JavaCodeSigningTest

Here is a comparison of Java codesigning with CAcert and Thawte freemail certificates. Timestamping is provided by Certum.pl (see TimeStamping), but note that the Certum timestamping CA certificate needs to be added to the Java runtime keystore by the user. For an alternative timestamping method not requiring user involvement, see JavaTimeStamping.

We created 4 certificates and tested them on 4 copies of a jar file using Java keytool.

| Certificate provider | Type of certificate | Test result | URL |
|---|---|---|---|
| CAcert | client + codesigning | OK (needs "cacerts" file updated to work flawlessly) | http://www.tiebogos.fr/pasta |
| CAcert | client | cannot verify signature | http://www.tiebogos.fr/broken_pasta |
| Thawte | freemail | cannot verify signature | http://www.tiebogos.fr/broken_pasta_thawte |
| Thawte | freemail + codesigning (no extensions) | OK (works seamlessly) | http://www.tiebogos.fr/pasta_thawte |

So email-only certificates do not allow proper Java codesigning: you need the codesigning ability in the certificate to sign Java files!

Note: As of November 2009, the Thawte freemail program and its Java codesigning have been discontinued.

If needed, please contact guillaume (at) cacert.org

Here are the signed jars as of Nov 25th 2007:

pasta1.jar pasta2.jar pasta3.jar pasta4.jar

Here are the details of the tests (basic details of the certs, signature of the jars, verification of the signature of the jars):

*******************************************************************************

SIGNATURE WITH TIMESTAMPING (CERTUM.PL service)

*******************************************************************************
[gr@gr codesigning_11_2007 0/0]$ jarsigner -storetype pkcs12 -keystore gr_CAcert_CS_free.fr_19_11_2007.p12 -tsa "http://time.certum.pl/" pasta1.jar "guillaume frederic romagny's root ca id"
Enter Passphrase for keystore:
*******************************************************************************
[gr@gr codesigning_11_2007 0/0]$ jarsigner -storetype pkcs12 -keystore gr_CAcert_free.fr_19_11_2007.p12 -tsa "http://time.certum.pl/" pasta2.jar "guillaume romagny's root ca id"
Enter Passphrase for keystore:
Warning:
The signer certificate's ExtendedKeyUsage extension doesn't allow code signing.
*******************************************************************************
[gr@gr codesigning_11_2007 0/0]$ jarsigner -storetype pkcs12 -keystore gr_thawte_free.fr_19_11_2007.p12 -tsa "http://time.certum.pl/" pasta3.jar "guillaume romagny's thawte consulting (pty) ltd. id"
Enter Passphrase for keystore:
Warning:
The signer certificate's NetscapeCertType extension doesn't allow code signing.
*******************************************************************************
[gr@gr codesigning_11_2007 0/0]$ jarsigner -storetype pkcs12 -keystore gr_thawte_CS_19_11_2007.p12 -tsa "http://time.certum.pl/" pasta4.jar "golfromeo"
Enter Passphrase for keystore:
*******************************************************************************

TESTING SIGNATURE

*******************************************************************************
[gr@gr codesigning_11_2007 0/0]$ jarsigner -verbose -verify -certs pasta1.jar

jar verified.
*******************************************************************************
[gr@gr codesigning_11_2007 0/0]$ jarsigner -verbose -verify -certs pasta2.jar

jar verified.
Warning:
This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing.
*******************************************************************************
[gr@gr codesigning_11_2007 0/0]$ jarsigner -verbose -verify -certs pasta3.jar

jar verified.
Warning:
This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing.
*******************************************************************************
[gr@gr codesigning_11_2007 0/0]$ jarsigner -verbose -verify -certs pasta4.jar

jar verified.
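
The two warnings in the session above come from extensions in the signer certificate, so a keystore can be checked before it is used with jarsigner. The following is an added example, not part of the original tests or of jarsigner itself: the class name `CodeSigningCheck` is hypothetical, and treating an absent extension or the anyExtendedKeyUsage OID as acceptable is an assumption (consistent with the "no extensions" Thawte certificate that worked above).

```java
import java.io.Console;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

public class CodeSigningCheck {
    static final String EKU_CODE_SIGNING = "1.3.6.1.5.5.7.3.3";       // id-kp-codeSigning
    static final String EKU_ANY = "2.5.29.37.0";                      // anyExtendedKeyUsage (assumed acceptable)
    static final String NETSCAPE_CERT_TYPE = "2.16.840.1.113730.1.1"; // NetscapeCertType extension

    /** Returns why the certificate is unsuitable for code signing, or null if no restriction applies. */
    static String problem(X509Certificate cert) throws Exception {
        List<String> eku = cert.getExtendedKeyUsage(); // null when the extension is absent
        if (eku != null && !eku.contains(EKU_CODE_SIGNING) && !eku.contains(EKU_ANY)) {
            return "ExtendedKeyUsage doesn't allow code signing: " + eku;
        }
        byte[] ext = cert.getExtensionValue(NETSCAPE_CERT_TYPE); // null when absent
        // DER layout: OCTET STRING { BIT STRING { unused-bits, flags } } = 04 len 03 len unused flags
        // Object signing is bit 3 of the flags byte (mask 0x10).
        if (ext != null && ext.length >= 6 && ext[2] == 0x03 && (ext[5] & 0x10) == 0) {
            return "NetscapeCertType doesn't allow code signing";
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to a PKCS#12 keystore, as passed to jarsigner -keystore
        Console console = System.console();
        if (console == null) throw new IllegalStateException("run from an interactive terminal");
        char[] pass = console.readPassword("Enter Passphrase for keystore: ");
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass);
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue; // only entries with a private key can sign
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            String p = problem(cert);
            System.out.println(alias + ": " + (p == null ? "usable for code signing" : p));
        }
    }
}
```

Run it as `java CodeSigningCheck.java keystore.p12` (Java 11 or later) against each .p12 file before signing.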


JavaCodeSigningTest (last edited 2016-02-10 14:35:32 by AlesKastner)