
How do I sign my Servoy plugins and beans?

Servoy has some tutorials on their wiki at: http://wiki.servoy.com/display/tutorials/JAR+signing  However, in this example, I'm going to show how to use a different certificate provider, specifically for code signing.  For this, we will get a Code Signing Certificate from Comodo.  They have been in the JRE by default since Windows 98, so you shouldn't have any problems with it.  I use https://secure.ksoftware.net to purchase the certificate because they offer it as a reseller at a discount of $99 per year, or even cheaper if you buy a multi-year certificate.

 

1.  Open Firefox (yes, Firefox specifically), and navigate to https://secure.ksoftware.net/code_signing.html

2.  Go through the order form entering your information.  It will automatically generate the code signing request from your browser.

3.  You will get an email from Comodo asking for information to confirm your identity for the SSL cert.  For a business, your Articles of Inc or Business License will do.  For an individual, you just need a driver's license or passport.

4.  Once it has been validated, Comodo will send you a link to retrieve your cert.  Again, use Firefox to retrieve the certificate.  (It will actually install it into your browser.)

5.  Next, export the cert to a PFX file.  Instructions here: http://blog.ksoftware.net/2011/07/exporting-your-code-signing-certificate-to-a-pfx-file-from-firefox/  .  The PFX file contains your Key and your Certificate all in one convenient file.  You will be asked for a password when you export it.  Remember what it is.

6.  Double-click on the exported file, and it will attempt to automatically install it into your keystore (where Java saves your certs).

7.  Now that it is in the keystore, we need to type in a Java command to find out what the alias name of our cert is.  Open up a Terminal (Mac) or Command Window (Windows), and navigate to where your PFX file was exported.  Then type this command:

keytool -list -storetype pkcs12 -keystore mycert.pfx -v

(replacing mycert.pfx with the name of your certificate)

At the top of the output, it will display the alias of your cert.  For example, mine is: "itech professionals, inc.'s the usertrust network id".  Copy that and save it somewhere.

 

At this point, you have your keystore in PFX format.  The next step depends on what you want to do.  If you are a developer and want to manually sign your own plugins/beans, follow steps (A).  If you just want to sign the jars on your application server with your own certificate, follow steps (B).

 

(A)  Plugin/Bean Developers: Sign your own plugins and beans

8.  Now (finally), let's sign a jar file.  Again, we'll need a terminal to do this.  If you have your cert and jar in the same folder, open up a Terminal or Command Window and navigate to that directory.  Then run this command:

jarsigner -storetype pkcs12 -keystore mycert.pfx myapp.jar "aliasname"

(replacing mycert.pfx with the name of your cert, myapp.jar with the name of the jar to sign, and aliasname with the alias name of your cert from the previous step)

After you run the command, you will be prompted for a password.  Enter the password that you used when you exported the key from Firefox.

That's it.  The jar is signed and ready to be used.
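
Steps 7 and 8 combined into one script, as an added example that is not part of the original tutorial: it reads the alias out of the keytool listing instead of copying it by hand, signs the jar, and checks the result with jarsigner -verify.  It assumes English-locale JDK tools on the PATH and the PFX password in an environment variable named PFX_PASS (a name chosen here); the function names and the sample listing are also constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes English-locale JDK tools on PATH and the PFX
# password exported as PFX_PASS (an assumed variable name).

# Read `keytool -list -v` output on stdin; print the alias of each
# private-key entry. Certificate-only entries cannot sign and are skipped.
key_aliases() {
    awk '/^Alias name: /                { alias = substr($0, 13) }
         /^Entry type: PrivateKeyEntry/ { print alias }'
}

# Constructed sample of the relevant keytool output lines.
sample_keytool_output() {
    cat <<'EOF'
Your keystore contains 2 entries

Alias name: example root ca
Entry type: trustedCertEntry

Alias name: itech professionals, inc.'s the usertrust network id
Entry type: PrivateKeyEntry
Certificate chain length: 3
EOF
}

# Sign JAR ($2) with the only key entry in PFX ($1), then verify it.
sign_jar() {
    pfx=$1; jar=$2
    aliases=$(keytool -list -v -storetype pkcs12 -keystore "$pfx" \
                  -storepass:env PFX_PASS | key_aliases)
    count=$(printf '%s\n' "$aliases" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected 1 private-key entry in $pfx, found $count" >&2
        return 1
    fi
    # Keep the alias quoted: it may hold spaces, commas and apostrophes.
    jarsigner -storetype pkcs12 -keystore "$pfx" -storepass:env PFX_PASS \
        "$jar" "$aliases" || return 1
    # An unsigned or tampered JAR does not print "jar verified."
    jarsigner -verify "$jar" | grep -q '^jar verified'
}

# Usage: PFX_PASS=... sh sign.sh mycert.pfx myapp.jar
if [ "$#" -eq 2 ]; then
    sign_jar "$1" "$2"
fi
```

Passing the password with -storepass:env keeps it out of the process list and shell history, unlike typing it after -storepass on the command line.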

 

(B)  Application Server Jar Signing using Signtester tool

The signtester tool requires the keystore to be in the standard JKS format, instead of the bundled PFX format.  So, you need to convert the keystore.  The easiest way is to use Portecle.  Download it here:  http://portecle.sourceforge.net

8.  Open Portecle (double-click, or run with java -jar portecle.jar)

9.  Open your mycert.pfx file and provide the password.

10.  Click on the Tools/Change KeyStore Type/JKS menu.  (If you don’t want to use the default password (which is password), click on the keystore password menu item.)

11.  Save it, and you now have mycert.jks

That's it.  You can now take that JKS keystore file and use it with the signtester tool here: https://www.servoyforge.net/projects/signtester