Signing a jar file with trusted certificate for JWS deployment

Question

I've developed an open source program, WPCleaner, which is distributed through Java Web Start. Current version is available at http://site4145.mutu.sivit.org/WikiCleaner/WikiCleaner.jnlp

With the recent updates in Java, it becomes more and more difficult to deploy Java applications through Java Web Start when you need the application to have a few permissions (writing in the preferences, accessing other web sites, ...)

My application was self-signed, which was ok before but new updates require users to accept the application every time they run it, not just once and for all if they wish. So, I decided to use a trusted certificate for signing my application.

I got one from Certum (apparently, they're free for open source developers), following this discussion: Code signing certificate for open-source projects?

I've generated a new jar file, signed with this certificate (jar file available at http://site4145.mutu.sivit.org/WikiCleaner/WikipediaCleanerTest.jar), but I still have problems: when I start the application through JWS, Java still displays a warning windows not letting me trust the application once and for all. Editor is still displayed as UNKNOWN, but when I look in the details of the message, it's my new certificate from Centrum that's being used.

Does anyone have an idea on what I'm doing wrong ? I thought that having a certificate from a trusted CA (Centrum seems to be in Java cacerts) would allow users to accept the certificate once and for all.

Thanks

PS: When I run jarsigner -verify, I get the following warning "This jar contains entries whose certificate chain is not validated."

Answer 1

I think I finally managed to do it following this procedure:

• Installed the certificate provided by Certum in Chrome through their web site interface
• Exported the private key as a .pfx from Chrome (Settings, Manage certificates, Export, Export the private key, PKCS#12, ...)
• Used KeyTool GUI (java fronted GUI for keytools) to create a complete p12: imported Certum root certificate as a trusted certificate, imported intermediate certificates as trusted certificates, imported my .pfx as a key pair
• Signed the jar with this p12

Seems to work for me, I'm waiting for other users feedback to be sure that it works for them also.

Edit: I tried again to export the certificate from Chrome, and I saw that there's an option to include the certificate chain in the export. When doing this, I don't even need to use the KeyTool GUI afterwards. I've redeployed the test version signed with this new p12 :

• Installed the certificate provided by Certum in Chrome through their web site interface
• Exported the private key as a .pfx from Chrome (Settings, Manage certificates, Export, Export the private key, PKCS#12 + include certificate chain, ...)
• Signed the jar with this p12

Answer 2

[Update 2017] Open Source code signing from Certum now uses a cryptographic flash card as a Private Key and must be plugged-in for certificate activation & installation, as well as for code signature. The key costs 125$ (+ shipping fee) and the 1-year certificate alone costs 40$. You can ask for a discount.

---

Here are the following steps to sign your jar file from scratch.

Instructions

Instructions in English are hard to find and not up to date. The following procedure is based on these 2 documents:

• Partial Instructions for Installation and Activation (English) - The part about file "bundle.pem" is missing.
• Complete Instructions for Installation and Activation (Polish)

Create, activate and install your certificate:

1. Go on the "Certum Certification" website in the "OpenSource Code Signing" section and order your certificate.
2. Once the cryptographic flash card is received (it took 15 days for me), plug it, install the driver and the proCertum CardManager software from the card.
3. Go to your Certum account and follow the activation process of your newly ordered certificate.

Tip: The CryptoAgent Java Web Start application runs only with a JDK (not JRE) < 9 (so, JDK 7 or 8).

4. You'll receive a mail asking for some official documents (ID card, rent bill, etc.) and an e-mail verification procedure.
5. Send the activation required documents and information. You'll receive another mail asking for installing the certificate (the verification was done within 1 hour).
6. Install the certificate on the cryptographic card following the procedure Storing the Certificate on the card (see the instructions in English, part 4)

Obtain the file "bundle.pem"

This file is mandatory for obtaining a valid certificate chain when signing your application (see the part 7.1.2 in the instructions in Polish).

Basically, it consists of concatenating in a plain text format file 1) your certificate and 2) the Certum Code Signing CA SHA2 public key.

1. Open proCertum CardManager >> Read Card >> tab Common >> Select your certificate and click "Show details"
2. Export your certificate: x509 - base-64
3. Download the Certum Code Signing CA SHA2 in PEM format (from the list of root certificates of Certum).
4. Create the text file "bundle.pem" by concatenating these 2 certificates (first your certificate and second the Certum certificate).

Sign your jar file with Jarsigner

1. Create the "provider.cfg" file as explained in the point 7.2 of the instructions in English.
2. You need the alias of your certificate (and not the owner name) to sign your jar. To obtain it execute the following command:

keytool -list -v -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg "provider.cfg" -storepass "[your_pin]"

3. Once you got the alias, the provider.cfg and bundle.pem files ready, just sign your jar with the following command:

jarsigner -keystore NONE -certchain "bundle.pem" -tsa "http://time.certum.pl" -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg "provider.cfg" -storepass "[your_pin]" "[your_code].jar" "[your_alias]"

Personally, I use an Ant script to sign my application jar files. See signjar task from ANT project.

Answer 3

I'm waiting for other users feedback to be sure that it works for them also.

Based on JaNeLA for the file - valid JNLP. Most importantly known publisher for WikiCleanerTest..

So there is one result of 'seems to work here for identifying the publisher'. Great work and thanks for description of the process.

Works so much better than the one I looked at before. :P

---

Jarsigner -verify

s     292828 Sun Oct 20 17:57:58 EST 2013 META-INF/MANIFEST.MF
      292645 Sun Oct 20 17:57:58 EST 2013 META-INF/WPCLEANE.SF
        2017 Sun Oct 20 17:57:58 EST 2013 META-INF/WPCLEANE.RSA
           0 Sun Oct 20 17:57:52 EST 2013 META-INF/
           0 Wed Feb 11 15:04:50 EST 2009 META-INF/maven/
           ..
           0 Sun Oct 20 17:57:32 EST 2013 org/xnap/commons/i18n/
sm      2837 Thu Sep 09 16:00:54 EST 2004 META-INF/info.xml
..
sm       214 Wed Feb 11 00:57:02 EST 2009 org/xnap/commons/i18n/LocaleChangeListener.class

  s = signature was verified 
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

Warning: 
This jar contains entries whose certificate chain is not validated.

Re-run with the -verbose and -certs options for more details.

I understand the warning:

This jar contains entries whose certificate chain is not validated.

..can be ignored.

JaNeLA Report

JaNeLA shows one error.

JaNeLA Report - version 11.05.17

Report for http://site4145.mutu.sivit.org/WikiCleaner/WikiCleaner.jnlp

cvc-complex-type.2.4.a: Invalid content was found starting with element 'homepage'. One of '{description, icon, offline-allowed, shortcut, association, related-content}' is expected.
cvc-complex-type.2.4.a: Invalid content was found starting with element 'homepage'. One of '{description, icon, offline-allowed, shortcut, association, related-content}' is expected.

XML encoding not known, but declared as utf-8
Codebase + href 'http://site4145.mutu.sivit.org/WikiCleaner.jnlp' is not equal to actual location of 'http://site4145.mutu.sivit.org/WikiCleaner/WikiCleaner.jnlp'.
Desktop icons were subject to bug nnnn in earlier J2SE versions
Optimize this application for off-line use by adding the <offline-allowed /> flag.
'short' description is longer than 'default' description.
Downloads can be optimized by specifying a resource size for 'WikipediaCleaner.jar'.
The resource download at WikipediaCleaner.jar can be optimized by removing the (default) value of download='eager'.
Lazy downloads might not work as expected for WikipediaCleaner.jar unless the download 'part' is specified. 
Resource type png of resource commons-nuvola-web-broom.png is not one of the allowable types of gif, jpg, jpeg.
Downloads can be optimized by specifying a resource size for 'commons-nuvola-web-broom.png'.
Icon loading & use can be optimized by specifying the width and height for commons-nuvola-web-broom.png

See the JNLP validated, and a corrected version with tweak, below.

Launch

But here is the real bad news:

Here are some details of the certificate:

• Nicolas Vervelle (Nicolas Vervelle)

  • Subject: CN=Nicolas Vervelle, OU=WikipediaCleaner, O=WikipediaCleaner, L=Paris, ST=France, C=FR

Out Of Date Java

Here is a strange warning I do not understand..

The app. is requesting 1.5.0+ so any version 1.7+ should be accepted without question.
It claims to be requesting 1.6 (probably because I have no 1.5 run-time installed). The only thing I can think is triggering the warning is the inclusion of a micro-version, which is unnecessary.

JNLP

Here is the JNLP validated above:

<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.5+" codebase="http://site4145.mutu.sivit.org/WikiCleaner" href="WikiCleaner.jnlp">
  <information>
    <title>WPCleaner</title>
    <vendor>User:NicoV</vendor>
    <description>WPCleaner</description>
    <description kind="short">A tool for Wikipedia maintenance</description>
    <homepage href="http://en.wikipedia.org/wiki/WP:WPCleaner"/>
    <icon href="commons-nuvola-web-broom.png"/>
    <shortcut>
      <desktop/>
    </shortcut>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version="1.5.0+" java-vm-args="-Xmx512M"/>
    <jar href="WikipediaCleaner.jar" download="eager" main="true"/>
  </resources>
  <application-desc main-class="org.wikipediacleaner.WikipediaCleaner"/>
</jnlp>

Here is a suggested replacement. It is valid according to JaNeLA (bar warnings that we can ignore). It also includes another tweak to the minimum version attribute.

<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.5+" codebase="http://site4145.mutu.sivit.org/WikiCleaner" href="WikiCleaner.jnlp">
  <information>
    <title>WPCleaner</title>
    <vendor>User:NicoV</vendor>
    <!-- Should be here.. -->
    <homepage href="http://en.wikipedia.org/wiki/WP:WPCleaner"/>
    <description>WPCleaner</description>
    <description kind="short">A tool for Wikipedia maintenance</description>
    <icon href="commons-nuvola-web-broom.png"/>
    <shortcut>
      <desktop/>
    </shortcut>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <!-- the micro-version request might be triggering the 
    Out-Of-Date Java version warning -->
    <j2se version="1.5+" java-vm-args="-Xmx512M"/>
    <jar href="WikipediaCleaner.jar" download="eager" main="true"/>
  </resources>
  <application-desc main-class="org.wikipediacleaner.WikipediaCleaner"/>
</jnlp>

Answer 4

On Linux, the following procedure worked for me. It is based on the answer by Eric David.

Get your Certificate

Go on the "Certum Certification" website in the "OpenSource Code Signing" section. Buy a certificate and follow the creation procedure.

Get the Public Key for Code Signing

Get the Public Key of Certum Code Signing CA, probably the CA SHA2 key cscasha2.cer.

Convert the certificate to pkcs12 format

• Import your own certificate (the one you got from Certum) into Firefox:
  menu item settings - advanced - certificates - show certificates.
• Import the CA SHA2 puplic key (used by Certum to sign your certificate):
  tab cert. authorities - import.
• Verify. It should tell that it has been verified:
  tab own certificates - show.
• Export the certificate:
  tab own certificates - save - as pkcs12 (e.g. to mycert.p12)

Convert from pkcs12 format to jks format

Find the alias used in your pkcs12 file. It will be similar to "unizeto technologies s.a. id von open source developer, YOUR NAME".

keytool -list -v -storetype pkcs12 -keystore mycert.p12 > out.txt
grep Aliasname out.txt

Then convert the pkcs12 file into java's jks format. This step could be omitted, but once done it is convenient.

keytool -importkeystore -srckeystore mycert.p12 -srcstoretype pkcs12 -srcalias "ALIASNAME" -destkeystore mycert.jks -deststoretype jks -deststorepass PASSWORD -destalias SHORTALIAS

Sign your jar file

To avoid warnings to the webstart user, the jar manifest file should contain the following attributes:

• Application-Name: APPNAME
• Permissions: all-permissions
• Codebase: URL
• Application-Library-Allowable-Codebase: URL

Sign your jar file using the following command:

jarsigner -keystore mycert.jks -tsa http://time.certum.pl FILENAME.jar SHORTALIAS

Answer 5

I solved the same problem on mine today with this :

Manifest-Version: 1.0
Trusted-Library: true
Application-Library-Allowable-Codebase: *
Trusted-Only: false
Application-Name: My app
Permissions: all-permissions
Created-By: 1.6.0_16 (Sun Microsystems Inc.)
Caller-Allowable-Codebase: *
Codebase: *

Answer 6

As mentioned here, to remove the UNKNOWN PUBLISHER warning you can add the certificate you used to sign the jar into the Signer Jar of the Java Control Panel: Configure Java -> Security -> Manage Certificates -> Signer Jar option -> Import.