Instructions to auth keystore with code signing cert needed

Posted: Tue Dec 03, 2013 1:13 am
by SteveInLA
The instructions on the Servoy wiki for authorizing a self-signed keystore with an SSL certificate are very clear, but the resulting authorized keystore no longer works for signing jar files. I have done quite a bit of searching but haven't found any clear instructions for adding the data from a code signing certificate to an existing keystore. Can someone either post instructions or post a link to relevant web sites?
Thanks,
Steve in L.A.

Re: Instructions to auth keystore with code signing cert ne

Posted: Tue Dec 03, 2013 7:53 am
by SteveInLA
I should mention that I purchased a code signing certificate from Comodo 6 months ago. The purchase process was very different from purchasing an SSL certificate in that I don't think it asked me for a CSR. If I remember correctly, it installed a certificate directly into Internet Explorer and I used Internet Options to export a file that could then be used with Java's jarsigner to sign a jar. I looked into VeriSign (Symantec) and found that they have a Java-specific code signing certificate and they do ask for a CSR when purchasing, but these cost $499 for 1 year vs. $179 for Comodo's. Am I stuck now having to purchase a different code signing certificate? It doesn't seem clear how to use my current certificate with the signtester tool.

Steve in L.A.

Re: Instructions to auth keystore with code signing cert ne

Posted: Tue Dec 03, 2013 11:36 am
by mboegem
Hi Steve,

Kind of the same discussion was going on here: viewtopic.php?f=11&t=19996

Basically everything that's written applies to code signing as well.
The only thing that's different (and confusing to a lot of people) is everywhere 'SSL certificate' is mentioned, you should read 'Code signing certificate'

If you have an account with Comodo, you probably can request a new certificate for the remainder of the period.
In that case you should be able to use a CSR to generate this certificate.

If you don't want to use Comodo anymore, have a look at GlobalSign or Thawte.
GlobalSign has a nice tutorial on this which shouldn't be much different for any other authority: https://support.globalsign.com/customer ... es/1352403

Hope this helps

Re: Instructions to auth keystore with code signing cert ne

Posted: Tue Dec 03, 2013 9:46 pm
by SteveInLA
I suspect that my problems stem from Comodo's code signing certificate. I spoke to Comodo's tech support and explained that I needed to be able to import the code signing certificate into a keystore and was told that all I needed to do was export a copy of the certificate that was installed by them in my browser and use keytool -import to import it. After many hours of trial and error, I finally was able to import the certificate, or so I thought. Once the certificate was imported into the keystore, I used it with the signtester tool, but when the tool finished signing the jars and I launch a solution, I get the Java warning indicating that the jars are signed with an unknown publisher and looking at the certificate details, none of the code signing certificate details are present. If I try to use the signtester with the code certificate directly either with or without the private key, I get this:
Code:
Verifiying dir: .\beans

Unsigning: chart.jar
C:\Servoy 7.3.x\application_server\.\beans\chart.jar unsigned (renamed)
C:\Servoy 7.3.x\application_server\.\beans\chart.jar repacked
java.lang.RuntimeException: exit not allowed, status = 1
        at com.servoy.jarsigner.SignerTest$1.checkExit(SignerTest.java:100)
        at java.lang.Runtime.exit(Unknown Source)
        at java.lang.System.exit(Unknown Source)
        at sun.security.tools.JarSigner.run(Unknown Source)
        at com.servoy.jarsigner.SignerTest.dir(SignerTest.java:238)
        at com.servoy.jarsigner.SignerTest.main(SignerTest.java:128)
C:\Servoy 7.3.x\application_server\.\beans\chart.jar repacked
java.lang.RuntimeException: exit not allowed, status = 1
        at com.servoy.jarsigner.SignerTest$1.checkExit(SignerTest.java:100)
        at java.lang.Runtime.exit(Unknown Source)
        at java.lang.System.exit(Unknown Source)
        at sun.security.tools.JarSigner.run(Unknown Source)
        at com.servoy.jarsigner.SignerTest.dir(SignerTest.java:238)
        at com.servoy.jarsigner.SignerTest.main(SignerTest.java:128)
Exception in thread "main" java.lang.RuntimeException: exit not allowed, status = 1
        at com.servoy.jarsigner.SignerTest$1.checkExit(SignerTest.java:100)
        at java.lang.Runtime.exit(Unknown Source)
        at java.lang.System.exit(Unknown Source)
        at sun.security.tools.JarSigner.run(Unknown Source)
        at com.servoy.jarsigner.SignerTest.dir(SignerTest.java:260)
        at com.servoy.jarsigner.SignerTest.main(SignerTest.java:128)


I think my next step is to buy a code signing certificate from another company. This is not the first problem I have had with Comodo certificates.

Steve in L.A.

Re: Instructions to auth keystore with code signing cert ne

Posted: Tue Dec 03, 2013 11:24 pm
by keenkenny
Steve,

I went through this process a couple months ago and encountered the "exit not allowed, status = 1" problem you're describing. Are you sure Servoy Developer or Server are not running while using the signtester.jar? If I'm recalling right, I found I had something running while using the signtester.jar which produced this error.

Regards,

Ken

Re: Instructions to auth keystore with code signing cert ne

Posted: Tue Dec 03, 2013 11:30 pm
by Harjo
With a code signing certificate you don't have to re-import the certificate into a keystore.

What we did with GlobalSign (and I believe it's the same with Comodo): you install the certificate (in our case) into Firefox.
Also make sure that you install the intermediate and the root certificate of the issuer (GlobalSign or Comodo).

(This is all done when you receive your certificate from the GlobalSign or Comodo site.)

Then in Firefox, export your certificate to a PKCS12 file (give it a password),
and then: http://portecle.sourceforge.net/
to the rescue!

Install/unzip this tool and also install:
for Java 6: http://www.oracle.com/technetwork/java/ ... 29243.html
or for Java 7: http://www.oracle.com/technetwork/java/ ... 32124.html
(Unzip the content of this zip and place the files into your java/lib/security folder)

Open portecle.jar and then open your certificate in this tool (with the password you gave when you exported).
You should see three files, your certificate, the intermediate and the root.

Now you can convert/change this file to a Java keystore file (JKS) (by default it sets your certificate password to: 'password').
You can right-click on your certificate file to rename it to an easier alias, and you can right-click on your certificate to set a new password.

Now save the file to, for example: mysignedcertificate.jks.

Use that file with the signtester and you're done!
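
Added example, not part of the original post and not Servoy's or Portecle's own code: the keytool command-line equivalent of the PKCS12-to-JKS conversion described above, plus a check that the resulting alias really is a private-key entry carrying the full chain (a keystore that only received the certificate through keytool -import holds a trustedCertEntry, which cannot sign). The alias "codesign", the file names and the two sample listings are constructed placeholders; the default minimum chain length of 3 assumes own certificate, intermediate and root.

```sh
#!/bin/sh
# Added example, not from the thread. Alias "codesign", file names and the
# keytool listings below are constructed placeholders.

# Command-line equivalent of the Portecle conversion: PKCS#12 export -> JKS.
convert_p12() {   # usage: convert_p12 export.p12 mysignedcertificate.jks
    keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 \
            -destkeystore "$2" -deststoretype JKS
}

# Reads `keytool -list -v -keystore FILE` output on stdin.
# $1 = alias, $2 = minimum chain length (default 3: own cert, intermediate, root).
# Exit 0 = usable for signing, 1 = present but not usable, 2 = alias not found.
check_signing_entry() {
    awk -v want="$1" -v min="${2:-3}" '
        /^Alias name: /                              { cur = substr($0, 13) }
        cur == want && /^Entry type: /               { type = $3 }
        cur == want && /^Certificate chain length: / { len = $4 }
        END {
            if (type == "")                { print "MISSING: alias " want; exit 2 }
            if (type != "PrivateKeyEntry") { print "NOT-SIGNABLE: " type " holds no private key"; exit 1 }
            if (len + 0 < min + 0)         { print "SHORT-CHAIN: " len " of " min " certificates"; exit 1 }
            print "OK: PrivateKeyEntry, chain length " len
        }'
}

# Constructed listing: certificate alone added with `keytool -import`.
sample_cert_only() {
    printf '%s\n' 'Alias name: codesign' 'Creation date: Dec 3, 2013' \
                  'Entry type: trustedCertEntry' 'Owner: CN=Example Publisher'
}

# Constructed listing: key pair plus chain, as after converting the PKCS#12 file.
sample_converted() {
    printf '%s\n' 'Alias name: codesign' 'Creation date: Dec 3, 2013' \
                  'Entry type: PrivateKeyEntry' 'Certificate chain length: 3' \
                  'Certificate[1]:' 'Owner: CN=Example Publisher'
}

sample_cert_only | check_signing_entry codesign || true   # not usable for signing
sample_converted | check_signing_entry codesign           # usable for signing
# Real use: keytool -list -v -keystore mysignedcertificate.jks | check_signing_entry codesign
```

Running the check before signing catches a keystore without the private key or with an incomplete chain before any jar is re-signed with it.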

Re: Instructions to auth keystore with code signing cert ne

Posted: Wed Dec 04, 2013 1:50 am
by SteveInLA
I thank my lucky stars for you, Harjo! Your instructions worked almost perfectly, though the part that isn't perfect may not have to do with this procedure. Once everything is signed, launching a solution shows this warning even though I included -Dcodebase=servoytest.dakim.com when calling signtester:

[Attached image: warning.jpg]

None of the errors that used to appear in the Java console warning about the manifest missing permission are appearing now. Is the jnlp file causing this warning? I am launching from a deep link URL so the jnlp is created each time the solution is launched.

Steve in L.A.

Re: Instructions to auth keystore with code signing cert ne

Posted: Wed Dec 04, 2013 9:29 am
by Harjo
I'm happy that it worked for you also! :-)

You are almost there!
Because Servoy uses an unsecure vmarg:
[Attached image: Schermafbeelding 2013-12-04 om 08.24.20.png]

Replace this line with a space! (Because if you remove it completely, Servoy will automatically add it back again.)
Restart Servoy. Now the security dialog will change from the yellow warning icon, to a normal icon.

There is still one issue left, and that is that the yellow balloon, saying that it is missing some permissions, will stay.
Here is a discussion / explanation that it's a bug in Java: https://www.servoyforge.net/issues/745#note-23

Re: Instructions to auth keystore with code signing cert ne

Posted: Wed Dec 04, 2013 11:18 am
by mboegem
Harjo wrote: and then: http://portecle.sourceforge.net/ to the rescue!


You probably can use Keystore explorer as well: http://keystore-explorer.sourceforge.net

Re: Instructions to auth keystore with code signing cert ne

Posted: Wed Dec 11, 2013 11:04 am
by GabrielWyss
I also had a lot of problems with my SwissSign Certificate.
The procedures described above have not worked for me.

In a first step, I had to import the p12 certificate with the 'KeyStore Explorer'.
Then I exported the certificate with the option 'Export Key Pair' back.
It is interesting that the exported certificate has the same amount of bytes as the original certificate but another content!
In a next step I had imported that exported certificate with Portecle (also interesting that I could not import the original certificate here).
Then I had converted the certificate to a Keystore and renamed the alias.
With this KeyStore I was able to resign my JAR files.

Re: Instructions to auth keystore with code signing cert ne

Posted: Mon Jan 27, 2014 2:13 pm
by jos@devoon.nl
I just installed Java 7_51 on our application server. Servoy runs fine. To get rid of the jnlp warning (see above) I did what Harjo suggested. The box now also contains a checkbox to make it disappear after the first startup. But the warning is still there and saying the application will be blocked in the future...
Who is going to do something about this?