Global Sign USB Token Issue

Posted: Fri May 24, 2019 6:09 pm
by kwpsd
Our Global Sign security certificate expires this year in August, so we recently renewed it for another 3 years. Instead of sending a pfx file as in the past, Global Sign sent a USB token (memory stick plus drivers) onto which you download and install your certificate via a secure program. When you want to sign jar files, you insert the USB token into your computer and one-by-one sign jar files via command line and drivers. The USB token is for better security which we understand.

Our customer base is located throughout the USA and Canada, and when we remotely update a customer's Servoy server, we use Code Signer (remotely) to re-sign the jar files with our certificate. The problem is Code Signer requires a Java key store file (jks), but Global Sign does not allow you to extract the certificate from the USB token in order to create the jks file, thus rendering Code Signer (and the USB token) useless for remote use. The USB token files are not accessible/readable via Windows File Explorer or via PowerShell (only through the supplied drivers)...probably, encrypted.

I suppose we could sign the jar files on our computers, then upload them to our customers' servers, but that seems to be an inefficient solution. Anyone using a USB token to sign jar files? Any recommendations/suggestions how to get around this issue? How are others providing signed jar files with their own certificate Servoy jar files to remote customers?


Re: Global Sign USB Token Issue

Posted: Sat May 25, 2019 10:29 am
by mboegem
Hi Kim,

Have made the 'mistake' to go with this global sign option last year.
There's really no way to use the code signer with the USB token.
The only way to sign jar files is manually through command-line as described in their documentation (and only on one of your local machines), which is basically undoable for all jars.

An easier way would be to start using Servoy's bootstrap.jar, which requires only 1 jar file to be signed (the bootstrapper is the only file that will be checked by Java webstart, all the other files can do without code signing or even a mixture of signatures). Still have to do it manually, but at least it's only 1 file.
Using bootstrap will make your solution's initial download a bit faster as well, but your users will need to launch the solution in a slightly different way. ... d=23856169

If you don't want to go this way at all, try to return the USB token and start using a certificate through 'Sectigo' (previously Comodo).
They will deliver a certificate 'on disk', which only requires a bit of conversion to turn it into a java keystore.

Probably not the news you were waiting for on the weekend, but hope it helps to decide what's best for you.
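
An added example, not part of the post above and not Servoy or Global Sign code: if only the bootstrap jar stays signed and the rest are unsigned or carry mixed signatures, it helps to know which state each jar on a server is in. The sketch lists the signers recorded in each jar's META-INF directory (`.SF` files paired with `.RSA`/`.DSA`/`.EC` signature blocks); the jar names and signer aliases are constructed, and the function names are hypothetical.

```python
import io
import zipfile
from pathlib import PurePosixPath

SIG_BLOCK_EXTS = {".RSA", ".DSA", ".EC"}  # signature block file extensions in a signed jar

def jar_signers(jar_bytes):
    """Return sorted signer names: META-INF/*.SF base names that also have a
    signature block file. Empty list means unsigned.
    Presence check only; nothing is verified cryptographically."""
    sf, blocks = set(), set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            p = PurePosixPath(name.upper())
            if len(p.parts) != 2 or p.parts[0] != "META-INF":
                continue  # signature files live directly under META-INF/
            if p.suffix == ".SF":
                sf.add(p.stem)
            elif p.suffix in SIG_BLOCK_EXTS:
                blocks.add(p.stem)
    return sorted(sf & blocks)

def inventory(jars):
    """Map jar name -> signer list, plus a summary of the overall signing state."""
    report = {name: jar_signers(data) for name, data in jars.items()}
    signer_sets = {tuple(s) for s in report.values() if s}
    unsigned = sorted(n for n, s in report.items() if not s)
    return report, {"unsigned": unsigned, "mixed_signers": len(signer_sets) > 1}

def make_jar(entries):
    """Build a constructed in-memory jar for the demo (entry contents are dummies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in entries:
            z.writestr(name, b"dummy")
    return buf.getvalue()

# Constructed sample set: file names and signer aliases are made up.
SAMPLE = {
    "bootstrap.jar": make_jar(["META-INF/MANIFEST.MF", "META-INF/OURCERT.SF", "META-INF/OURCERT.RSA"]),
    "plugin_a.jar": make_jar(["META-INF/MANIFEST.MF", "META-INF/VENDOR.SF", "META-INF/VENDOR.RSA"]),
    "plugin_b.jar": make_jar(["META-INF/MANIFEST.MF", "B.class"]),
}

if __name__ == "__main__":
    report, summary = inventory(SAMPLE)
    for name, signers in report.items():
        print(f"{name}: {', '.join(signers) or 'UNSIGNED'}")
    print(summary)
```

To check that a signature is actually valid rather than merely present, run `jarsigner -verify` on the jar.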

Re: Global Sign USB Token Issue

Posted: Tue May 28, 2019 12:19 am
by kwpsd
Hi, Marc.

I hope you are doing well.

You are right...not the news I wanted to hear ( :D ) but have been contemplating the move to the bootstrap loader for other reasons. It looks like Global Sign is forcing my hand. Hopefully, a good thing!

Thanks for responding!