Guide: Code signing
JWrapper can sign your application's JAR files as well as the native applications themselves, on both Windows and Linux. JWrapper's signing process is entirely cross-platform, meaning you can sign Windows and OS X applications on different operating systems. This guide describes how to configure JWrapper to sign your applications.
Signing Windows Applications and Java Applets
You can sign your Windows application with any existing code signing certificate. JWrapper requires your certificate to be bundled together with your certificate authority's intermediate and root certificates in a Keystore. You can create a keystore, import certificates into it and manage it using the Java keytool utility.
Creating a KeyStore
Certificate authorities supply signing certificates in a variety of formats. Most issuing bodies also have specific instructions on how to construct a Keystore given their certificates. We suggest you consult your certificate authority for instructions on how to create a Keystore to use. Note that you should include the code signing certificate, along with any intermediate and root certificates required to create a complete certificate chain.
Configuring JWrapper
Use the following XML to configure JWrapper to sign applets and Windows applications:
<SignForWindowsAndApplet>
<KeyStore>path to your created keystore</KeyStore>
<KeyStoreType>JKS or PKCS12</KeyStoreType>
<Alias>the alias the certificates were imported under</Alias>
<Password>the keystore password</Password>
<KeyPassword>the key password</KeyPassword>
<WinTimestampURL>your certificate authority's timestamp URL</WinTimestampURL>
<AppletTimestampURL>your certificate authority's timestamp URL</AppletTimestampURL>
<JarSignerPath>path to JDK jarsigner utility</JarSignerPath>
<JarSignerPath>path to alternate JDK jarsigner utility (e.g. for a different OS)</JarSignerPath>
...
</SignForWindowsAndApplet>
Note that the timestamp URLs are optional, but recommended. Applications signed without a timestamp will only be deemed securely signed while the certificate is still valid. Once the certificate expires, the operating system will no longer verify the application as securely signed. A timestamp records that the signature was made while the certificate was valid, so a timestamped signature continues to verify after the certificate's expiry date.
JWrapper uses jarsigner to sign the jars prior to packing. You can supply one or more jarsigner paths and JWrapper will use the first path that exists on the build system. By specifying multiple jarsigner paths you can use a single build script to build on different systems.
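The two steps above (assembling a keystore with keytool, then pointing JWrapper at the first jarsigner that exists on the build host) can be scripted. The following is an added example, not part of JWrapper or the JDK: it imports a CA's root and intermediate certificates and a CA-supplied PKCS12 file into one JKS keystore, reports the certificate chain length stored under the signing alias, and picks a jarsigner the same way JWrapper does. The file names (root.cer, intermediate.cer, codesign.p12, signing.jks, app.jar), the alias codesign, the password changeit and the candidate jarsigner paths are all assumptions; substitute the values your CA and JDK give you.

```shell
#!/bin/sh
# Added example, not part of JWrapper or the JDK: assemble a JKS keystore for
# <SignForWindowsAndApplet> from the files a CA typically supplies, and check
# the result the way jarsigner will see it. File names, aliases and passwords
# are assumptions; substitute the ones your CA gives you.
set -e

# Print the first path in the argument list that exists, the rule JWrapper
# applies to multiple <JarSignerPath> entries. Returns 1 when none exists.
first_existing() {
    for candidate in "$@"; do
        if [ -e "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Extract the "Certificate chain length" value from `keytool -list -v` output
# read on stdin. A complete chain (leaf + intermediate + root) reports 3.
parse_chain_length() {
    sed -n 's/^Certificate chain length: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Import the CA's root and intermediate as trusted entries and the signing key
# pair from the CA-supplied PKCS12 file into one JKS keystore.
# Arguments: keystore, keystore password, root.cer, intermediate.cer,
#            signing.p12, p12 password
build_keystore() {
    ks=$1
    pass=$2
    root=$3
    inter=$4
    p12=$5
    p12pass=$6
    keytool -importcert -trustcacerts -noprompt -alias ca-root \
        -file "$root" -keystore "$ks" -storepass "$pass"
    keytool -importcert -trustcacerts -noprompt -alias ca-intermediate \
        -file "$inter" -keystore "$ks" -storepass "$pass"
    # Entries keep the alias they had in the .p12; that alias is what goes in
    # JWrapper's <Alias> element.
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$p12pass" \
        -destkeystore "$ks" -deststoretype JKS -deststorepass "$pass"
}

# Report the chain length stored under the signing alias. A value of 1 means
# the CA's .p12 carried only the leaf certificate and jarsigner will warn that
# the chain cannot be validated.
chain_length() {
    keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" | parse_chain_length
}

if [ "${1:-}" = build ]; then
    build_keystore signing.jks changeit root.cer intermediate.cer codesign.p12 changeit
    echo "chain length for alias codesign: $(chain_length signing.jks changeit codesign)"
    # Pick the jarsigner JWrapper would use on this build host (assumed paths)
    # and verify an already signed jar, treating warnings as errors.
    jarsigner=$(first_existing /usr/lib/jvm/default-java/bin/jarsigner \
        "C:/Program Files/Java/jdk/bin/jarsigner.exe")
    "$jarsigner" -verify -strict -certs app.jar
fi
```

Run it as `sh build-keystore.sh build`. If the reported chain length is less than 3, the CA's PKCS12 file did not carry the intermediate certificates and the keystore should be rebuilt following the CA's own instructions, otherwise jarsigner (and therefore JWrapper) will sign with an incomplete chain.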
Verifying Signature
A signed executable can be verified on Windows using Windows Explorer:
- In Windows Explorer locate the file whose signature you wish to verify.
- Right click on the file and select Properties.
- If the file contains a digital signature the resulting dialog will contain a Digital Signatures tab. Click on the tab to get more information about the signature.
- In the signature list, select the signature entry and press the Details button.
- Ensure that the executable is signed and that the signing information is all correct.
Signing OS X Applications
OS X applications need to be signed using an Apple supplied developer certificate in order to run without warnings. JWrapper uses a separate configuration block for OS X signing since the certificates are separate from the Windows and Applet code signing process.
Apple Developer Certificates
You will need an Apple developer subscription in order to sign OS X applications. You can create and manage your account via the Member Center:
http://developer.apple.com
Once logged in, switch to the Certificates, Identifiers & Profiles section of your account to download your developer certificate. Save the certificate of type Developer ID Application to disk.
To complete the certificate chain you will also require the Apple Inc. Root and Developer ID Intermediate certificates from here:
http://www.apple.com/certificateauthority
The certificates you need will be listed in the form:
Apple Root CA
Developer ID Certification Authority
Developer ID Application: ...
Creating a P12 Store
JWrapper requires a P12 certificate store that contains the root, intermediate and developer certificates. The easiest way to create a P12 store is to use the Keychain Access app on OS X:
- Install each of the three downloaded certificates by double clicking on them.
- Open Keychain Access.app
- Select the certificates: Developer ID Application, Developer ID Certification Authority and Apple Root CA.
- Select File -> Export Items
- Save to file with format Personal Information Exchange (.p12)
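Before handing the exported store to JWrapper it is worth confirming that all three certificates listed above actually made it into the .p12 file. The following is an added example, not JWrapper's or Apple's tooling: it lists the certificate subjects in a .p12 with OpenSSL and checks that a Developer ID Application certificate, the Developer ID Certification Authority and the Apple Root CA are all present. The file name DeveloperID.p12 and the password changeit are placeholders.

```shell
#!/bin/sh
# Added example, not JWrapper's or Apple's tooling: list the certificates in
# an exported .p12 with OpenSSL and check that the three entries JWrapper needs
# for <SignForMac> are present. File name and password are placeholders.
set -e

# Print the subject line of every certificate in the P12.
# $1 path to .p12, $2 store password. Returns 2 if openssl is not installed.
p12_subjects() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" | grep '^subject='
}

# Succeed only when the store holds a Developer ID Application certificate,
# the Developer ID Certification Authority and the Apple Root CA.
check_apple_chain() {
    subjects=$(p12_subjects "$1" "$2") || return $?
    for needle in 'Developer ID Application' \
                  'Developer ID Certification Authority' \
                  'Apple Root CA'; do
        if ! printf '%s\n' "$subjects" | grep -q "$needle"; then
            echo "missing from $1: $needle" >&2
            return 1
        fi
    done
    echo "$1 contains the full Developer ID chain"
}

if [ "${1:-}" = check ]; then
    check_apple_chain "${2:-DeveloperID.p12}" "${3:-changeit}"
fi
```

Run it as `sh check-p12.sh check DeveloperID.p12 'your password'`. Stores exported by older versions of Keychain Access may use legacy encryption that OpenSSL 3 refuses by default; if `openssl pkcs12` reports an unsupported algorithm, add `-legacy` to the openssl command in p12_subjects.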
Configuring JWrapper
Use the following XML to configure JWrapper to sign OS X applications:
<SignForMac>
<AppleRootCertificate>path to Apple Inc Root Certificate (.cer)</AppleRootCertificate>
<DeveloperIdCertificate>path to Developer ID Intermediate Certificate (.cer)</DeveloperIdCertificate>
<DeveloperIdP12>path to your created P12 store (.p12)</DeveloperIdP12>
<DeveloperIdAlias>your developer ID (typically 'developers name dev key')</DeveloperIdAlias>
<DeveloperIdPassword>your P12 store password</DeveloperIdPassword>
</SignForMac>
Verifying Signature
You can verify a signed .app bundle using the OS X codesign utility:
codesign -vvvv YourApp.app
or the spctl utility:
spctl -a -vvvv YourApp.app