Instructions to auth keystore with code signing cert needed

Questions, answers, tips and ideas on Servoy Client

Instructions to auth keystore with code signing cert needed

Postby SteveInLA » Tue Dec 03, 2013 1:13 am

The instructions on the Servoy wiki for authorizing a self-signed keystore with an SSL certificate are very clear, but the resulting authorized keystore no longer works for signing jar files. I have done quote a bit of searching but haven't found any clear instructions for adding the data from a code signing certificate to an existing keystore. Can someone either post instructions or post a link to relevant web sites?
Thanks,
Steve in L.A.
SteveInLA
 
Posts: 227
Joined: Thu Jul 29, 2004 12:00 am
Location: Los Angeles, CA

Re: Instructions to auth keystore with code signing cert ne

Postby SteveInLA » Tue Dec 03, 2013 7:53 am

I should mention that I purchased a code signing certificate from Comodo 6 months ago. The purchase process was very different from purchasing an SSL certificate in that I don't think it asked me for a CSR. If I remember correctly, it installed a certificate directly into Internet Explorer and I used Internet Options to export a file that could then be used with Java's jarsigner to sign a jar. I looked into VeriSign (Symantec) and found that they have a Java-specific code signing certificate and they do ask for a CSR when purchasing, but these cost $499 for 1 year vs. $179 for Comodo's. Am I stuck now having to purchase a different code signing certificate? It doesn't seem clear how to use my current certificate with the signtester tool.

Steve in L.A.
SteveInLA
 
Posts: 227
Joined: Thu Jul 29, 2004 12:00 am
Location: Los Angeles, CA

Re: Instructions to auth keystore with code signing cert ne

Postby mboegem » Tue Dec 03, 2013 11:36 am

Hi Steve,

kind of the same discussion was going on here: viewtopic.php?f=11&t=19996

Basically everything that's written applies to code signing as well.
The only thing that's different (and confusing to a lot of people) is everywhere 'SSL certificate' is mentioned, you should read 'Code signing certificate'

If you have an account with Comodo, you probably can request a new certificate for the remainder of the period.
In that case you should be able to use a CSR to generate this certificate.

If you don't want to use Comodo anymore, have a look at GlobalSign or Thawte.
GlobalSign has a nice tutorial on this which shouldn't be much different for any other authority: https://support.globalsign.com/customer ... es/1352403

Hope this helps
_____________________
Marc Boegem
Solutiative / JBS Group, Partner
• Servoy Certified Developer
• Servoy Valued Professional
• Freelance SAN Developer

Image
User avatar
mboegem
 
Posts: 1528
Joined: Sun Oct 14, 2007 1:34 pm
Location: Amsterdam

Re: Instructions to auth keystore with code signing cert ne

Postby SteveInLA » Tue Dec 03, 2013 9:46 pm

I suspect that my problems stem from Comodo's code signing certificate. I spoke to Comodo's tech support and explained that I needed to be able to import the code signing certificate into a keystore and was told that all I needed to do was export a copy of the certificate that was installed by them in my browser and user keytool -import to import it. After many hours of trial and error, I finally was able to import the certificate, or so I thought. Once the certificate was imported into the keystore, I used it with the signtester tool, but when the tool finished signing the jars and I launch a solution, I get the Java warning indicating that the jars are signed with an unknown publisher and looking at the certificate details, none of the code signing certificate details are present. If I try to use the signtester with the code certificate directly either with or without the private key, I get this:
Code: Select all
Verifiying dir: .\beans

Unsigning: chart.jar
C:\Servoy 7.3.x\application_server\.\beans\chart.jar unsigned (renamed)
C:\Servoy 7.3.x\application_server\.\beans\chart.jar repacked
java.lang.RuntimeException: exit not allowed, status = 1
        at com.servoy.jarsigner.SignerTest$1.checkExit(SignerTest.java:100)
        at java.lang.Runtime.exit(Unknown Source)
        at java.lang.System.exit(Unknown Source)
        at sun.security.tools.JarSigner.run(Unknown Source)
        at com.servoy.jarsigner.SignerTest.dir(SignerTest.java:238)
        at com.servoy.jarsigner.SignerTest.main(SignerTest.java:128)
C:\Servoy 7.3.x\application_server\.\beans\chart.jar repacked
java.lang.RuntimeException: exit not allowed, status = 1
        at com.servoy.jarsigner.SignerTest$1.checkExit(SignerTest.java:100)
        at java.lang.Runtime.exit(Unknown Source)
        at java.lang.System.exit(Unknown Source)
        at sun.security.tools.JarSigner.run(Unknown Source)
        at com.servoy.jarsigner.SignerTest.dir(SignerTest.java:238)
        at com.servoy.jarsigner.SignerTest.main(SignerTest.java:128)
Exception in thread "main" java.lang.RuntimeException: exit not allowed, status = 1
        at com.servoy.jarsigner.SignerTest$1.checkExit(SignerTest.java:100)
        at java.lang.Runtime.exit(Unknown Source)
        at java.lang.System.exit(Unknown Source)
        at sun.security.tools.JarSigner.run(Unknown Source)
        at com.servoy.jarsigner.SignerTest.dir(SignerTest.java:260)
        at com.servoy.jarsigner.SignerTest.main(SignerTest.java:128)


I think my next step is to buy a code signing certificate from another company. This is not the first problem I have had with Comodo certificates.

Steve in L.A.
SteveInLA
 
Posts: 227
Joined: Thu Jul 29, 2004 12:00 am
Location: Los Angeles, CA

Re: Instructions to auth keystore with code signing cert ne

Postby keenkenny » Tue Dec 03, 2013 11:24 pm

Steve,

I went through this process a couple months ago and encountered the "exit not allowed, status = 1" problem you're describing. Are you sure Servoy Developer or Server are not running while using the signtester.jar? If I'm recalling right, I found I had something running while using the signtester.jar which produced this error.

Regards,

Ken
Ken Keen
KeenEyes Interactive, Inc.
SAN Developer
keenkenny
 
Posts: 70
Joined: Sun Jun 01, 2003 10:31 pm
Location: Cedar City, UT

Re: Instructions to auth keystore with code signing cert ne

Postby Harjo » Tue Dec 03, 2013 11:30 pm

With a code signing certificate you don't have to re-import the certificate into a keystore.

what we did with Globalsign (and I believe it's the same Comodo) you install the certificate (in our case) into Firefox
Also make sure that you install the intermediate and the root certificate, of the issuer (GlobalSign or Comodo)

(This is all done, when you receive your certificate from the GlobalsSign or Comodo site)

than in firefox, export your certificate to a PKCS12 file. (give it a password)
and than: http://portecle.sourceforge.net/
to the rescue!

install/uzip this tool and also install:
for Java 6: http://www.oracle.com/technetwork/java/ ... 29243.html
or for Java 7: http://www.oracle.com/technetwork/java/ ... 32124.html
(Unzip the content of this zip and place the files into your java/lib/security folder)

Open portecle.jar and than open your certificate in this tool. (with the password you give, when you exported)
You should see three files, your certificate, the intermediate and the root.

Now you can convert/change this file, to a java keystore file (JKS) (it defaults set's your certificate password to: 'password')
you can rightclick on your certificate file, to rename it, to an easier alias, and you can right-click on your certificate, to set a new password

Now save the file to for example: mysignedcertificate.jks.

Use that file with the signtester and your done!
Harjo Kompagnie
Direct ICT / Servoy Hosting / ServoyCamp
Servoy Certified Developer
Servoy Valued Professional
SAN Developer
User avatar
Harjo
 
Posts: 4307
Joined: Fri Apr 25, 2003 11:42 pm
Location: DEN HAM OV, The Netherlands

Re: Instructions to auth keystore with code signing cert ne

Postby SteveInLA » Wed Dec 04, 2013 1:50 am

I thank my lucky stars for you, Harjo! Your instructions worked almost perfectly, though the part that isn't perfect may not have to do with this procedure. Once everything is signed, launching a solution shows this warning even though I included -Dcodebase=servoytest.dakim.com when calling signtester:

warning.jpg
warning.jpg (55.88 KiB) Viewed 7076 times


None of the errors that used to appear in the Java console warning about the manifest missing permission are appearing now. Is the jnlp file causing this warning? I am launching from a deep link URL so the jnlp is created each time the solution is launched.

Steve in L.A.
SteveInLA
 
Posts: 227
Joined: Thu Jul 29, 2004 12:00 am
Location: Los Angeles, CA

Re: Instructions to auth keystore with code signing cert ne

Postby Harjo » Wed Dec 04, 2013 9:29 am

I'm happy that it worked for you also! :-)

You are almost there!
Because Servoy uses an unsecure vmarg:
Schermafbeelding 2013-12-04 om 08.24.20.png
Schermafbeelding 2013-12-04 om 08.24.20.png (11.08 KiB) Viewed 7055 times


remove this line by a space! (because if you remove it completly, Servoy will add automaticly back again.
Restart Servoy. Now the security dialog will change from the yellow warning icon, to a normal icon.

There is still one issue left, and that is that the yellow balloon, saying that it is missing some permissions, will stay.
Here is a disccusion / explanation that it's a bug in Java : https://www.servoyforge.net/issues/745#note-23
Harjo Kompagnie
Direct ICT / Servoy Hosting / ServoyCamp
Servoy Certified Developer
Servoy Valued Professional
SAN Developer
User avatar
Harjo
 
Posts: 4307
Joined: Fri Apr 25, 2003 11:42 pm
Location: DEN HAM OV, The Netherlands

Re: Instructions to auth keystore with code signing cert ne

Postby mboegem » Wed Dec 04, 2013 11:18 am

Harjo wrote:and than: http://portecle.sourceforge.net/ to the rescue!


You probably can use Keystore explorer as well: http://keystore-explorer.sourceforge.net
_____________________
Marc Boegem
Solutiative / JBS Group, Partner
• Servoy Certified Developer
• Servoy Valued Professional
• Freelance SAN Developer

Image
User avatar
mboegem
 
Posts: 1528
Joined: Sun Oct 14, 2007 1:34 pm
Location: Amsterdam

Re: Instructions to auth keystore with code signing cert ne

Postby GabrielWyss » Wed Dec 11, 2013 11:04 am

I also had al lot of problems with my SwissSing Certificate.
The procedures described above have not worked for me.

In a first step, I had to import the p12 certificate with the 'KeyStore Explorer'.
Then I exported the certificate with the option 'Export Key Pair' back.
It is interesting, that the exportet certificate has the same amount of bytes as the original certificate but another content!
In a next step I had importet that exportet certificate with Protecle (also interesting, that I could not import the original certificate here).
Then I had converted the certificate to a Keystore and renamed the alias.
With this KeyStore I was able to resign my JAR files.
Gabriel Wyss
om computer - SAN Partner
http://www.omcomputer.ch
GabrielWyss
 
Posts: 83
Joined: Tue Jul 13, 2010 2:12 pm
Location: Cham, Switzerland

Re: Instructions to auth keystore with code signing cert ne

Postby jos@devoon.nl » Mon Jan 27, 2014 2:13 pm

I just insatlled java 7_51 on our application server. Servoy runs fine. To get rid of the jnlp warning see above I did what harjo suggested. The box now also contains a checkbox to make it dissapear after the first startup. But the warning is still there and saying the application will be blocked in the future...
Who is going to do something about this?
Attachments
javaWarning.PNG
javaWarning.PNG (22.32 KiB) Viewed 6455 times
Jos Uitenbogaard
Devoon
User avatar
jos@devoon.nl
 
Posts: 60
Joined: Tue Oct 25, 2011 11:59 am
Location: Reeuwijk NL


Return to Servoy Client

Who is online

Users browsing this forum: No registered users and 1 guest