On 01/09/2014 16:17, AUser ZUser wrote:
> Hello
> Can someone please help me with the following question.
> I have a code signing certificate in my X509 store "LocalMachine\My" which I can use for signing PowerShell scripts, for example:
> Set-AuthenticodeSignature ./MyScript.ps1 -certificate ( gci cert:\LocalMachine\My -CodeSigning)
> No worries there.
> From the information I have re "Authenticode" as above, the only file formats it currently supports are
>
> * .cab files
> * .cat files
> * .ctl files
> * .dll files
> * .exe files
> * .ocx and
>
> Now the UNIX guys also need their .JAR files signing (they do not have the code signing cert).
> So I was thinking along the following lines, but need some help please.
> I downloaded OpenSSL for Windows and installed it.
> What I want to do is use OpenSSL from the Windows command line to sign a .jar file.
> I do not want to expose the code signing certificate by having it as a flat file (e.g. CodeSigningCert.pfx) on the file system; rather I would prefer to keep it in the X509 store (whereby the private key is not exportable) and refer to the cert on the OpenSSL command line when signing the .jar file.
> Is this possible? Can anyone please show me a few command line examples? If this is not possible, is there another utility I can use to achieve the above?
> Thanks All
> AAnotherUser__
Note: I have successfully signed jar files (actually apk files,
which are jar files with different contents) using the openssl
command line, plus some scripting.

Basically, jar files are zip files containing extra files
describing the signature. There is a specification on Oracle's
site, but fundamentally:

META-INF/MANIFEST.MF
    contains hashes of all non-signature files in the zip file.
    This is generated when you sign the jar with any certificate
    (even an unimportant dummy key). This is a text file.

META-INF/$signaturename.SF
    contains hashes of various parts of MANIFEST.MF. This too is
    generated when you sign the jar with any certificate, even
    though there is one copy of this file for each signature.
    This is a text file.

META-INF/$signaturename.RSA
    is the output from running the following command (this is a
    binary file):

    openssl cms -sign -outform DER -noattr -md $hashname \
        -signer $whatever.pem $engineorprivkeyoptions \
        < $signaturename.SF > $signaturename.RSA

META-INF/$signaturename.DSA
    is the same as the .RSA file if your certificate happens to
    use a DSA public key.

So one way (there are more advanced ways) is to sign with a dummy
(unimportant, no security) key using jarsigner, then extract
META-INF/$signaturename.SF, pass it to openssl with appropriate
engine options, then use a generic ZIP program to replace the
dummy $signaturename.RSA with the real one.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.
http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct
+45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
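The procedure Jakob describes, as an added example that is not part of this thread and not WiseMo's or OpenSSL's code: a Python script that replaces the jarsigner dummy-signing step by generating MANIFEST.MF and the .SF file directly, following the JAR File Specification layout (CRLF line endings, SHA-256 digests, each section terminated by a blank line, per-entry .SF digests taken over the whole manifest section including that blank line), wraps the `openssl cms` command from the reply in a subprocess call, and rebuilds the jar with the signature files first in META-INF. It also includes `verify_digests`, which re-derives the digest chain .SF -> MANIFEST.MF -> zip entries the way a consumer would when checking for a swapped class file. The sample jar contents, the function names and the `SIGNER` signature name are assumptions; the openssl call needs an openssl binary plus your own `-signer` and engine or private-key options (Jakob's `$engineorprivkeyoptions`).

```python
import base64
import hashlib
import io
import subprocess
import zipfile

CRLF = "\r\n"
SEP = b"\r\n\r\n"  # blank line that terminates every manifest section

SAMPLE_FILES = {  # constructed sample jar contents; the .class bytes are not a real class
    "com/example/Hello.class": b"\xca\xfe\xba\xbe constructed sample",
    "resources/config.txt": b"greeting=hello\n",
}

def make_jar(files):
    """Build an unsigned zip/jar in memory from a {name: bytes} dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def _b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def _is_signature_file(name):
    # MANIFEST.MF and the per-signature .SF/.RSA/.DSA/.EC files are never digested.
    upper = name.upper()
    return upper == "META-INF/MANIFEST.MF" or (
        upper.startswith("META-INF/") and upper.endswith((".SF", ".RSA", ".DSA", ".EC")))

def split_sections(data):
    """(main section, [entry sections]); each keeps its blank line, the span the .SF digests cover."""
    parts = [p + SEP for p in data.split(SEP) if p]
    return parts[0], parts[1:]

def _attrs(section):
    # 'Key: value' lines of one section as a dict
    return dict(line.split(": ", 1) for line in section.decode("utf-8").split(CRLF) if ": " in line)

def build_manifest(jar_bytes):
    """MANIFEST.MF: one section per non-signature entry with the SHA-256 of its uncompressed bytes."""
    out = [f"Manifest-Version: 1.0{CRLF}Created-By: added example{CRLF}{CRLF}"]
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir() and not _is_signature_file(info.filename):
                out.append(f"Name: {info.filename}{CRLF}SHA-256-Digest: "
                           f"{_b64_sha256(zf.read(info.filename))}{CRLF}{CRLF}")
    return "".join(out).encode("utf-8")

def build_sf(manifest):
    """$signaturename.SF: digests of the whole manifest, its main section and each entry section."""
    main, entries = split_sections(manifest)
    out = [f"Signature-Version: 1.0{CRLF}",
           f"SHA-256-Digest-Manifest: {_b64_sha256(manifest)}{CRLF}",
           f"SHA-256-Digest-Manifest-Main-Attributes: {_b64_sha256(main)}{CRLF}",
           f"Created-By: added example{CRLF}{CRLF}"]
    for section in entries:
        out.append(f"Name: {_attrs(section)['Name']}{CRLF}"
                   f"SHA-256-Digest: {_b64_sha256(section)}{CRLF}{CRLF}")
    return "".join(out).encode("utf-8")

def verify_digests(jar_bytes, manifest, sf):
    """Re-derive the digest chain .SF -> MANIFEST.MF -> zip entries. A swapped .class file
    or an edited manifest returns False; the CMS signature over the .SF pins the .SF itself."""
    head, sf_entries = split_sections(sf)
    head, (mf_main, mf_entries) = _attrs(head), split_sections(manifest)
    if (head.get("SHA-256-Digest-Manifest") != _b64_sha256(manifest)
            or head.get("SHA-256-Digest-Manifest-Main-Attributes") != _b64_sha256(mf_main)):
        return False
    by_name = {_attrs(s)["Name"]: s for s in mf_entries}
    for s in sf_entries:
        a = _attrs(s)
        if a.get("SHA-256-Digest") != _b64_sha256(by_name.get(a.get("Name"), b"")):
            return False
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        for s in mf_entries:
            a = _attrs(s)
            if a["Name"] not in names or a["SHA-256-Digest"] != _b64_sha256(zf.read(a["Name"])):
                return False
    return True

def sign_sf_with_openssl(sf, signer_pem, hashname="sha256", key_opts=()):
    """The openssl cms command from the reply, fed the .SF on stdin; key_opts are the engine or
    private-key options for your signer. Needs openssl on PATH, so it is not exercised offline."""
    argv = ["openssl", "cms", "-sign", "-outform", "DER", "-noattr", "-md", hashname,
            "-signer", signer_pem, *key_opts]
    return subprocess.run(argv, input=sf, capture_output=True, check=True).stdout

def assemble_signed_jar(jar_bytes, manifest, sf, sig_block, sig_name="SIGNER"):
    """Write the final jar: MANIFEST.MF, .SF and .RSA first in META-INF, then the payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(buf, "w") as dst:
        dst.writestr("META-INF/MANIFEST.MF", manifest)
        dst.writestr(f"META-INF/{sig_name}.SF", sf)
        dst.writestr(f"META-INF/{sig_name}.RSA", sig_block)
        for info in src.infolist():
            if not _is_signature_file(info.filename):
                dst.writestr(info, src.read(info.filename))
    return buf.getvalue()
```

A typical run is `jar = make_jar(SAMPLE_FILES)`, `mf = build_manifest(jar)`, `sf = build_sf(mf)`, `rsa = sign_sf_with_openssl(sf, "signer.pem", key_opts=[...])`, then `assemble_signed_jar(jar, mf, sf, rsa)`; Jakob's route of letting jarsigner produce the .SF and only swapping the .RSA works with the same two last functions. `verify_digests` covers only the hash chain; the final acceptance check of the produced jar is still `jarsigner -verify`, which also validates the CMS signature and certificate chain. For the original question of keeping the key in the Windows store, the engine options Jakob mentions are where OpenSSL's CAPI engine (`-engine capi`) would plug in, if your OpenSSL build ships it.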