02 February 2013

Code signing jar and exe files

It is possible to buy a single code signing certificate that can be used to sign both Java jar files and Windows executable exe files.

A cheap source for a certificate is Tucows with one year currently costing US$75. Tucows are a reseller for Comodo, but the certificates are more expensive from Comodo direct.

Along the way, I'm going to create P12, 2 x PFX, PEM, PVK, CERT and SPC files. You'll need one of the PFX files to sign JARs and the SPC/PVK files to sign EXEs.

Getting the certificates

Working in Windows, I bought the certificate in Firefox. Within a couple of days I was phoned by Comodo to confirm my identity, and the certificate was issued. I collected the certificate in the same browser, i.e. it was installed in Firefox.

Using these instructions, I saved the certificate from Firefox into a .P12 file.

The next task is to import the certificate into Windows Internet Explorer. In Windows Explorer, double-click on the P12 file to start the Certificate Import Wizard. Choose your .p12 file. Tick (a) Enable strong private key encryption (b) Mark this key as exportable and (c) Include all extended properties. Click through until you can set the security level to High with a password of your choice.

The certificate should now be installed in Internet Explorer. Find it in Tools, Internet Options, Content, Certificates. Follow these instructions to create a PFX file suitable for signing JAR files. As per the instructions, tick the "Include all certificates" option. I saved the eventual file with a name like mycert.jar.pfx.

To get the SPC/PVK files to sign EXEs, you need to run the Internet Explorer certificate export wizard again. This time do not tick "Include all certificates". I saved the eventual file with a name like mycert.exe.pfx.

Now continue with these instructions to create the PVK and SPC files. You will need to install openssl if you don't have it already. I ran these from the openssl bin directory:

openssl pkcs12 -in \certs\mycert.exe.pfx -nocerts -nodes -out \certs\mycert.pem
openssl rsa -in \certs\mycert.pem -outform PVK -pvk-strong -out \certs\mycert.pvk
openssl pkcs12 -in \certs\mycert.exe.pfx -nokeys -out \certs\mycert.cert
openssl crl2pkcs7 -nocrl -certfile \certs\mycert.cert -outform DER -out \certs\mycert.spc

I ignored the warning "WARNING: can't open config file: /usr/local/ssl/openssl.cnf"

Back up all the created files carefully.
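The openssl commands above write the PVK and SPC files without telling you much about what went into them. The script below is an added example, not part of the original post: using only the Python standard library it reads the .pvk header and the outer DER structure of the .spc, so you can confirm that the private key blob was actually written with the encrypted flag set (what -pvk-strong is for) and that the SPC is a PKCS#7 signedData structure carrying your certificate chain. It assumes the file names used above (\certs\mycert.pvk and \certs\mycert.spc); the sample bytes embedded in it are constructed stand-ins, not real key material.

```python
"""Sanity-check the PVK and SPC files made by the openssl commands above.
Added example, not from the original post; standard library only.
"""
import struct
import sys

PVK_MAGIC = 0xB0B5F11E
PVK_HEADER = struct.Struct("<IIIIII")   # magic, reserved, keytype, is_encrypted, saltlen, keylen
BLOB_HEADER = struct.Struct("<BBHI")    # Microsoft BLOBHEADER: bType, bVersion, reserved, aiKeyAlg
KEY_TYPES = {1: "AT_KEYEXCHANGE", 2: "AT_SIGNATURE"}
KEY_ALGS = {0x0000A400: "CALG_RSA_KEYX", 0x00002400: "CALG_RSA_SIGN", 0x00002200: "CALG_DSS_SIGN"}
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1


def parse_pvk(data):
    """Decode the 24-byte PVK header and the clear-text BLOBHEADER after the salt."""
    if len(data) < PVK_HEADER.size:
        raise ValueError("PVK: shorter than the 24-byte header")
    magic, reserved, keytype, encrypted, saltlen, keylen = PVK_HEADER.unpack_from(data)
    if magic != PVK_MAGIC:
        raise ValueError("PVK: bad magic 0x%08x" % magic)
    if reserved != 0:
        raise ValueError("PVK: reserved field is not zero")
    blob_start = PVK_HEADER.size + saltlen
    if len(data) != blob_start + keylen:
        raise ValueError("PVK: header promises %d blob bytes, file holds %d"
                         % (keylen, len(data) - blob_start))
    # Only the 8-byte BLOBHEADER is in the clear; with -pvk-strong everything
    # after it is RC4-encrypted under a key derived from SHA-1(salt || password).
    btype, bver, _, alg = BLOB_HEADER.unpack_from(data, blob_start)
    if btype != 0x07 or bver != 0x02:
        raise ValueError("PVK: expected PRIVATEKEYBLOB v2, got type 0x%02x v%d" % (btype, bver))
    return {"key_type": KEY_TYPES.get(keytype, keytype), "encrypted": bool(encrypted),
            "salt_len": saltlen, "key_alg": KEY_ALGS.get(alg, hex(alg)), "blob_len": keylen}


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER: element runs past the end of the data")
    return tag, pos, pos + length


def parse_spc(data):
    """Walk ContentInfo -> [0] SignedData and count the certificates it carries."""
    tag, pos, end = read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("SPC: not a single DER SEQUENCE")
    tag, s, pos = read_tlv(data, pos)
    if tag != 0x06 or data[s:pos] != OID_SIGNED_DATA:
        raise ValueError("SPC: content type is not PKCS#7 signedData")
    tag, pos, _ = read_tlv(data, pos)        # [0] EXPLICIT wrapper around SignedData
    if tag != 0xA0:
        raise ValueError("SPC: signedData content missing")
    _, pos, _ = read_tlv(data, pos)          # SignedData SEQUENCE
    _, s, pos = read_tlv(data, pos)          # version INTEGER
    version = int.from_bytes(data[s:pos], "big")
    _, _, pos = read_tlv(data, pos)          # skip digestAlgorithms SET
    _, _, pos = read_tlv(data, pos)          # skip encapContentInfo SEQUENCE
    certs = 0
    tag, s, e = read_tlv(data, pos)
    if tag == 0xA0:                          # certificates [0] IMPLICIT: one SEQUENCE per certificate
        while s < e:
            t, _, s = read_tlv(data, s)
            certs += (t == 0x30)
    return {"version": version, "certificates": certs}


def der(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# Constructed sample PVK: encrypted flag set, 16-byte salt, RSA key-exchange blob whose
# body is a zero-filled stand-in for the (encrypted) key material.
SAMPLE_PVK = (PVK_HEADER.pack(PVK_MAGIC, 0, 1, 1, 16, 8 + 120) + b"\x11" * 16
              + BLOB_HEADER.pack(0x07, 0x02, 0, 0x0000A400) + b"\x00" * 120)

# Constructed sample SPC: SignedData v1, two stand-in "certificates", no signers.
FAKE_CERT = der(0x30, b"\x00" * 200)
SAMPLE_SPC = der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, der(0x30,
    der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, OID_DATA))
    + der(0xA0, FAKE_CERT + FAKE_CERT) + der(0x31, b""))))

if __name__ == "__main__":
    if len(sys.argv) == 3:                   # e.g. \certs\mycert.pvk \certs\mycert.spc
        pvk = parse_pvk(open(sys.argv[1], "rb").read())
        spc = parse_spc(open(sys.argv[2], "rb").read())
    else:                                    # no paths: exercise the constructed samples
        pvk, spc = parse_pvk(SAMPLE_PVK), parse_spc(SAMPLE_SPC)
    print("PVK:", pvk)
    print("SPC:", spc)
    if not pvk["encrypted"]:
        print("warning: private key blob is NOT encrypted (was -pvk-strong used?)")
```

Run it with the two file paths, or with no arguments to exercise the constructed samples. Two caveats the header cannot resolve for you: the PVK format records only whether the blob is encrypted, not whether the strong (128-bit) or weak (40-bit) RC4 key derivation was used, and the .pem written by the first openssl command with -nodes is the same private key with no passphrase at all, which is the main reason the files created here need careful handling as well as a backup.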

Signing JAR files

Follow these instructions to find the alias you have been given: it is the text before the first comma, which is followed by a date. It can be either a friendly name or a {GUID}. Make a note of the alias.

keytool -list -storetype pkcs12 -keystore \certs\mycert.jar.pfx

You can then sign JAR files like this:

jarsigner -storetype pkcs12 -keystore \certs\mycert.jar.pfx myfile.jar "myalias"
jarsigner.exe -verify -certs myfile.jar

Signing EXE files

Sign EXE files like this, replacing the Description and the website with something appropriate:

signcode -spc \certs\mycert.spc -v \certs\mycert.pvk -n "Description" -i "http://www.example.com/" -t http://timestamp.verisign.com/scripts/timstamp.dll myfile.exe