Code Signing Certificates
Contents
- Code Signing Certificates
- What do I need to get a code signing certificate from CAcert?
- Basic Purposes of Code Signing
- Java (Example)
- Platforms that Accept CAcert Code Signing Certificates
- How can I use my code signing certificate? (java example)
- How do I use my code signing certificate with Microsoft Authenticode?
- Converting keystores
- Steps needed for Java developers to test a signed applet in a browser
- Linux
- Signing Mozilla XPI Packages (Firefox, Thunderbird)
- Inputs & Thoughts
What do I need to get a code signing certificate from CAcert?
Individual CAcert users
For the code signing ability, you need to be an Assurer (CPS 4.2.6). This means at least 100 assurance points and having passed the AssurerChallenge. Once that is done, you can send an email to support #at# cacert.org to request that the Code-Signing ability be activated for your account.
For more on Assurance Points, please see FAQ/AssuranceIntroduction.
For more on the AssurerChallenge, see the AssuranceHandbook2.
- How long will it take to get the certificate at CAcert? Currently a couple of days.
Organisations and Codesigning
As of March 2008, Organisations registered with CAcert can create codesigning certificates with the name of the Organisation included in the certificate.
Once the Organisation is registered, you get the ability to do codesigning. Please see the Organization Assurance Manual. For additional questions, mail support#at#cacert.org
Obtaining a Code Signing Certificate
Prerequisites: Code-Signing ability must be activated for your account.
- Log into your CAcert account
- Go to Client Certificate and click on [New]
- Check [Code Signing] and click on [Next]
- Request your certificate
- Right click on the install certificate link, choose [save as] and store your client certificate into a file
Basic Purposes of Code Signing
Code signing allows end users to authenticate you, the certificate holder who has written some code, for example Java code in a pasta.jar file.
Beware: Code Signing ≠ Security
When done properly, code signing proves the authenticity and integrity of code. However, code signing provides no guarantee of the code's safety or reliability. So, the joke is that, at least, the end user will know your name just before he/she lets you erase all their hard disk content. See Schneier on Security for a discussion.
Java (Example)
In the Java world, the Java Virtual Machine can control the whole of the user's machine, which can be a security issue. For that reason, any code downloaded from the internet gets only a limited set of abilities on your computer. If you intend to use more powerful functions on the user's computer, you have to sign the code you provide and, as a last resort, hope that the user trusts you!
Please see JavaCodeSigningTest
The CAcert root cert has to be loaded in the Java VM, not only in the web browser.
Here is a copy of the modified JRE keystore with the CAcert root and CAcert class 3 root certs: cacerts (MD5 hash: e7a2e4682d2578e4f8715909b62a8a36). The "cacerts" file can be found at java/jre/lib/security/. Please make a copy of the original file first.
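As an added example (not part of the original wiki page or of CAcert's tooling), these POSIX shell functions check a downloaded cacerts file against a published MD5 digest, keep a copy of the original, and only then replace it. The function names are hypothetical, and `md5sum` from GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example: verify a replacement "cacerts" keystore before installing it.
# Paths and the expected digest are supplied by the caller.

# md5_of FILE -> prints the lowercase hex MD5 digest of FILE
md5_of() {
    md5sum "$1" | awk '{print $1}'
}

# install_cacerts NEW TARGET EXPECTED_MD5
# Returns 0 on success, 1 on digest mismatch,
# 2 on a missing file or a failed backup/copy.
install_cacerts() {
    new=$1; target=$2; expected=$3
    [ -f "$new" ] && [ -f "$target" ] || { echo "missing file" >&2; return 2; }

    actual=$(md5_of "$new")
    # Published digests are sometimes upper case; compare in lower case.
    if [ "$actual" != "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]; then
        echo "digest mismatch: got $actual" >&2
        return 1
    fi

    # Keep the pristine original; never overwrite an earlier backup.
    if [ ! -e "$target.orig" ]; then
        cp -p "$target" "$target.orig" || return 2
    fi

    # Copy next to the target, then rename, so that a failed copy
    # never leaves a truncated keystore in place.
    cp "$new" "$target.tmp.$$" && mv "$target.tmp.$$" "$target" || return 2
}
```

MD5 is not collision-resistant, so this check guards against a corrupted download and is only as trustworthy as the channel the digest came from.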
Starting with Java 5, the jarsigner tool supports timestamping (on Ubuntu Linux, try man jarsigner for help), so you don't need to redeploy the application when the code signing certificate expires. On the other hand, you need to include the certificate of the timestamping certification authority if it is not already included in the JVM.
Please see http://mindprod.com/jgloss/signedapplets.html
Examples of signed application
Simple examples :
CAcert codesigning (it needs an updated "cacerts" file) : see tiebogos' pasta (it does not erase your disk, it helps avoid your pasta being overcooked)
Thawte freemail codesigning : see here
Any comments to guillaume (at) cacert.org, please!
Platforms that Accept CAcert Code Signing Certificates
A code signing certificate has special attributes (1) to allow it to be accepted by applications from Microsoft, Sun, Mozilla, etc. as a code signing certificate.
However, these certificates will only work if the CAcert root cert is installed and trusted by the end-user and if the end-user agrees to execute the code.
How can I use my code signing certificate? (java example)
The code signing privilege can be added to the new email certificates you will obtain from the CAcert website.
Once you are approved, the next time you request an email certificate, you will find an option to include the code signing privilege.
See Richard Dallaway web start & cacert, freemail thawte code signing, or better here: http://www.crionics.com/products/opensource/faq/signFree.htm (note: as of November 2009, the thawte freemail program, including free Java codesigning, has been discontinued.)
- list the certificates in the keystore (for a JKS keystore, use jks as the storetype and the .ks file as the keystore)
keytool -list -storetype pkcs12 -keystore keystore.p12
- sign the jar file
jarsigner -storetype pkcs12 -keystore keystore.p12 pasta.jar "guillaume frederic romagny's root ca id #2"
- sign the jar file with timestamping (make sure to keep the arguments in that order!)
jarsigner -storetype pkcs12 -keystore keystore.p12 -tsa "http://time.certum.pl/" pasta.jar "guillaume romagny's root ca id"
- verify the signed jar
jarsigner -verbose -verify -certs pasta.jar
How do I use my code signing certificate with Microsoft Authenticode?
In order to sign code using Microsoft Authenticode, you must break down the PKCS#12 file into the intermediate private key and PKCS#7 files that it contains in order to use it with applications supporting Authenticode. Since I have yet to see one that supports the PKCS#12 format, I have contributed instructions for doing so. See the Authenticode wiki page for instructions.
Authenticode prefers timestamping to avoid redeployment of applications when the certificate expires. https://digitalid.verisign.com/developer/help/mscs_faq.htm
Verisign timestamping service URL
http://timestamp.verisign.com/scripts/timstamp.dll
More info on TimeStamping
Converting keystores
Java 1.4 can read the pkcs12 format but cannot write it. The jks Java keystore is rather inconvenient (pkcs12 too, by the way). You may want to convert your keystore from jks to pkcs12, especially when generating a Thawte Freemail code signing certificate.
See Keytool IUI, based on the Bouncy Castle Crypto API
{en} Keytool IUI
{fr} KeyTool IUI
Steps needed for Java developers to test a signed applet in a browser
You need to add the CAcert root certificate (and maybe the Class 3 sub-root cert) in the JVM CA certificate store. Under Linux, you'll find the command "ControlPanel" in the JRE "bin" folder (javacpl.exe under MS Windows).
Linux
http://www.jukie.net/~bart/elfpgp/ (uses GPG keys)
http://sourceforge.net/projects/disec (uses GPG keys)
http://blogs.sun.com/roller/page/darren/Weblog/signed_solaris_10_binaries
http://www.dia.unisa.it/staff/luicat/home/publications/scn02.pdf (broken link)
http://libeccio.dia.unisa.it/wlf/ (broken link)
Signing Mozilla XPI Packages (Firefox, Thunderbird)
You can use CAcert code signing certificates to sign Mozilla XPI packages for Mozilla applications like Firefox and Thunderbird.
Mozilla applications require a value in the Organisation field for the UI to report that the item is signed. Only Organisations registered with CAcert can do codesigning with Mozilla plug-ins. Please see OrganisationAssurance.
Individual CAcert users with codesigning ability can use the instructions below but Mozilla applications will still report the item as Unsigned. See bug 372980. Fixed in Firefox 3.5.6 & Thunderbird 3.0.1pre.
http://forums.tjworld.net/viewtopic.php?t=130 Comprehensive instructions on obtaining, installing, and using a code-signing certificate on Windows for Mozilla XPI extension packages.
http://developer.mozilla.org/en/docs/Code_snippets:Signing_a_XPI Cache of the previous link as it's no longer available
http://www.mozdevgroup.com/docs/pete/Signing-an-XPI.html Basic cross-platform instructions using a self-signed certificate, by Pete Collins.
To use the CAcert certificate to sign the XPI package, you should perform the following steps:
- Install the code signing certificate in your browser.
- Extract the NSS utility binaries as outlined in Pete's instructions above.
- Identify your certificate database, which is usually in your profile directory. One way to identify your profile directory is to find all of the "key3.db" files in your home directory:
find ~ -name key3.db
- If you find multiple directories, then for each directory that contains a key3.db file, list the certs contained there to find your new code signing certificate (it may be marked with an "*" in the first column), using the command:
signtool -L -d <certificate database directory>
- Having found the correct directory, the entry may appear as:
* Joe Normal's Root CA ID
- Following the XPI signing instructions above, extract the unsigned XPI package into a directory.
- Run this signtool command (this command works as of NSS 3.11.4):
signtool -d <the key3.db dir> -k "Joe Normal's Root CA ID" -p <password> -X -Z <XPI package file name> <directory-tree>
- Your signed XPI package <XPI package file name> will be ready.
- If you want to verify the signature on your package, use the following two commands:
signtool -v <XPI package file name>
signtool -w <XPI package file name>
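The steps above can be scripted; the following is an added example, not part of the original wiki page or of NSS. It assumes NSS signtool is on the PATH, the function names are hypothetical, and passing -d to the two verification commands is an assumption (the page runs them without it).

```shell
#!/bin/sh
# Added example: locate the certificate database that holds the code signing
# certificate, sign the XPI with it, then verify the result.
# Only signtool options shown on this page are used.

# find_cert_db NICKNAME [SEARCH_ROOT]
# Prints every directory under SEARCH_ROOT (default: $HOME) that holds a
# key3.db and whose "signtool -L" listing contains NICKNAME.
find_cert_db() {
    nick=$1; root=${2:-$HOME}
    find "$root" -name key3.db 2>/dev/null | while IFS= read -r db; do
        dir=$(dirname "$db")
        # -F: treat the nickname as a literal string, not a regular expression.
        if signtool -L -d "$dir" 2>/dev/null | grep -qF -- "$nick"; then
            printf '%s\n' "$dir"
        fi
    done
}

# sign_xpi NICKNAME PASSWORD XPI_FILE TREE [SEARCH_ROOT]
# Returns 0 if signed and verified, 1 if the certificate was found in zero
# or in several databases, 2 if signing or verification failed.
# Note: -p puts the password on the command line, where other local users
# can read it from the process list while signtool runs.
sign_xpi() {
    nick=$1; pass=$2; xpi=$3; tree=$4
    dbs=$(find_cert_db "$nick" "${5:-$HOME}")
    count=$(printf '%s\n' "$dbs" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected the certificate in exactly one database, found $count" >&2
        return 1
    fi
    signtool -d "$dbs" -k "$nick" -p "$pass" -X -Z "$xpi" "$tree" || return 2
    # Verify the archive (-v), then show who signed it (-w).
    signtool -d "$dbs" -v "$xpi" && signtool -d "$dbs" -w "$xpi" || return 2
}
```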
Inputs & Thoughts
20091206-PhilippGuehring / DieterHenning by e-mail
Activate Code-Signing for Organizations
> Now that code signing has been enabled, you have to issue a new certificate and, when issuing it, make sure that you activate code signing for the certificate. I believe that, for JavaScript-capable browsers, code signing is currently hidden under "Advanced Options".
> Kind regards,
> Philipp Gühring
The procedure is as follows.
1.) As Org-Admin, I have to have a personal certificate issued *with* the code-signing property.
2.) After that, I can *also* switch on this property for Org client certificates.
I have done that, and both (new) certificates contain the necessary information.
More precisely:
1.) You really do have to request it as an individual person.
2.) Then you have to use it once, again as an individual person, in a request for a client certificate.
3.) Then, as Org-Admin, you have the option of switching it on in the dialog.
Thanks for the support and kind regards,
Dieter Hennig
or no special attributes at all (1)