
Sunday, 1 December 2019

Code signing with Certum and SimplySign

What follows are my own personal notes on purchasing, installing and using a Certum code signing certificate with SimplySign.

Sensitive or personal information has been removed from this post.




1 Purchase certificate and verify details (details not included here)

2 Install SimplySign software on mobile and desktop (details not included here)

3 Install certificate TODO - UPDATE: Not actually required with SimplySign (I don't think)

4 Follow steps below:



###############

PRE SIGNING ACTIVITY

BUILD APPLICATION WITH SELF SIGNED CERTIFICATE IN NETBEANS
* Firstly, try building unsigned!!!

###############


1 CREATE eToken.cfg file in same folder as jar file.

CONTENTS OF eToken.cfg file

name=Crypto3PKCS
library="//usr//local//lib//libSimplySignPKCS.dylib"
slot=-1


2 VERIFY eToken.cfg

keytool -v -list -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerArg eToken.cfg


3 CREATE bundle.pem (contents below, marked *****): first MY certificate and second the Certum certificate [Certum Code Signing CA SHA2].
AND copy the bundle.pem file to the jar folder.

4 SIGN jar (ALTERNATIVELY SEE SCRIPT BELOW *1)

jarsigner -keystore NONE -certchain "bundle.pem" -tsa "http://time.certum.pl" -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg "eToken.cfg" -storepass "removed" "application.jar" "serialNumberRemoved"

NOTE: The last argument in the above is the serial number of the certificate (it is used as the keystore alias) AND it must be in UPPER CASE.


5 VERIFY jar (OPTIONAL)

jarsigner -verify -verbose -certs -keystore NONE -tsa "http://time.certum.pl" -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg "eToken.cfg" -storepass "removed" "application.jar" "serialNumberRemoved"


UPLOAD THE NEW JAR FILE
NO NEED TO UPLOAD JNLP FILES OR THE LIB FOLDER (the latter needs to be further verified).
If lib files (jars) are signed by a different certificate, then sign them also; see here for alternative options.


*****

-----BEGIN CERTIFICATE-----
removed
removed
removed
removed
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
removed
removed
removed
removed
-----END CERTIFICATE-----


Note: the serialNumber is taken from the certificate details shown in the image below (the image itself is not included here);


*1

See here for a script to automate or at least simplify the signing and verification of jar files.
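The signing and verification steps above, wrapped in a small POSIX shell script as an added example (this is not the author's script referred to at *1, nor anything shipped by Certum or SimplySign). It assumes eToken.cfg and bundle.pem sit in the current directory and that the token PIN is exported in an environment variable named SIMPLYSIGN_PIN (an assumed name), so the PIN never appears on the command line as in the original jarsigner call.

```shell
#!/bin/sh
# Added example, not the author's script: wraps the jarsigner commands from
# the notes above. SIMPLYSIGN_PIN is an assumed variable name for the PIN.
CFG="${ETOKEN_CFG:-eToken.cfg}"
CHAIN="${CERT_CHAIN:-bundle.pem}"
TSA_URL="http://time.certum.pl"
PROVIDER="sun.security.pkcs11.SunPKCS11"

# SunPKCS11 needs at least name= and library= in the config, and the
# PKCS#11 library must actually be present. Returns 0 when it looks usable.
check_etoken_cfg() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "missing config: $cfg" >&2; return 1; }
    grep -q '^name=' "$cfg" || { echo "$cfg: no name= line" >&2; return 1; }
    lib=$(sed -n 's/^library=//p' "$cfg" | tr -d '"')
    [ -n "$lib" ] || { echo "$cfg: no library= line" >&2; return 1; }
    [ -r "$lib" ] || { echo "$cfg: library not found: $lib" >&2; return 1; }
}

# The alias is the certificate serial number and must be upper case (see
# NOTE above). Spaces and colons from a cert-viewer copy/paste are dropped,
# assuming the token label is plain hex without separators.
upper_alias() {
    printf '%s' "$1" | tr -d ' :' | tr '[:lower:]' '[:upper:]'
}

# Step 4: sign with the chain file and Certum's timestamp authority.
sign_jar() {
    jar="$1"; signer=$(upper_alias "$2")
    check_etoken_cfg "$CFG" || return 1
    [ -r "$CHAIN" ] || { echo "missing chain file: $CHAIN" >&2; return 1; }
    jarsigner -keystore NONE -certchain "$CHAIN" -tsa "$TSA_URL" \
        -storetype PKCS11 -providerClass "$PROVIDER" -providerArg "$CFG" \
        -storepass:env SIMPLYSIGN_PIN "$jar" "$signer"
}

# Step 5: verify from the chain and timestamp embedded in the jar; -strict
# makes the exit code reflect severe warnings such as an untrusted chain.
verify_jar() {
    jarsigner -verify -verbose -certs -strict "$1"
}

case "${1:-}" in
    sign)   sign_jar "$2" "$3" && verify_jar "$2" ;;
    verify) verify_jar "$2" ;;
esac
```

Run as `sh sign.sh sign application.jar <serial>` to sign and immediately verify, or `sh sign.sh verify application.jar` on its own.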
