Comodo through Tucows is the cheapest known way to sign Java code. So that's what we went for. In addition to parting with $75, plan on a day of finding verification documents and keeping the ball in their court.
The process is supposed to go like this:
- Sign up with Tucows to be an author. (free)
- Use their "author resources" to order a Comodo certificate.
- Verify you are who you say you are with Comodo.
- Download the certificate and start signing your Java jars.
Problem #1:
Their corporate verification seems fairly in-depth. I think we were able to be verified with: Articles of Incorporation, Acceptance of S-Corp, company bank statement, and phone bill.
Problem #2:
We were just about to move HQ to a new corporate address. I gave them our new corporate address, but none of our documents support that address. So I had to tell them to change my order's address to our existing/current corporate address.
Problem #3:
We don't have a land line in our business name. We have a Google Voice number that forwards to our cell phones. This sounds all smart and modern, but caused us problems in this case. We had to jump through additional hoops to get them to accept our cell phone bill.
Once you get all the OKs, they finally send you a link to "collect your code signing certificate." BTW, you are supposed to use the same computer and browser from start to finish. It's doing some certifying magic. So you go to the collection link, and your browser (or JavaScript) shows a popup saying that a certificate is installed. Now you just stare at the page that doesn't have any forward navigation.
So, you'll probably do what I did and search for how to USE your Comodo certificate. Google tells me some good things that aren't obvious from the Comodo page.
- https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=419
- https://support.comodo.com/uploaded/UsingComodoAuthenticodeCertificateforJava.pdf
After following how to export the certificate out of Firefox, I had a P12 file. My experience was something like this:
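```sh
# Fetch and compile the PKCS12 import helper
wget http://wiki.austriangrid.at/files/PKCS12Import.java
javac PKCS12Import.java
# Import the exported P12 into a Java keystore
java PKCS12Import srcbin-code-signing-certificate.p12 keystore.ks
# Sign the jar with the alias of the imported key, then verify the signature
jarsigner -keystore keystore.ks classes.jar "srcbin, inc's the usertrust network id"
jarsigner -verify -certs classes.jar
```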
(Or maybe I should show you that in 4 or 5 screen shots, put in a document and convert it to PDF)
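An added example, not part of the original post: the same sign-and-verify steps run directly against the exported P12 with keytool and jarsigner, reading the key alias from the keystore instead of typing it by hand. It assumes JDK 7 or later, the export password in a hypothetical `P12_PASS` environment variable, and placeholder file names.

```shell
#!/bin/sh
# Added example (not from the original post): sign a jar straight from the
# exported .p12 using JDK tools only. Assumes JDK 7+ (for -storepass:env) and
# that P12_PASS holds the export password. File names are placeholders.

# Print every alias found in `keytool -list -v` output read from stdin.
# Aliases may contain spaces, commas and quotes, so keep the whole line.
aliases_from_listing() {
    sed -n 's/^Alias name: //p'
}

# Print the alias and succeed only when the listing holds exactly one entry.
single_alias() {
    found=$(aliases_from_listing)
    [ -n "$found" ] || { echo "no key entry found" >&2; return 1; }
    [ "$(printf '%s\n' "$found" | grep -c '')" -eq 1 ] || {
        echo "several aliases, pick one:" >&2
        printf '%s\n' "$found" >&2
        return 1
    }
    printf '%s\n' "$found"
}

sign_with_p12() {
    p12=$1
    jar=$2
    chmod 600 "$p12"    # the file holds the private signing key
    alias_name=$(keytool -list -v -keystore "$p12" -storetype PKCS12 \
        -storepass:env P12_PASS | single_alias) || return 1
    jarsigner -keystore "$p12" -storetype PKCS12 -storepass:env P12_PASS \
        "$jar" "$alias_name" || return 1
    jarsigner -verify -certs "$jar"
}

# Run only when called as: sh sign.sh certificate.p12 classes.jar
if [ "$#" -eq 2 ]; then
    sign_with_p12 "$1" "$2"
fi
```

Passing the password through the environment keeps it out of the process list, and the single-entry check stops the script from signing with the wrong key when the export contains more than one.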
Martin, thanks for the comment... I was looking for something cheap.
Thanks!