5. If all goes well, you then continue following the directions, and zip up the signed XPI file, and
    • you are done!