code signing

Questions and answers for all installation-related topics for Servoy products


Post by jos@devoon.nl » Mon Nov 11, 2013 4:14 pm

Because in Java 7 all code must be properly signed with a valid certificate, we followed these steps:

https://wiki.servoy.com/display/tutoria ... ertificate
https://wiki.servoy.com/display/tutoria ... +Authority
https://wiki.servoy.com/display/tutorials/JAR+signing

We got a free (test) certificate from the http://www.instantssl.com website and successfully got our crt file back, valid for 90 days. We imported the crt file into our ks file successfully (including the 'parents'). Then we used the ks file to sign all the jars in the application folder. We cleared the Java cache and restarted the Servoy application server. When starting a smartclient, this message comes up:
sun.security.validator.ValidatorException: Extended key usage does not permit use for code signing
at sun.security.validator.EndEntityChecker.checkCodeSigning(Unknown Source)
at sun.security.validator.EndEntityChecker.check(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareResources(Unknown Source)
at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

Are we doing something wrong?
Jos Uitenbogaard
Devoon
jos@devoon.nl
 
Posts: 60
Joined: Tue Oct 25, 2011 11:59 am
Location: Reeuwijk NL

Re: code signing

Post by patrick » Mon Nov 11, 2013 6:43 pm

Sounds like the certificate is not a code signing certificate, but "just" an SSL certificate. You need a code signing certificate.
Patrick Ruhsert
Servoy DACH
patrick
 
Posts: 3703
Joined: Wed Jun 11, 2003 10:33 am
Location: Munich, Germany
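
A pre-signing check for the mismatch diagnosed above, as an added example (not code from this thread or from the Servoy documentation): it lists every private-key entry in a keystore and reports whether its certificate may be used for code signing. The class name and the acceptance rule (an absent extended key usage extension or anyExtendedKeyUsage is accepted, following RFC 5280) are assumptions of this example.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

// Added example. A constructed test keystore can be made with, for instance:
//   keytool -genkeypair -alias ssl -keyalg RSA -dname CN=test -ext EKU=serverAuth -keystore test.ks
public class CodeSigningEkuCheck {
    static final String EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3";
    static final String EKU_SERVER_AUTH  = "1.3.6.1.5.5.7.3.1";
    static final String EKU_ANY          = "2.5.29.37.0";

    /** Returns null if the certificate is usable for code signing, else the reason it is not. */
    static String codeSigningProblem(X509Certificate cert) throws Exception {
        boolean[] ku = cert.getKeyUsage();              // null when the extension is absent
        if (ku != null && !ku[0]) {                     // bit 0 = digitalSignature
            return "KeyUsage lacks digitalSignature";
        }
        List<String> eku = cert.getExtendedKeyUsage();  // null when the extension is absent
        if (eku == null || eku.contains(EKU_CODE_SIGNING) || eku.contains(EKU_ANY)) {
            return null;
        }
        return eku.contains(EKU_SERVER_AUTH)
            ? "SSL/TLS server certificate (EKU " + eku + "), not a code signing certificate"
            : "EKU " + eku + " does not include code signing";
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage (interactive terminal): java CodeSigningEkuCheck <keystore>");
            System.exit(2);
        }
        char[] password = console.readPassword("Keystore password: ");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        boolean ok = true;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            // Only private-key entries sign jars; imported CA ("parent") certificates are skipped.
            if (!ks.isKeyEntry(alias) || !(c instanceof X509Certificate)) continue;
            String problem = codeSigningProblem((X509Certificate) c);
            System.out.println(alias + ": " + (problem == null ? "OK for code signing" : problem));
            ok &= (problem == null);
        }
        System.exit(ok ? 0 : 1);
    }
}
```

A non-zero exit status means at least one signing key would be rejected, so the check can gate a build step before the jars are signed.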

Re: code signing

Post by jos@devoon.nl » Tue Nov 12, 2013 9:08 am

Sounds like the certificate is not a code signing certificate, but "just" an SSL certificate. You need a code signing certificate.


So the Servoy documentation on this is wrong?

See: https://wiki.servoy.com/display/tutorials/JAR+signing
Jos Uitenbogaard
Devoon

Re: code signing

Post by ROCLASI » Tue Nov 12, 2013 12:40 pm

Hi Jos,

I guess you are referring to the page linked in that page (https://wiki.servoy.com/display/tutoria ... +Authority).
And indeed that talks about an SSL certificate. That page is correct when you want to use an SSL connection on your Servoy server but not for when you want to re-sign your jars. At least the reference to an SSL certificate is wrong in this context.
Robert Ivens
SAN Developer / Servoy Valued Professional / Servoy Certified Developer

ROCLASI Software Solutions / JBS Group, Partner
Mastodon: @roclasi
--
ServoyForge - Building Open Source Software.
PostgreSQL - The world's most advanced open source database.
ROCLASI
Servoy Expert
 
Posts: 5438
Joined: Thu Oct 02, 2003 9:49 am
Location: Netherlands/Belgium

Re: code signing

Post by jos@devoon.nl » Tue Nov 12, 2013 12:55 pm

I'm indeed referring to the links on that page. Maybe someone can improve those explanations...? It is confusing for the non-Java and/or non-certificate experts :)
Since it gets mandatory to sign all the jars officially and properly in the near future...
Thanks!
Jos Uitenbogaard
Devoon

Re: code signing

Post by jos@devoon.nl » Wed Dec 04, 2013 10:07 am

We did indeed purchase a code signing certificate from Thawte (it took them 1.5 weeks to check us out (-: instead of the mentioned 2 or 3 working days), but the process itself is not very difficult. In the end you can pick up a bunch of code lines that have to be copy-pasted into a file that can be imported into the original .ks file. Basically I followed all the steps again in the above explanations. Now our software is properly signed with one trusted signature (don't forget the codebase flag: -Dcodebase=* in the actual signtester command. The * means it can be anything...).
Except for the yellow box about the Permissions attribute in the jnlp file, but I understood this is going to disappear by itself when the next update (Servoy? Java?) is released.
Jos Uitenbogaard
Devoon