JavaCodeSigningCertificatesForBerkeley

Berkeley now provides code signing certificates, but using them is a little tricky: the certificate ends up in the browser and needs to be backed up as a PKCS12 file and converted to a JKS format keystore that can be read by jarsigner.

See https://wiki.eecs.berkeley.edu/ptolemy/Ptolemy/Certificates for the current Ptolemy II code signing certificate.

Get the certificate

https://calnetweb.berkeley.edu/calnet-technologists/calnet-incommon-comodo-certificate-service says:

    For code signing certificates:
    Contact calnet-pki@lists.b.e and we can work with you on provisioning your code signing certificate.
I emailed the above alias. The response asked whether a browser certificate would work, and asked for my email address and the name that should appear in the certificate. I was told that I would get an invitation to generate a private key, and then a second email telling me to pick up my signed public key using the same browser. I responded with my email address and name. I then received an email message from InCommon telling me to go to a URL and generate a private key. I did that. I then received an email message from InCommon telling me that my certificate had been created. I went to that URL and my certificate was added to the certificates of my browser.

Export the certificate from Firefox

In Firefox on the Mac, to view the certificate, do Preferences -> Privacy & Security -> Security -> View Certificates. The certificate will have a recent date on it and say something like "University of California at Berkeley's Internet 2 id".

In the Certificate Manager window of Firefox, select the certificate, click on Backup and save the file, protecting it with a password. This password is also used when adding the cert to the keystore below, so choose a password that can be shared with others if necessary. Note that the backup file contains the private key as well as the certificate, so keep its file permissions restrictive and do not check it into version control.

To view the contents of the backup, use the command below. The password is the password that was entered when the certificate was saved.

    bash-3.2$ keytool -list -keystore ucb.p12 -storetype PKCS12
    Enter keystore password:
    Keystore type: PKCS12
    Keystore provider: SunJSSE

    Your keystore contains 1 entry

    university of california, berkeley (regents of the univ. of ca)’s internet2 id, May 16, 2018, PrivateKeyEntry,
    Certificate fingerprint (SHA1): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

If you get

    keytool error: java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded

then the password you entered for keytool does not match, see http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6974037

One important thing to note is the alias for this key, which the verbose listing shows:

    keytool -v -list -keystore ucb.p12 -storetype PKCS12
    Enter keystore password:
    Keystore type: PKCS12
    Keystore provider: SunJSSE

    Your keystore contains 1 entry

    Alias name: university of california, berkeley (regents of the univ. of ca)’s internet2 id
    Creation date: May 16, 2018
    Entry type: PrivateKeyEntry
    ...

The above command will also list the email address that was supplied:

    ...
    #10: ObjectId: 2.5.29.17 Criticality=false
    SubjectAlternativeName [
      RFC822Name: xxx@berkeley.edu
    ]

Import the certificate into your keystore

Use the command below to convert the PKCS12 file created by Firefox to a JKS file that can be used by jarsigner:

    keytool -importkeystore -srcalias "university of california, berkeley (regents of the univ. of ca)’s internet2 id" \
        -srckeystore jnlp-ptolemy-software-cert.p12 -srcstoretype PKCS12 -destkeystore ptkeystore.jks -destalias ptolemy

The key features are that -srcalias must exactly match the alias shown by the verbose listing above, and -destalias gives the key the short alias ptolemy that is passed to jarsigner below. If ptkeystore.jks does not exist yet, keytool creates it and prompts for a new destination keystore password in addition to the source (PKCS12) password.
View the contents of the new keystore:

    bash-3.2$ keytool -list -keystore ptkeystore.jks -alias ptolemy
    Enter keystore password:
    ptolemy, Dec 14, 2016, PrivateKeyEntry,
    Certificate fingerprint (MD5): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

Use the certificate

We create a jar file and sign it:

    bash-3.2$ echo "This is my test file" > README.txt
    bash-3.2$ jar -cf test.jar README.txt
    bash-3.2$ jarsigner -verbose -keystore ptkeystore.jks test.jar ptolemy
    Enter Passphrase for keystore:
       updating: META-INF/PTOLEMY.SF
       updating: META-INF/PTOLEMY.RSA
        signing: README.txt
    jar signed.

    Warning:
    No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2019-12-14) or after any future revocation date.
    bash-3.2$

The signature files are named after the alias, so signing with alias ptolemy produces META-INF/PTOLEMY.SF and META-INF/PTOLEMY.RSA. The warning matters: without a trusted timestamp (-tsa) the signature is only accepted while the certificate is valid, which is why the jars have to be resigned when it expires.

Resigning Jar files

When the certificate expires, we need to resign the jar files. "I Resign! Resigning Jar Files with Initium" by Doug Lyon outlines the solution:
1. Get a new certificate. See above.

2. Load the certificate into our keystore. For Ptolemy, this is the keystore referenced by the script below.

3. Back up the jar files:

    [root@moog books]# pwd
    /home/www/ptweb/books
    [root@moog books]# tar -zcf Systems23Jan2015.tar.gz Systems

4. Unjar the previously signed .jar files, then re-jar and re-sign them. A sample script is at http://ptolemy.eecs.berkeley.edu/books/updatejars:

    #!/bin/sh
    # See http://chess.eecs.berkeley.edu/ptexternal/wiki/Main/JavaCodeSigningCertificatesForBerkeley
    # Run from the directory that contains the jar files to be resigned.
    if [ ! -d unjar ]; then
        mkdir unjar
    fi
    cd unjar
    echo "In `pwd`"

    # In 2014, signed jar files need a manifest that has a Permissions attribute.
    # See http://docs.oracle.com/javase/tutorial/deployment/jar/secman.
    # http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html#permissions
    # http://docs.oracle.com/javase/tutorial/deployment/jar/modman.html
    JNLP_MANIFEST=jnlp_manifest.txt
    echo "Application-Name: Ptolemy II" > $JNLP_MANIFEST
    echo "Permissions: all-permissions" >> $JNLP_MANIFEST

    # Use the Oracle JDK tools, not the GNU ones in /usr/bin (see the comments below).
    JVM=/usr/lib/jvm/latest
    jarsigner=$JVM/bin/jarsigner
    jar=$JVM/bin/jar

    files=`find .. -name "*.jar"`
    for file in $files
    do
        rm -rf tmp
        mkdir tmp
        cd tmp
        echo " In `pwd`"
        # Unpack the old jar and drop its META-INF, which holds the old signature files.
        $jar -xf ../$file
        rm -rf META-INF
        newjar=`basename $file`
        echo $newjar
        rm -f /tmp/$newjar
        $jar -cf /tmp/$newjar .
        # Avoid message about missing a "Permissions" manifest attribute.
        # Use the Oracle jar and avoid jarsigner: unable to sign jar: java.io.IOException: invalid header field
        $jar -umf ../$JNLP_MANIFEST /tmp/$newjar
        # Index it (before signing) and avoid "This jar contains unsigned entries which have not been integrity-checked."
        $jar -i /tmp/$newjar
        # /usr/bin/jarsigner will report: jarsigner error: gnu.javax.crypto.keyring.MalformedKeyringException: incorrect magic
        TSA=""
        # Set TSA and use a timestamp and avoid:
        #
        # "This jar contains signatures that does not include a
        # timestamp. Without a timestamp, users may not be able to
        # validate this jar after the signer certificate's expiration
        # date (2019-12-14) or after any future revocation date."
        #
        # See http://certhelp.ksoftware.net/support/solutions/articles/17164-how-do-i-sign-and-timestamp-a-java-jar-file-
        # For now, skip this because it takes too long.
        #TSA="-tsa http://timestamp.comodoca.com/rfc3161"
        $jarsigner -storepass `cat ~/.certpw` -keystore /users/ptII/adm/certs/ptKeystore -keypass `cat ~/.certpw` $TSA /tmp/$newjar ptolemy
        if [ ! -z "$TSA" ]; then
            # https://support.comodo.com/index.php?/Knowledgebase/Article/View/68/0/time-stamping-server
            echo "Comodo asks that we sleep for 15 seconds between calls."
            sleep 15
        fi
        # /usr/bin/jarsigner will report "jarsigner: Signature Block missing for PTOLEMY". Use Oracle JDK1.7 jarsigner
        $jarsigner -verify /tmp/$newjar
        cd ..
        echo "Copying /tmp/$newjar to $file"
        cp /tmp/$newjar $file
    done

Some things to be aware of when using this script:

- Leaving TSA empty is what makes this whole procedure necessary again at the next expiry. A signature made with a trusted timestamp stays valid after the certificate expires; one made without it does not, as the jarsigner warning above says.

- rm -rf META-INF removes more than the old PTOLEMY.SF and PTOLEMY.RSA files: anything else under META-INF, such as META-INF/services, is lost and has to come from the new manifest or be added back.

- Passing the password with -storepass `cat ~/.certpw` exposes it in the process list while jarsigner runs. jarsigner also accepts -storepass:file ~/.certpw and -keypass:file ~/.certpw, which read the password from the file instead.

- The rebuilt jar is staged in the shared /tmp directory under a predictable name before being copied over the original.
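As an added example (not part of this page or of the Ptolemy project), the standard-library Python script below shows what the jarsigner -verify step in the script above and the signing example earlier actually cover inside a signed jar: the digest chain from each entry to META-INF/MANIFEST.MF and from each manifest section to META-INF/PTOLEMY.SF. It builds a small jar with a correctly chained manifest and .SF file from constructed sample data (the README.txt from the signing example plus a made-up class entry), checks the chain, and then shows the two failures the script's comments mention: a modified entry and an "unsigned entry" that the manifest does not cover. The function names, the alias PTOLEMY and the sample contents are this example's own assumptions. The META-INF/PTOLEMY.RSA block, a PKCS#7 signature over the .SF file that needs the private key, is neither produced nor verified here; that remains jarsigner's job, so this is a complement to jarsigner -verify, not a replacement.

```python
"""Check the digest chain that a JAR signature covers, using only the standard library.

jarsigner writes META-INF/MANIFEST.MF (a digest per entry), META-INF/<ALIAS>.SF
(a digest of the whole manifest and of each manifest section) and
META-INF/<ALIAS>.RSA (a PKCS#7 signature over the .SF).  The .RSA block is out
of scope here; everything else in the chain is built and checked below.
Example code, not Ptolemy's; sample data is constructed inline.
"""
import base64
import hashlib
import io
import zipfile


def _b64digest(data: bytes) -> str:
    # Digests in manifest files are base64-encoded SHA-256 values.
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def _sections(text: bytes) -> list:
    """Split a manifest into sections, each kept with its terminating blank line,
    because the per-entry digests in the .SF cover exactly those bytes."""
    sections, current = [], b""
    for line in text.splitlines(keepends=True):
        current += line
        if line in (b"\r\n", b"\n"):
            sections.append(current)
            current = b""
    if current.strip():
        sections.append(current)
    return sections


def _attrs(section: bytes) -> dict:
    """Parse 'Key: value' lines of one section; a leading space continues the previous value."""
    attrs, last = {}, None
    for line in section.decode("utf-8").splitlines():
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif ": " in line:
            last, value = line.split(": ", 1)
            attrs[last] = value
    return attrs


def build_signed_jar(files: dict, alias: str = "PTOLEMY") -> bytes:
    """Write the files plus a MANIFEST.MF / <alias>.SF pair whose digests chain correctly."""
    main = b"Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n"
    entry_sections = [f"Name: {n}\r\nSHA-256-Digest: {_b64digest(d)}\r\n\r\n".encode()
                      for n, d in files.items()]
    manifest = main + b"".join(entry_sections)
    sf = (b"Signature-Version: 1.0\r\n"
          + f"SHA-256-Digest-Manifest: {_b64digest(manifest)}\r\n".encode()
          + f"SHA-256-Digest-Manifest-Main-Attributes: {_b64digest(main)}\r\n".encode()
          + b"Created-By: example\r\n\r\n")
    for sec in entry_sections:  # the .SF digests the manifest *section*, not the file content
        sf += f"Name: {_attrs(sec)['Name']}\r\nSHA-256-Digest: {_b64digest(sec)}\r\n\r\n".encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr(f"META-INF/{alias}.SF", sf)
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


def check_jar(jar: bytes, alias: str = "PTOLEMY") -> list:
    """Return a list of problems; an empty list means the digest chain is intact."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        names = z.namelist()
        manifest = z.read("META-INF/MANIFEST.MF")
        sf_secs = _sections(z.read(f"META-INF/{alias}.SF"))
        if _attrs(sf_secs[0]).get("SHA-256-Digest-Manifest") != _b64digest(manifest):
            problems.append("manifest digest in .SF does not match MANIFEST.MF")
        m_by_name = {_attrs(s)["Name"]: s for s in _sections(manifest)[1:]}
        for s in sf_secs[1:]:  # .SF section digest -> manifest section bytes
            a = _attrs(s)
            if a["Name"] not in m_by_name:
                problems.append(f"{a['Name']}: listed in .SF but not in manifest")
            elif a["SHA-256-Digest"] != _b64digest(m_by_name[a["Name"]]):
                problems.append(f"{a['Name']}: manifest section digest mismatch")
        for name, sec in m_by_name.items():  # manifest digest -> entry content
            if name not in names:
                problems.append(f"{name}: in manifest but missing from jar")
            elif _attrs(sec)["SHA-256-Digest"] != _b64digest(z.read(name)):
                problems.append(f"{name}: content digest mismatch (tampered?)")
        for name in names:  # anything outside META-INF/ the manifest does not cover is unsigned
            if not name.startswith("META-INF/") and name not in m_by_name:
                problems.append(f"{name}: unsigned entry, not covered by the manifest")
    return problems


def tamper(jar: bytes, name: str, data: bytes) -> bytes:
    """Replace (or add) one entry while leaving MANIFEST.MF and the .SF untouched."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar)) as src, zipfile.ZipFile(buf, "w") as dst:
        for n in src.namelist():
            dst.writestr(n, data if n == name else src.read(n))
        if name not in src.namelist():
            dst.writestr(name, data)
    return buf.getvalue()


# Constructed sample jar: the README.txt from the signing example plus a made-up class entry.
SAMPLE = build_signed_jar({"README.txt": b"This is my test file\n", "pt/Main.class": b"\xca\xfe\xba\xbe"})

if __name__ == "__main__":
    print("clean:      ", check_jar(SAMPLE))
    print("tampered:   ", check_jar(tamper(SAMPLE, "README.txt", b"evil\n")))
    print("extra entry:", check_jar(tamper(SAMPLE, "pt/Extra.class", b"\xca\xfe\xba\xbe")))
```

The "unsigned entry" case is the one the script's jar -i comment refers to: any file added to the jar after signing, including an INDEX.LIST generated afterwards, is not in the manifest and so is not covered by the signature, which is why the script indexes before it signs.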