MIME-Version: 1.0
Date: Tue, 18 Aug 2020 10:45:19 -0400
References: <CAMiFJb1wWQF2myhdk+Tq9C_r=Zz5rtvB8KG1AuWi3ToDamRSGA@mail.gmail.com>
In-Reply-To: <CAMiFJb1wWQF2myhdk+Tq9C_r=Zz5rtvB8KG1AuWi3ToDamRSGA@mail.gmail.com>
Message-ID: <CAMiFJb1eZYnp_HFy3XscE2JDC=f5k+Rbd3TV69SjDVfy0ns8PA@mail.gmail.com>
Subject: Fwd: summary of java cert stuff
From: Leland Pierce <lep@umich.edu>
To: Leland Pierce <lep@umich.edu>
Content-Type: text/plain; charset="UTF-8"

from 2014
-------------------------------------------------------------------------------------
Leland E. Pierce                       Assoc. Research Scientist
Radiation Lab, EECS Dept,      The University of Michigan
1301 Beal Ave, Ann Arbor, MI 48109-2122
lep@eecs.umich.edu TEL:734-763-3157 FAX:734-647-2106



---------- Forwarded message ---------
From: Leland Pierce <lep@umich.edu>
Date: Mon, Jan 27, 2014 at 9:13 AM
Subject: summary of java cert stuff
To: Leland Pierce <lep@umich.edu>


If you launch Firefox, then go to "Edit" > "Preferences" > "Advanced"
Tab > "Certificates" sub-Tab > Click "View Certificates" button

On the new window that pops up, select the "Your Certificates" Tab and
you should see a new item there, named "University of Michigan" which
is your signing cert.

To get it, you need to "export" it, which ends up in Firefox as being
"Backup...".  So select the code-signing cert, and press the "Backup
..." button.  Export it as a PKCS12 file, which will require you to
create a password for it.

After you've successfully exported it, you can then use it as a
code-signing cert.

You may need to check to make sure that you have the cert and the CA
chain.  If not, you may need to add the CA chain in.  The last time I
tried this last year, they had a problem with the tool with Firefox
and not including the CA cert.  They had claimed that they corrected
this, but probably good to verify.  Let me know if you need more info
in regards to checking a PKCS12 file for contents.

Also, if you are unfamiliar with using a code-signing cert or
timestamping capability within the Java or Ant tool chain, let me
know.

=================================================

keytool -list -keystore ../../michigan_security_certificate.p12 -storetype PKCS12
Enter keystore password:

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

university of michigan's internet2 id, Jan 22, 2014, PrivateKeyEntry,
Certificate fingerprint (MD5): 7C:22:43:1E:81:8F:28:37:F3:A0:F5:29:DC:12:CA:AA
=================================================

keytool -list -v -keystore ../../michigan_security_certificate.p12 -storetype PKCS12

jarsigner -keystore ../../michigan_security_certificate.p12 -storetype PKCS12 mod25.jar "university of michigan's internet2 id"

jar cfm mod25.jar ../../manifest_addition.txt *class *ttf

Also, I'm not sure if you timestamp or not.  I find many times Java
devs don't understand what timestamping is or why it's important.  If
you are already aware, I apologize, but if not then this may be
useful.

When a jar is signed, it is good for the duration of the signature.
Unfortunately, its only point of reference with regard to time is the
system clock.  Therefore when the system clock time falls outside of
the certificate's validity, the code also expires.  When your cert
expires, you have to renew the cert and then re-sign your entire
library of jars that you ever signed over the lifetime of the cert.
This is where timestamping makes all the difference.

Timestamping gives the code a fixed time point of reference when the
code is signed.  When the validity is checked, it is checked against
the time it was signed, which means the time of signature falls within
the certificate validity.  The signed and timestamped code is valid
forever.  It will not expire with the cert.  Therefore there's no need
to re-sign all the Java code for the expired cert; it is valid until
you need to change the code and re-sign (and therefore re-timestamp).

Typically to add a timestamp is quite easy:  it is typically just
another argument supplying the timestamp authority.  In the case of
InCommon for Java code signing, the TSA is
http://timestamp.comodoca.com/rfc3161, which is probably the most
difficult part of timestamping: locating the right TSA URL, simply
because the TSA URL for timestamping signed Microsoft code is
different than the TSA for timestamping signed Java code.

Anyway, just in case you want to cover that as well, since it is
beneficial to Java developers when learning about signed code.  It
seems to be an obscure yet important feature of signing which
usually gets overlooked.


-------------------------------------------------------------------------------------
Leland E. Pierce                       Assoc. Research Scientist
Radiation Lab, EECS Dept,      The University of Michigan
1301 Beal Ave, Ann Arbor, MI 48109-2122
lep@eecs.umich.edu TEL:734-763-3157 FAX:734-647-2106
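
Added example, not part of the original email: a shell script that checks whether the exported PKCS12 file carries the CA chain, then signs a jar with the timestamp authority named above and verifies it. The function names and the sample keytool output are constructed for illustration, and the check assumes a keystore with a single entry, as in the listing above.

```shell
TSA_URL="http://timestamp.comodoca.com/rfc3161"   # TSA URL quoted in the email

# Summarise `keytool -list -v` output (stdin) for a single-entry keystore.
chain_report() {
  awk '
    /^Certificate chain length:/ { len = $NF }
    /^Owner: /  { owner  = substr($0, 8) }   # last Owner/Issuer seen is the
    /^Issuer: / { issuer = substr($0, 9) }   # top of the exported chain
    END {
      root = (len > 0 && owner == issuer) ? "yes" : "no"   # self-signed top
      printf "length=%d root_included=%s\n", len, root
    }'
}

# Sign with an RFC 3161 timestamp, then list signer details per jar entry.
sign_and_verify() {   # args: KEYSTORE JAR ALIAS
  jarsigner -keystore "$1" -storetype PKCS12 -tsa "$TSA_URL" "$2" "$3" &&
    jarsigner -verify -verbose -certs "$2"
}

# Constructed sample (made-up names): an export that kept the CA chain.
sample_full() {
  cat <<'EOF'
Certificate chain length: 2
Certificate[1]:
Owner: CN=Example Signer, O=Example Org
Issuer: CN=Example Root CA
Certificate[2]:
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
EOF
}

# Constructed sample: an export that dropped the CA certificate.
sample_leaf_only() {
  cat <<'EOF'
Certificate chain length: 1
Certificate[1]:
Owner: CN=Example Signer, O=Example Org
Issuer: CN=Example Root CA
EOF
}

if [ "$#" -eq 3 ]; then   # live use: script.sh KEYSTORE JAR ALIAS
  keytool -list -v -keystore "$1" -storetype PKCS12 | chain_report && sign_and_verify "$@"
else
  sample_full | chain_report; sample_leaf_only | chain_report
fi
```

A result of `length=1 root_included=no` is the case the email warns about, where the export left out the CA certificate and the chain has to be added before signing.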
