JavaCodeSigningTest
Here is a comparison of Java code signing with CAcert and Thawte freemail certificates. Timestamping was provided by Certum.pl (see TimeStamping), but note that the Certum timestamping CA certificate needs to be added to the Java runtime keystore by the user. For an alternative timestamping method that does not require user involvement, see JavaTimeStamping.
We created 4 certificates and tested them on 4 copies of a jar file using java keytool.
| Certificate provider | Type of certificate | Test result | URL |
|---|---|---|---|
| CAcert | client + codesigning | OK (needs "cacerts" file updated to work flawlessly) | |
| CAcert | client | cannot verify signature | |
| Thawte | freemail | cannot verify signature | |
| Thawte | freemail + codesigning (no extensions) | OK (works seamlessly) | |
So email-only certificates do not allow proper Java code signing: you need the code signing ability in the certificate to sign Java files!
As of November 2009, the Thawte freemail program and Java code signing have been discontinued.
If needed, please contact guillaume (at) cacert.org
Here are the signed jars as of Nov 25th 2007:
pasta1.jar pasta2.jar pasta3.jar pasta4.jar
Here are the details of the tests (basic details of the certs, signature of the jars, verification of the signature of the jars):
*******************************************************************************
SIGNATURE WITH TIMESTAMPING (CERTUM.PL service)
*******************************************************************************
[gr@gr codesigning_11_2007 0/0]$ jarsigner -storetype pkcs12 -keystore gr_CAcert_CS_free.fr_19_11_2007.p12 -tsa "http://time.certum.pl/" pasta1.jar "guillaume frederic romagny's root ca id"
Enter Passphrase for keystore:
*******************************************************************************
[gr@gr codesigning_11_2007 0/0]$ jarsigner -storetype pkcs12 -keystore gr_CAcert_free.fr_19_11_2007.p12 -tsa "http://time.certum.pl/" pasta2.jar "guillaume romagny's root ca id"
Enter Passphrase for keystore:
Warning: The signer certificate's ExtendedKeyUsage extension doesn't allow code signing.
*******************************************************************************
[gr@gr codesigning_11_2007 0/0]$ jarsigner -storetype pkcs12 -keystore gr_thawte_free.fr_19_11_2007.p12 -tsa "http://time.certum.pl/" pasta3.jar "guillaume romagny's thawte consulting (pty) ltd. id"
Enter Passphrase for keystore:
Warning: The signer certificate's NetscapeCertType extension doesn't allow code signing.
*******************************************************************************
[gr@gr codesigning_11_2007 0/0]$ jarsigner -storetype pkcs12 -keystore gr_thawte_CS_19_11_2007.p12 -tsa "http://time.certum.pl/" pasta4.jar "golfromeo"
Enter Passphrase for keystore:
*******************************************************************************
TESTING SIGNATURE
*******************************************************************************
[gr@gr codesigning_11_2007 0/0]$ jarsigner -verbose -verify -certs pasta1.jar
jar verified.
*******************************************************************************
[gr@gr codesigning_11_2007 0/0]$ jarsigner -verbose -verify -certs pasta2.jar
jar verified.
Warning: This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing.
*******************************************************************************
[gr@gr codesigning_11_2007 0/0]$ jarsigner -verbose -verify -certs pasta3.jar
jar verified.
Warning: This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing.
*******************************************************************************
[gr@gr codesigning_11_2007 0/0]$ jarsigner -verbose -verify -certs pasta4.jar
jar verified.
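
A pre-flight check for the two extensions named in the jarsigner warnings above, so an unsuitable certificate is caught before a jar is signed. This is an added example, not code from the original page or from jarsigner. The class name `CodeSigningUsageCheck`, its arguments, and the choice to treat an absent extension or `anyExtendedKeyUsage` as permitting code signing are assumptions of this example.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.List;

// Added example (hypothetical class): does a signer certificate permit code signing?
public class CodeSigningUsageCheck {
    static final String EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3";        // id-kp-codeSigning
    static final String EKU_ANY = "2.5.29.37.0";                        // anyExtendedKeyUsage
    static final String NETSCAPE_CERT_TYPE = "2.16.840.1.113730.1.1";   // NetscapeCertType

    // Assumption: an absent ExtendedKeyUsage extension places no restriction.
    static boolean ekuAllowsCodeSigning(List<String> eku) {
        return eku == null || eku.contains(EKU_CODE_SIGNING) || eku.contains(EKU_ANY);
    }

    // ext is a DER OCTET STRING wrapping a BIT STRING:
    //   04 len 03 len <unused-bit count> <data byte> ...
    // Object signing is bit 3 of NetscapeCertType, mask 0x10 in the first data byte.
    static boolean netscapeAllowsCodeSigning(byte[] ext) {
        if (ext == null) return true;   // extension absent: no restriction
        if (ext.length < 6 || ext[0] != 0x04 || ext[2] != 0x03) return false; // malformed: fail closed
        return (ext[5] & 0x10) != 0;
    }

    public static void main(String[] args) throws Exception {
        Console con = System.console();
        if (args.length != 2 || con == null) {
            System.err.println("usage (interactive): CodeSigningUsageCheck <keystore.p12> <alias>");
            System.exit(2);
        }
        // Read the passphrase from the console so it never appears in the process list.
        char[] pass = con.readPassword("Enter passphrase for keystore: ");
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[1]);
        if (cert == null) {
            System.err.println("no certificate under alias " + args[1]);
            System.exit(2);
        }
        boolean eku = ekuAllowsCodeSigning(cert.getExtendedKeyUsage());
        boolean ns = netscapeAllowsCodeSigning(cert.getExtensionValue(NETSCAPE_CERT_TYPE));
        System.out.println("ExtendedKeyUsage allows code signing: " + eku);
        System.out.println("NetscapeCertType allows code signing: " + ns);
        System.exit(eku && ns ? 0 : 1);   // non-zero exit lets a build script stop before signing
    }
}
```

The check covers only the two extensions the warnings name; it does not validate the certificate chain or the KeyUsage extension.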