LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > Programming
User Name
Password
Programming This forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game.

Notices


Reply
  Search this Thread
Old 12-07-2018, 05:02 AM   #1
plisken
Member
 
Registered: Dec 2001
Location: Scotland
Distribution: Slackware 9.1/13.37/14/14.2 RH 6.2/7/EL6.5 SuSE 8.2/11.1
Posts: 478

Rep: Reputation: 30
Trouble installing and using a code signing certificate


Looking for some assistance with installing and using code signing certificates?

Specifically, for the moment, this is in a mac environment and I’m looking to sign a jar file.

I’ve had little in the way of support from the company from which I bought the certificates, at least that I was able to understand. Google has only served to further confuse and none of my inner circle are able to offer any advice.

So, where am I at, well, I have a couple of certificates but have only activated one, so for the time being I have downloaded two files:

.cer

.pem

I have an application from the provider, which seems to show the certificate as valid: [see one of attached images]

From here, I have little to no clue, though I have tried various combinations of trying to use keytool to import the certificate into my keystore and on running keytool –list I get: [see one of attached images]

And an example of trying to sign a random jar results in: [see one of attached images]

Any help or advice would be greatly appreciated.

Apologies for not being able to display the images inline.
Attached Thumbnails
Click image for larger version

Name:	Screen Shot 2018-12-07 at 09.31.17.png
Views:	8
Size:	43.3 KB
ID:	29109   Click image for larger version

Name:	Screen Shot 2018-12-07 at 09.37.16.png
Views:	8
Size:	49.9 KB
ID:	29110   Click image for larger version

Name:	Screen Shot 2018-12-07 at 09.41.34.png
Views:	8
Size:	48.5 KB
ID:	29111  
 
Old 12-07-2018, 02:46 PM   #2
NevemTeve
Senior Member
 
Registered: Oct 2011
Location: Budapest
Distribution: Debian/GNU/Linux, AIX
Posts: 3,629

Rep: Reputation: 1112Reputation: 1112Reputation: 1112Reputation: 1112Reputation: 1112Reputation: 1112Reputation: 1112Reputation: 1112Reputation: 1112
Well, it would be a good thing if you had a *.p12 file (let's say jsign.p12), with a password stored in another file (say jsign.pwdfile), and it contained a private key and certificate with a knows alias (say jsign_alias).

In this case you could do this:
Code:
jarsigner -keystore jsign.p12 -storepass:file jsign.pwdfile \
    -tsa http://timestamp.digicert.com signed.jar jsign_alias

jarsigner -verify -verbose signed.jar
The second command only checks/describes the result.

You can create such a jsign.p12 file yourself, for test purposes (as it won't be "official" only "self-signed":
Code:
	keytool -genkeypair -alias jsign_alias -keyalg RSA -keysize 2048 -validity 2000 \
	    -keypass:file jsign.pwdfile \
	    -dname 'cn=Misty Waterflower, o=Gym, L=Cerulean, st=Kanto, c=PK' \
	    -keystore jsign.p12 -storetype PKCS12 -storepass:file jsign.pwdfile
Edit: you seem to already have a ~/.keystore file. Does it contain a suitable key+cert pair?
Code:
keytool -l -keystore ~/.keystore

Last edited by NevemTeve; 12-07-2018 at 03:15 PM.
 
1 members found this post helpful.
Old 12-08-2018, 12:50 AM   #3
NevemTeve
Senior Member
 
Registered: Oct 2011
Location: Budapest
Distribution: Debian/GNU/Linux, AIX
Posts: 3,629

Rep: Reputation: 1112Reputation: 1112Reputation: 1112Reputation: 1112Reputation: 1112Reputation: 1112Reputation: 1112Reputation: 1112Reputation: 1112
Mind you, the keystore doesn't have to be a p12 file (meaning pkcs12), it can be JKS format as well; the signing is the same, the creation of self-signed certificate:
Code:
keytool -genkeypair -alias jsign_alias -keyalg RSA -keysize 2048 -validity 2000 \
    -keypass:file jsign.pwdfile \
    -dname 'cn=Ash Katchum, o=League, L=Palette, st=Kanto, c=PK' \
    -keystore jsign_jks.jks -storetype JKS -storepass:file jsign.pwdfile
(Conversion between the two format is also possible with 'keytool -importkeystore')

Back to your problem: your screen-shots suggest that you have imported your cert+key into ~/.keystore with alias mykey, but something went wrong.
Command 'keytool -list -v -alias mykey' should give more information, eg:
Code:
$ keytool -list -v -alias jsign_alias -keystore jsign.p12 -storepass:file jsign.pwdfile 
Alias name: jsign_alias
Creation date: 2018.12.08.
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Misty Waterflower, O=Gym, L=Cerulean, ST=Kanto, C=PK
Issuer: CN=Misty Waterflower, O=Gym, L=Cerulean, ST=Kanto, C=PK
Serial number: 67199b76
Valid from: Sat Dec 08 06:59:57 CET 2018 until: Thu May 30 07:59:57 CEST 2024
Certificate fingerprints:
	 MD5:  56:F1:C1:98:9E:1E:ED:7C:C0:34:CC:A2:C9:38:D7:D3
	 SHA1: F3:CE:BF:32:FD:D7:52:11:2D:9A:0E:CC:49:FB:CF:3D:19:59:B8:87
	 SHA256: B1:86:1B:DC:7A:B0:53:B9:D0:5E:C1:2F:44:D6:E6:5E:99:EF:19:15:25:3A:17:3B:EF:05:A1:1E:E8:FA:D3:54
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
or
Code:
$ keytool -list -v -alias jsign_alias -keystore jsign_jks.jks -storepass:file jsign.pwdfile 
Alias name: jsign_alias
Creation date: 2018.12.08.
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Ash Katchum, O=League, L=Palette, ST=Kanto, C=PK
projects@zsofi-laptop:~/javatest/jartest$ keytool -list -v -alias jsign_alias -keystore jsign_jks.jks -storepass:file jsign.pwdfile 
Alias name: jsign_alias
Creation date: 2018.12.08.
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Ash Katchum, O=League, L=Palette, ST=Kanto, C=PK
Issuer: CN=Ash Katchum, O=League, L=Palette, ST=Kanto, C=PK
Serial number: 5e30cf1b
Valid from: Sat Dec 08 06:39:45 CET 2018 until: Thu May 30 07:39:45 CEST 2024
Certificate fingerprints:
	 MD5:  A0:5C:E0:59:2B:C1:FC:4D:C0:23:50:7C:0A:FB:65:0D
	 SHA1: 78:2F:7E:14:17:5A:09:32:38:05:E4:85:B3:F0:2A:47:07:3A:2B:2C
	 SHA256: AD:6F:69:0E:76:50:6A:83:FA:DC:B3:CD:51:C4:F8:3B:19:03:70:38:E1:70:C3:16:16:1C:C6:50:18:15:22:09
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Last edited by NevemTeve; 12-08-2018 at 01:23 AM.
 
Old 12-08-2018, 10:42 AM   #4
NevemTeve
Senior Member
 
Registered: Oct 2011
Location: Budapest
Distribution: Debian/GNU/Linux, AIX
Posts: 3,629

Rep: Reputation: 1112Reputation: 1112Reputation: 1112Reputation: 1112Reputation: 1112Reputation: 1112Reputation: 1112Reputation: 1112Reputation: 1112
Also, you can create a *.p12 file from a *.key.pem and a *.cert.pem file:
Code:
openssl pkcs12 -export \
 -in    ~/cert/default.cert.pem \
 -inkey ~/cert/default.key.pem  \
 -password file:jsign.pwdfile \
 -out trusted_signer.p12 -name jsign_alias
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: The creation of User, Certificate and Signing of CSR for Lemur Certificate Manager LXer Syndicated Linux News 0 11-28-2018 04:03 PM
DKIM signing using OpenDKIM not signing all emails Matt Penfold Linux - Server 0 05-13-2018 09:45 PM
Trying to create a Certificate Signing Request with my Certification Authority tsbah Linux - Security 7 03-19-2017 10:17 AM
Verify return code: 19 (self signed certificate in certificate chain) tikit Linux - Server 1 04-10-2012 06:21 PM
[SOLVED] OpenSSL: Signing Client Certificate - Help Needed peridian Linux - Security 2 02-20-2011 08:32 AM

LinuxQuestions.org > Forums > Non-*NIX Forums > Programming

All times are GMT -5. The time now is 09:37 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration