Monday, April 19, 2010

Tucows/Comodo code signing certificate for Java

I might as well document this process out here for others.

Comodo through Tucows is the known cheapest way to sign Java code. So that's what we went for. In addition to parting with $75, plan on a day of finding verification documents and keeping the ball in their court.

The process is supposed to go like this:
  1. Signup with Tucows to be an author. (free)
  2. Use their "author resources" to order a Comodo certificate.
  3. Verify you are who you say you are with Comodo.
  4. Download certificate and start signing your Java jars.
The problem is, the flow between Tucows and Comodo is very loose. It takes 2-3 days to get handed off to Comodo after you start your order with Tucows. Then it takes a day for Comodo to start asking you questions. After that, from our experience, count on bouncing information to Comodo at least 6 times over the course of 3 days. In our case, our $75 code signing probably cost us $500 if you include our time. On the other hand, it's probably a hassle with everyone.

Problem #1:
Their corporate verification seems fairly in-depth. I think we were able to be verified with: Articles of Incorporation, Acceptance of S-Corp, company bank statement, and phone bill.

Problem #2:
We were just about to move HQ to a new corporate address. I gave them our new corporate address, but none of our documents supported that address. So I had to tell them to change my order's address to our existing/current corporate address.

Problem #3:
We don't have a land line in our business name. We have a Google Voice number that forwards to our cell phones. This sounds all smart and modern, but caused us problems in this case. We had to jump through additional hoops to get them to accept our cell phone bill.

Once you get all the OKs, they finally send you a link to "collect your code signing certificate." BTW, you are supposed to use the same computer and browser from start to finish: the browser generated the key pair when you placed the order and holds the private key, so the certificate can only be installed into that same browser profile. So you go to the collection link, and your browser (or javascript) has a popup that a certificate is installed. Now you just stare at the page that doesn't have any forward navigation.

So, you'll probably do what I did and search for how to USE your Comodo certificate. Google tells me some good things that aren't obvious from the Comodo page.
  • https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=419
  • https://support.comodo.com/uploaded/UsingComodoAuthenticodeCertificateforJava.pdf
Those docs are pretty Windows centric. You just gotta love screen captures of a DOS box. (We do things a little differently in the Linux/Unix world, where we can actually copy TEXT out of a command line easily.)

After following how to export the certificate out of Firefox, I had a P12 file. My experience was something like this:

# fetch and compile a small helper that copies a PKCS#12 file into a Java keystore
wget http://wiki.austriangrid.at/files/PKCS12Import.java
javac PKCS12Import.java
# import the Firefox export (P12) into keystore.ks; it will prompt for the passwords
java PKCS12Import srcbin-code-signing-certificate.p12 keystore.ks
# sign the jar using the (long, auto-generated) alias the import gave the key
jarsigner -keystore keystore.ks classes.jar "srcbin, inc's the usertrust network id"
# confirm the signature and show the signer's certificate chain
jarsigner -verify -certs classes.jar

(Or maybe I should show you that in 4 or 5 screen shots, put in a document and convert it to PDF)
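The same P12 -> keystore -> sign -> verify flow, as an added example that is not part of the original post, done with only the JDK's own keytool and jarsigner (no third-party PKCS12Import.java) and with the key moved under a short alias so you never have to type the auto-generated one. File names, passwords, the "codesign" alias and the optional TSA_URL are assumptions.

```shell
#!/bin/sh
# Added example (not the post's commands): keytool/jarsigner-only version of
# the P12 -> JKS -> sign -> verify flow. Names and passwords are assumptions.
set -eu

# Print the alias of the first entry in a PKCS#12 file. The Firefox export
# carries a long auto-generated alias, so read it instead of retyping it.
p12_alias() {          # p12_alias FILE.p12 P12PASS
    keytool -list -v -keystore "$1" -storetype PKCS12 -storepass "$2" \
      | sed -n 's/^Alias name: //p' | head -n 1
}

# Copy key + certificate chain from the P12 into a JKS keystore under the
# short alias "codesign" (assumed), which jarsigner can use without quoting.
import_p12() {         # import_p12 FILE.p12 P12PASS KEYSTORE KSPASS
    src_alias=$(p12_alias "$1" "$2")
    keytool -importkeystore -noprompt \
      -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$2" \
      -srcalias "$src_alias" \
      -destkeystore "$3" -deststoretype JKS -deststorepass "$4" \
      -destalias codesign -destkeypass "$4"
}

# Sign in place. If TSA_URL (an RFC 3161 timestamp server, assumed) is set,
# the signature stays verifiable after the one-year certificate expires.
sign_jar() {           # sign_jar KEYSTORE KSPASS FILE.jar
    if [ -n "${TSA_URL:-}" ]; then
        jarsigner -keystore "$1" -storepass "$2" -tsa "$TSA_URL" "$3" codesign
    else
        jarsigner -keystore "$1" -storepass "$2" "$3" codesign
    fi
}

# Exit 0 only if jarsigner reports "jar verified." (it only warns, rather
# than failing, for self-signed or expired chains, so check the verdict line).
verify_jar() {         # verify_jar FILE.jar
    jarsigner -verify -certs "$1" | grep -q '^jar verified'
}

# Usage: P12_PASS=... KS_PASS=... sh sign.sh export.p12 keystore.ks classes.jar
if [ $# -ge 3 ]; then
    import_p12 "$1" "${P12_PASS:-changeit}" "$2" "${KS_PASS:-changeit}"
    sign_jar "$2" "${KS_PASS:-changeit}" "$3"
    verify_jar "$3" && echo "signed and verified: $3"
fi
```

Run it once with the three file arguments; afterwards only sign_jar and verify_jar are needed for each new build.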
