Feb 21, 2024

Code Signing In Java

Introduction

This article will be the default article after the implementation of the new Minimum Requirements for Code Signing on February 1, 2017.

Prerequisites

 This guide assumes that you have already:

•  Picked up and installed your certificate onto your security token
•  Installed the Java JDK.  
•  Administrative rights may be needed depending on the permissions set to the Java JDK bin folder.

Signature Setup

1. In order to enable the JDK to access the security token, you will first need to create a configuration file. Open any plain-text editor and create a file named eToken.cfg. The file should contain 2, possibly 3, lines:
   
   name=eToken
library=c:\WINDOWS\system32\eTPKCS11.dll
slot=3 
   Note: The default slot number when left unspecified is 0. SafeNet eToken 5100 will automatically assign to slot 0, therefore there will be no need for the slot line in the .cfg file. However this may need to be changed depending on the number of eTokens/SmartCard readers installed. The default slot number for the SafeNet Ikey 4000 is slot 3. The slot line will be required when using a SafeNet iKey 4000.
2. Save this file in the JDK bin folder, by default it is:
   
   C:\Program Files (x86)\Java\jdk1.7.0_67\bin 
3. Open the command prompt: Start > Run > cmd
    
4. Navigate to your Java JDK Bin Folder:
   
   cd C:\Program Files (x86)\Java\jdk1.7.0_67\bin 
5. In order to use the token to sign you will need to find the alias of your private key. This will enable you to reference the proper certificate when signing. Run the following command from the bin folder:
   
   keytool -v -list -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerArg eToken.cfg
   Enter keystore password: “Your Token Password”
   
   Error Note: If you receive the following error: “java.security.KeyStoreException: PKCS11 not found” at this point. There are 2 potential issues with the configuration:
   • set the slot number to zero in your eToken.cfg file (slot=0). Attempt to run the list command again, incrementing the slot number by 1 with each iteration of the error. You should eventually receive the Enter KeyStore Password prompt that will accept your SafeNet Token passphrase. *See: Signature Set Up Step 1.
   • SafeNet Drivers are not installed correctly. Ensure the proper drivers are installed.
6. The output is made up of the key alias, the key type, and the certificate fingerprint and other Certificate details. We will need the alias of the Code Signing Certificate to actually sign the file.
   
   le-d0e453de-66db-414a-8fa8-0a07cfad66b5, PrivateKeyEntry, Certificate fingerprint (SHA1): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
    
   Fingerfrint (SHA1): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
   Alias Name: le-d0e453de-66db-414a-8fa8-0a07cfad66b5​​​​​​​
   
   Note: If there are more than 1 Certificate you are using and If you are unsure of the Certificate, please check the fingerprint found on the output.
7. If there is more than one certificate on your token, you may need to discern which certificate we will be using. Open the Safenet Authentication Client, press the gear icon at the top:
   
   
8. Find your installed GlobalSign Code Signing Certificate, and double-click it. This will pull up the certificate details. Select the Details tab, scroll to the bottom and the Thumbprint will be there: 
   
   
9. Match the certificate thumbprint with the proper alias on your output. In this case it will be the first entry:
   
   le-d0e453de-66db-414a-8fa8-0a07cfad66b5, PrivateKeyEntry, Certificate fingerprint (SHA1): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 
10. Copy the alias (e.g. le-d0e453de-66db-414a-8fa8-0a07cfad66b5) for use in our next command.

Signing a .Jar File

1. Now that we have successfully accessed the token and received our certificates alias, we can sign the .jar file. You will need to place the .jar file you are signing into the bin directory.
    
2. In the command line, navigate to the Java SDK bin directory, (e.g. C:\Program Files (x86)\Java\jdk1.7.0_67\bin)
   
   The command used to sign is:
   
   jarsigner -keystore NONE -storetype PKCS11 -tsa http://timestamp.globalsign.com/tsa/r6advanced1 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg eToken.cfg test.jar "le-d0e453de-66db-414a-8fa8-0a07cfad66b5" 

Note: Timestamping your Code is extremely important and is highly recommended for every piece of code that you sign. This timestamp will allow the file that you sign to remain valid long after the certificate itself has expired.

Common Errors

1. Warning: The signer's certificate chain is not validated.
   
   You will need to import the GlobalSign Standard Code Signing Intermediate Certificate onto your token to ensure the signature chains properly. Note: You need to import the corresponding intermediate certificate according to your certificate type.