Code signing process changed

Hi All

We got the news that the process for renewing the code certificate has changed (at least when having a certificate from Global Sign). In short, we do not get mailed a .pfx file anymore, but a physical USB stick containing software to get a USB token (whatever that is). But it does not seem to be possible to create a .pfx file and therefore no keystore file. And this is a prerequisite to use the Code Signer developed by Patrick Talbot, and it breaks the currently used workflow. The process with the USB token using the Java Development Kit (suggested) does not allow signing multiple .jar files at once, but only one by one. At least this is our current knowledge as far as we understand it.

Here are two links to this subject (one in German):
https://magazin.sslmarket.de/inpage/cod … -geregelt/
https://casecurity.org/wp-content/uploa … igning.pdf

As we are afraid that the Servoy applications will stop working after the expiration date of the certificate, we would be very happy to hear about your experience and help on how to solve that problem as we are quite in a hurry (certificate expiring soon).

Thanks and best regards,

I would call Global Sign and ask them how to create a Java keystore from whatever they shipped.

As a side note: you could consider using our bootstrapper (see https://wiki.servoy.com/pages/viewpage. … d=23856169). With that, the whole code signing process should be obsolete.

Hi Patrick,

I’ve been working with bootstrap.jar for a long time and start my smart-client application with this tool. So far I have signed my jar files anyway. Is it really not necessary with this procedure? If I change the date on my client to after the expiration date of my certificate, I get a certificate error. But this is perhaps not the correct way to check this?

Where can I download the latest version of bootstrap.jar?

With bootstrap Java Web Start only needs to validate the bootstrap.jar and that is signed by Servoy. All the other libraries are then loaded by bootstrap itself (which is the whole point about the bootstrapper). There is no need to download a latest version, as far as I know it ships with Servoy these days.

Thanks a lot Patrick for your suggestions. I will try on Monday with a certificate from Comodo, which seems to offer the current route in some way.

Later on I will try the bootstrap way (when I have a bit more time).

Regards,
Robert

Hi Robert,

I worked with Global Sign before and moved to Comodo last year.
The process was smoother than with Global Sign.

Thanks Marcel. I ordered a Comodo certificate and it works - getting a .p12 file and being able to further use Patrick Talbot's Code Signer.

Regards,
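
Added example, not part of any post in this thread and not Servoy's or any CA's own procedure: jarsigner takes one JAR per invocation, so a small wrapper can loop over a directory while the private key stays on the PKCS#11 token. The names `JARSIGNER`, `TSA_URL`, `TOKEN_PIN`, the key alias and the config path are assumptions; the config file is the usual SunPKCS11 one with `name` and `library` entries pointing at the token vendor's PKCS#11 library.

```shell
#!/bin/sh
# Added example: batch-sign JARs with a key that stays on a PKCS#11 USB token.
# JARSIGNER, TSA_URL, TOKEN_PIN, the alias and the config path are assumptions.

# sign_one JAR ALIAS PKCS11_CFG
sign_one() {
    _jar=$1; _alias=$2; _cfg=$3
    # JDK 8 form; JDK 9+ also accepts "-addprovider SunPKCS11".
    set -- -keystore NONE -storetype PKCS11 \
           -providerClass sun.security.pkcs11.SunPKCS11 -providerArg "$_cfg" \
           -storepass:env TOKEN_PIN    # PIN read from the environment, not argv
    # Optional RFC 3161 timestamp, so the signature records when it was made.
    if [ -n "${TSA_URL:-}" ]; then set -- "$@" -tsa "$TSA_URL"; fi
    "${JARSIGNER:-jarsigner}" "$@" "$_jar" "$_alias"
}

# verify_one JAR: succeeds only if jarsigner reports a valid signature
# (matches the English "jar verified." message).
verify_one() {
    "${JARSIGNER:-jarsigner}" -verify "$1" | grep -q "jar verified"
}

# sign_jars DIR ALIAS PKCS11_CFG: sign and verify every *.jar in DIR.
# Returns the number of JARs that failed (0 = all signed and verified).
sign_jars() {
    failed=0
    for j in "$1"/*.jar; do
        [ -e "$j" ] || continue     # directory without JARs
        if sign_one "$j" "$2" "$3" && verify_one "$j"; then
            echo "signed: $j"
        else
            echo "FAILED: $j" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage (constructed values): TOKEN_PIN=... sign_jars ./lib mycert ./token.cfg
```

Exporting the PIN in `TOKEN_PIN` and using `-storepass:env` keeps it out of the process list, which matters on shared build hosts.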