Signing a jar file with trusted certificate for JWS deployment

java certificate java-web-start code-signing
NicoV picture NicoV · Oct 18, 2013 · Viewed 26.2k times · Source

I've developed an open source program, WPCleaner, which is distributed through Java Web Start. Current version is available at http://site4145.mutu.sivit.org/WikiCleaner/WikiCleaner.jnlp

With the recent updates in Java, it becomes more and more difficult to deploy Java applications through Java Web Start when you need the application to have a few permissions (writing in the preferences, accessing other web sites, ...)

My application was self-signed, which was ok before but new updates require users to accept the application every time they run it, not just once and for all if they wish. So, I decided to use a trusted certificate for signing my application.

I got one from Certum (apparently, they're free for open source developers), following this discussion: Code signing certificate for open-source projects?

I've generated a new jar file, signed with this certificate (jar file available at http://site4145.mutu.sivit.org/WikiCleaner/WikipediaCleanerTest.jar), but I still have problems: when I start the application through JWS, Java still displays a warning windows not letting me trust the application once and for all. Editor is still displayed as UNKNOWN, but when I look in the details of the message, it's my new certificate from Centrum that's being used.

Does anyone have an idea on what I'm doing wrong ? I thought that having a certificate from a trusted CA (Centrum seems to be in Java cacerts) would allow users to accept the certificate once and for all.

Thanks

PS: When I run jarsigner -verify, I get the following warning "This jar contains entries whose certificate chain is not validated."

Answer

Eric David picture Eric David · Oct 28, 2013

[Update 2017] Open Source code signing from Certum now uses a cryptographic flash card as a Private Key and must be plugged-in for certificate activation & installation, as well as for code signature. The key costs 125$ (+ shipping fee) and the 1-year certificate alone costs 40$. You can ask for a discount.

Here are the following steps to sign your jar file from scratch.

Instructions

Instructions in English are hard to find and not up to date. The following procedure is based on these 2 documents:

Create, activate and install your certificate:

  1. Go on the "Certum Certification" website in the "OpenSource Code Signing" section and order your certificate.
  2. Once the cryptographic flash card is received (it took 15 days for me), plug it, install the driver and the proCertum CardManager software from the card.
  3. Go to your Certum account and follow the activation process of your newly ordered certificate.

Tip: The CryptoAgent Java Web Start application runs only with a JDK (not JRE) < 9 (so, JDK 7 or 8).

  1. You'll receive a mail asking for some official documents (ID card, rent bill, etc.) and an e-mail verification procedure.
  2. Send the activation required documents and information. You'll receive another mail asking for installing the certificate (the verification was done within 1 hour).
  3. Install the certificate on the cryptographic card following the procedure Storing the Certificate on the card (see the instructions in English, part 4)

Obtain the file "bundle.pem"

This file is mandatory for obtaining a valid certificate chain when signing your application (see the part 7.1.2 in the instructions in Polish).

Basically, it consists of concatenating in a plain text format file 1) your certificate and 2) the Certum Code Signing CA SHA2 public key.

  1. Open proCertum CardManager >> Read Card >> tab Common >> Select your certificate and click "Show details"
  2. Export your certificate: x509 - base-64
  3. Download the Certum Code Signing CA SHA2 in PEM format (from the list of root certificates of Certum).
  4. Create the text file "bundle.pem" by concatenating these 2 certificates (first your certificate and second the Certum certificate).

Sign your jar file with Jarsigner

  1. Create the "provider.cfg" file as explained in the point 7.2 of the instructions in English.
  2. You need the alias of your certificate (and not the owner name) to sign your jar. To obtain it execute the following command:
keytool -list -v -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg "provider.cfg" -storepass "[your_pin]"
  1. Once you got the alias, the provider.cfg and bundle.pem files ready, just sign your jar with the following command:
jarsigner -keystore NONE -certchain "bundle.pem" -tsa "http://time.certum.pl" -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg "provider.cfg" -storepass "[your_pin]" "[your_code].jar" "[your_alias]"

Personally, I use an Ant script to sign my application jar files. See signjar task from ANT project.

Related questions

How to make a machine trust a self-signed Java application

I'm deploying an application using JAWS, and it worked until late 2013 when I got a warning, and then this morning Java completely blocked it. The message in French is: Application bloquée par les paramètres de sécurité Vos …

Read More
Java jnlp application blocked by Security settings

I have an enterprise java application that has plenty of jars that are downloaded to the client's jvm cache by a jnlp file. When I start the application I get the following stack trace on Java Console: Exception in thread "…

Read More
How to import a .cer certificate into a java keystore?

During the development of a Java webservice client I ran into a problem. Authentication for the webservice is using a client certificate, a username and a password. The client certificate I received from the company behind the webservice is in .…

Read More