Code signing certificate for Java Application

NOTE: Feb 23, 2020 – We have a certificate to sign Windows and tested. We already had the Apple DevId setup, just need to figure out how to use. This article is a recount of our experience as of today.

Background

I work for a company that has a desktop application written in Java that runs on Windows and MacOS. We could potentially run in Linux, and have tested our Mac version as such, but we should be compiling with Linux in mind for the future. But the basis of this article is more about the process I experienced trying to get our software code signed, so that when potential customers download the application from our website, both Windows Smart Screen and MacOS Gatekeeper don’t complain that the software is from an unrecognized source.

I spent a couple full days trying to research this process, as I am very new to software development life cycles. I’ll list some of the articles below that I found interesting for your further reading. From what I have gathered, we will need to get two code signing certificates, one for Windows version and one for the Mac. I tested to see what happens when we try to sign with the Windows certificate on the Mac version of the software, and the Mac Gatekeeper did not recognize us as an Identified Developer and thus we must use the Apple Developer Id in order to sign our MacOS version of the software.

Windows Code Signing Certificate

So, after much research and looking at various reviews of the major companies, we decided to try out SSL.COM for our certificate. The price was reasonable and the reviews reasonable as well. Some of the other major players were higher in price, and since we are a fairly young startup it made more sense to go with the more cost effective setup. We have the man hours to put towards staying on top of the process and getting this done, versus using one of the more expensive providers that have better automation of the process.

I started out on a Friday, while my boss was at a conference, which was one of my first mistakes. It is far quicker to have everyone that needs to be involved ready to take on any tasks that come up. But none the less, we needed to start the process and I was not wanting to wait an extra day. So I worked with our business manager who has the credit card info and a copy of the Articles of Incorporation. I started the account and added the payment details, and uploaded the Articles of Incorporation. Part of the setup process we are asked what our DUNS number is as well. This is to prove that we are a legitimate company.

Once I added those details, our account went into a Pending status while SSL.COM researched our company. After a couple hours, we received an email asking us to confirm our identity by responding to a phone call from them. Turns out that our DUNS information had my bosses cell phone number, so I needed to get ahold of him in the conference to be ready to respond. He did not have his laptop with him, so it was a little difficult for him to respond and not interfere with others at the conference. So thus I had to wait until he returned that afternoon.

Once he arrived, we attempted to click the link to start the call process. However, after two tries we realized that the automated call system may have not liked the phone number, as it was a Google Voice number that we were using. For all I know, it was Google that was blocking the access. Thankfully, the call back process offered an SMS solution, so we requested a verification code via SMS, which worked perfectly. We were able to verify our phone number that was on our DUNS report.

So now it is about 5-6 days later, and we were still awaiting in a PENDING Verification status for our certificate. We really was only waiting about 2-3 days, as part of this was over a weekend and a US holiday, and SSL.COM is in Texas and about 1-2 hrs behind us. But I did not want to wait around for them to get us approved, so I figured I would use their online Chat feature on the website to see what I should expect for a turn around time. The agent asked me to hold a minute while they reviewed my account, and after about 5 minutes sent me an email link to start the certificate download process! I have seen reviews of some of these companies where people say it could take a month to get your certificate. I really think it was that I did not want to sit around and went ahead and reached out to them that sped the process up. For all I know I probably could have had the certificate a couple days ago if I just contacted them sooner.

I have sent the certificate to our Developer so they can sign the Windows application and installer. My understanding is that it worked well for him, but I have yet to test on a few other non developer machines to be sure.

I will follow up when I have more details on how easy it was for the developer to sign the Windows version and see if I can get details on how he added to the CI process so the signatures will be automated when we have new builds.

Resources

Here is a list of articles and information I gathered while researching. This is in NO particular order.

Certificate Authorities

NOTE: pricing below is as of Feb 2020 and subject to change per vendor

• Mac Developer Program – $99/yr includes certificate
• https://www.sslshopper.com/certificate-authority-reviews.html
• https://www.comodoca.com/code-signing
  • $166/yr – standard
  • $299/yr – ev
• https://www.digicert.com/code-signing/ – aka, norton, symantec, verisign, thawte
  • $474/yr – standard
  • $664/yr – ev
• https://www.ssl.com/certificates/code-signing/
  • $129/yr – standard
  • $349/yr – ev
• https://www.globalsign.com/en/code-signing-certificate/java/
  • $289/yr – standard
  • $410/yr – ev
• godaddy – poor reviews
  • $199.99/yr – standard
• Letsencrypt – internet sites only (no code signing certs)
  • Free
• https://sectigo.com/signing-certificates/code-signing
  • $166/yr – standard
  • $299/yr – ev

Installer Notes

• https://centerkey.com/mac/java/ – using javapackager to create basic installer
• http://launch4j.sourceforge.net/ – what our developer was currently using
• https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html – about mac CodeSigning
  • need to find out, based on text form this site, we can use any certificate to sign, not just a apple developer id
• https://stackoverflow.com/a/16661319 – brief summary of ssl certs for cross platform code from user asking
• https://www.digicert.com/code-signing/java-code-signing-guide.htm – how to sign a jar file with jarsigner
• https://www.digicert.com/code-signing/signcode-signtool-command-line.htm – windows code signing
• https://www.oracle.com/technetwork/java/javase/documentation/digitalcerts-codesigning-4312830.html – very good info on certificates and background
• https://www.sslshopper.com/java-code-signing-certificates.html – java code signing certificates
• https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537361(v=vs.85)?redirectedfrom=MSDN
  • microsoft intro to code signing
• https://stackoverflow.com/questions/43855984/can-i-use-my-apple-developer-id-signing-certificate-on-a-windows-7-machine
  • not sure validity, but seems may be able to use apple devId cert to sign windows app
• https://stackoverflow.com/questions/12468783/code-sign-windows-programs-with-apple-certificate
  • says more along line that apple certificates are not recognized as a root in windows machines. apple uses a third party certificate to sign iTunes on Windows. (as of 2016 time frame at least )
• https://stackoverflow.com/questions/10592638/using-existing-ca-issued-cert-to-sign-os-x-application-and-keep-gatekeeper-happy
  • if we want to pass apple Gatekeeper, then need the devId cert. otherwise user still gets warning, but at least they can see our certificate we use from a third party
• https://stackoverflow.com/questions/11833481/non-apple-issued-code-signing-certificate-can-it-work-with-mac-os-10-8-gatekeep
  • after reading this. summary. buy a comodo cert for windows, and a devId for apple. you can try the comodo for apple and even though you can sign, the app will still not pass gatekeeper.
• https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000zFJw
  • sign jar in windows
• https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000zFK7
  • signing jar win/mac
• https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000zFJv
  • verify code sign cert installed on mac