Monday 27 January 2014

Saga to sign an eclipse plugin with a code cert

Signing an Eclipse Plugin with a code cert should be simple right?

Well this is probably one of those cases that maybe it is obvious for others with more knowledge on how java code signing works, but I've spend the good part of two days trying to sign an eclipse plugin, and finally I was able to get it to work.

I will start with the solution (as executed in OSX), and then talk about the problem:

1) MK (SI's tech guru), created the SecurityInnovationInc_.csr and SecurityInnovationInc_.key files using
openssl req -new -newkey rsa:2048 -nodes -out SecurityInnovationInc_.csr -keyout SecurityInnovationInc_.key -subj "/C=US/ST=Massachusetts/L=/O=Security Innovation Inc./CN=SecurityInnovationInc.”
2) MK then sent the  SecurityInnovationInc_.csr to Global Sign (as part of their Code-Signing cert service)

3) After a bit (I think about a day or so) MK received from Global Sign two files: intermediate.cer.txt and OS201311137236.cer.txt

4) MK then send me (via a protected channel) a zip with the following files

5) After:
             a) renaming the intermediate.cer.txt into intermediate.cer.txt  
             b) renaming OS201311137236.cer.txt into OS201311137236.cer and
             c) downloading the GlobalSign Root CA cert from here into GSRoot.cer, 

    I used the cat command to create the server-cert.txt file:
cat OS201311137236.cer intermediate1.cer GSRoot.cer > server-cert.txt 

6) With the server-cert.txt  I used openssl to create a PKCS12 keystore (server-cert.pkcs12) using:
openssl pkcs12 -export -inkey SecurityInnovationInc_.key -in server-cert.txt -out server-cert.pkcs12

7) At this stage I was able to verify the PKCS12 keystore (server-cert.pkcs12) using:
keytool -v -list -keystore server-cert.pkcs12  -storetype pkcs12

8) Next with the PKCS12 keystore (server-cert.pkcs12), I was able to create the Java keystore (server-cert.jks) , using:
keytool -importkeystore -srckeystore server-cert.pkcs12 -destkeystore server-cert.jks -srcstoretype pkcs12 -deststoretype JKS

 9) And finally sign the designer jars using:
jarsigner -keystore server-cert.jks artifacts.jar "1"

10) UPDATE: After I did this, the installation happened as expected on Kepler, but failed on Indigo, The reason is because Indigo doesn't support SHA256 which is what is used by default by Java 7 (v1.7.0_45-b18) version of JarSigner tool. The solution is to use use the -sigalg and -digestalg options to explicitly use SHA1 (the command bellow also uses the timestamp.dll  as TSA (Time Stamping Authority))
jarsigner -keystore server-cert.jks -tsa -digestalg SHA1 -sigalg SHA1withRSA content.jar "1" 

I hope this helps other who are faced with the same challenge.

So what was the problem?

First there is massive soup of keystores, Cert types and other Cert related 'things' in play here, with lots of names for the same thing (See the SSL Converter article for a nice list of 'possible conversions').

After much reading and mucking about, I think the root cause was the fact that MK didn't use the java's keytool to generate the Java keystore as described in Java CodeSigning JKS Method - Certificate Generation and Installation (he used OpenSSL).

This means that I when I tried to create the Java keystore as described in Java CodeSigning JKS Method - Certificate Generation and Installation , I didn't work because I wasn't able to import the private cert for SecurityInnovation_.crt.

Another problem was that I didn't have the GlobalSign root CA, which is needed to so that the verification chain works ok.

The solution (as described above) was to:
  • create a flat file with the 3 certs (OS201311137236.cer , intermediate1.cer and GSRoot.cer
  • use the flat file to create a PKCS12 keystore (server-cert.pkcs12)  
  • use the PKCS12 keystore  to create a Java keystore (server-cert.jks
  • use the Java keystore to sign the Eclipse plugin Jars 
Simple once we know how to :)

I went through a ton of different errors, and for reference here are the tabs I had opened when I finally was able to figure out the solution: