Sign a launch4j executable in ant with sign4j and jsign

PhoneixS picture PhoneixS · Mar 11, 2014 · Viewed 7.4k times · Source

I have an application in a Jar and I wrap it in a exe with launch4j so is easy for the user to launch it (in windows). I have a certificate, so I sign the jar (I don't know if this is really necessary because it will be wrapped inside the exe) and I want to sign the exe but it corrupt the executable.

I use ant to make all the process and look like:

<signjar jar="${jar.location}" alias="${key.alias}" storetype="pkcs12" keystore="${key.file}" storepass="${key.password}" tsaurl="https://timestamp.geotrust.com/tsa" />

<launch4j configFile="launch4j_configuration.xml" fileversion="${version}.0" txtfileversion="${build}" productversion="${version}.0" txtproductversion="${build}" outfile="${exe.location}" jar="${jar.location}" />

<signexe file="${exe.location}" alias="${key.alias}" storetype="pkcs12" keystore="${key.file}" storepass="${key.password}" tsaurl="http://timestamp.verisign.com/scripts/timstamp.dll" />

I have found that is because when you sign the exe it broke the jar structure or something like this. But what I have also seen is that inside the launch4j folder is a sign4j folder that contains what I think is a program that solve this problem.

My problem now is how is used this program? And how can I integrate it in the ant script to sign the exe?

The README.txt file in the folder doesn't helped to me. Sorry if this so obvious but isn't clear for me. Also note that I'm using Ubuntu.

Answer

PhoneixS picture PhoneixS · Mar 12, 2014

What I have found is that you must execute the sign4j command with the signing command as its argument. Something like:

sign4j jsign -s keyfile.p12 -a "(codesign_1091_es_sw_kpsc)" --storepass AVERYGOODPASSWORD --storetype pkcs12 -n MyProgram -u https://www.example.com MyProgram.exe

So, to integrate it into ant, you need to create an exec task. For example, something like:

<exec executable="sign4j">
  <arg line="java -jar jsign-1.2.jar -s ${key.file} -a ${key.alias} --storepass ${key.password} --storetype pkcs12 ${exe.location}"/>
</exec>

It works also with other signing tools like for example authenticode from Microsoft, too ...

<exec executable="launch4j/sign4j/sign4j.exe">
    <arg line="signtool.exe sign /fd SHA256 /f mycert.pfx /p foobar /t http://timestamp.verisign.com/scripts/timstamp.dll dist\myapp.exe"/>
</exec>