ADT error with comodo code signing certificate

Similar Messages

• Signing a package with .pfx code signing certificate

  Hi,
  I've got a code signing certificate (.pfx) from GlobalSign and tried to sign my extension package.
  I used the ZXPSignCmd tool and got the following response:
  Unable to build a valid certificate chain. Please make sure that all certificates are included in the certificate file.
  The necessary certificate chain is installed on my system (Windows 7):
  My code signing certificate,
  the certificate from GlobalSign the signed my certificate
  and the GlobalSign root certificate that signed it.
  The OpenSSL info output for the certificate looks fine too:
  MAC Iteration 2000
  MAC verified OK
  PKCS7 Data
  Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
  PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
  Certificate bag
  Certificate bag
  Certificate bag
  On the other hand signing other files with the Windows SDK Signtool works and results in a correct certificate chain (visible in the file's details).
  Any idea what I might be doing wrong?
  Regards
  Philipp

  Hi Philipp,
  No, it doesn't matter - using Certificate Manager should also have worked.
  I don't think the issue is that the wrong root certificate has been chosen, otherwise we'd be seeing a different error. In the PEM file you exported, I would expect to see several certificate sections, each starting with BEGIN CERTIFICATE and ending with END CERTIFICATE. Just above each certificate's "BEGIN CERTIFICATE" line should be "subject" and "issuer" - the last certificate (at the bottom of the PEM file), should have your personal certificate name as the subject. Then, working upwards, each certificate should have an "issuer" which matches the "subject" of the certificate above it.
  The first certificate in the PEM file should have the same value for "subject" and "issuer" - identifying the certificate authority's root certificate.
  Also in the PEM file I'd expect to see a section "BEGIN RSA PRIVATE KEY"...."END RSA PRIVATE KEY".
  Does this all match what you're seeing?
  Assuming your PEM file looks OK, you could try using OpenSSL to convert it to PKCS12 format, using the command:
  openssl pkcs12 –export –in my_pem_file.pem –out my_pkcs12_file.p12
  Also, please ensure that you're using only ASCII characters in your P12 password, just in case that's causing problems.
  Best regards,
  Fraser

• What code signing certificate has to be added for Adobe Air Native Installer?

  Hi,
  I'm developing Adobe Air application. I need to digitally verify the application to add the publisher's name with the product. I did a little research and came to know that Symantec, Thawte, Comodo, Comodo-Tucows, Digicert, Godaddy and couple of others are doing this.
  Yes. I'm talking about the Code Signing Certificate. My question is, What code signing certificate has to be added for Adobe Air Native Installer? The reason is, The native installer will have an extension .exe ( Windows ) and .dmg ( MAC OS X ).
  These guys are providing certificate for Adobe Air. For instance, If the application is exported using Native Installer in Windows, The application will have an .exe extension. For this, Can I use the same Adobe Air code signing certificate or Should I go for Microsoft Autheticode ( for .exe ) certificate?
  Thanks in advance.

  I think comodo code signing certificate is one of the nice option to be added for Adobe Air, as i have seen comodo code signing certificate in other adobe programs. Recently i bought comodo code signing from https://cheapsslsecurity.com/comodo/codesigningcertificate.html, to sign one of my adobe application and it works fine, you can use microsoft authenticode technology with comodo code signing.

• Using a Code Signing Certificate for download on Azure

  Currently, I have a hosted web application and Web API on a VM that I use to allow users to download an executable file that is signed with a Code Signing certificate. My question is how would I do the same thing with a Web Role or Cloud Service?  The
  goal is to move to PAAS in Azure with our web application.
  Thanks for any help in advance.

  I appreciate the link to the article, but I don't need an SSL certificate, I need a code signing certificate.  I'm afraid this post does not help me at all.  What I need is a certificate to sign my downloadable applications with.  I have
  an .exe file that users can download, and I need those people to know my code can be trusted, which is why I need the code signing certificate.  My problem is how do I utilize this with a Web Role or Cloud Service?

• Java security error after 8u31 (Timestamped Jarsigned Applet within valid period of Code Signing certificate)

  Hello,
    I have an applet running in embeddad systems. This program runs without any problem since 8u31 update! After this update it starts to give java security warning and stops running.
  Here is the warning message:
    "Your security settings have blocked an application signed with an expired or not-yet-valid certificate from running"
  What it says is true; my Code Signing Certificate (CSC) is valid between 24 Jan 2014 and 25 Jan 2015. And it expired! However, while i was signing my applet with this certificate i used "timestamp". The authority i choosed was DigiCert. My signing date was 26 Jan 2014 (when my CSC was valid).
  When i started to have this Java Security Error, first i thought i mis-timestamped my code, and check by using the jarsigner -verify command. Here is a partial result:
  s      19607 Mon Jan 27 13:17:34 EET 2014 META-INF/MANIFEST.MF
        [entry was signed on 27.01.2014 13:19]
        X.509, CN=TELESIS TELECOMMUNICATION SYSTEMS, OU=ARGE, O=TELESIS TELECOMMUNICATION SYSTEMS, STREET=TURGUT OZAL BLV.NO:68, L=ANKARA, ST=ANKARA, OID.2.5.4.17=06060, C=TR
        [certificate is valid from 24.01.2014 02:00 to 25.01.2015 01:59]
        X.509, CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
        [certificate is valid from 24.08.2011 03:00 to 30.05.2020 13:48]
        X.509, CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
        [certificate is valid from 07.06.2005 11:09 to 30.05.2020 13:48]
        X.509, CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
        [certificate is valid from 30.05.2000 13:48 to 30.05.2020 13:48]
  sm       495 Thu Jan 23 14:55:22 EET 2014 telesis/WebPhone$1.class
  As you may see the timestamp was correctly done. And it is in the valid period of CSC.
  Than i started to check how Java confirms the Certificate, and found some flowcharts.
  Here is an example from DigiCert:
  Code Signature Verification Process
  After the Web browser downloads the Applet or Web Start application, it checks for a timestamp, authenticates the publisher and Certificate Authority (CA), and checks to see if the code has been altered/corrupted.
  The timestamp is used to identify the validation period for the code signature. If a timestamp is discovered, then the code signature is valid until the end of time, as long as the code remains unchanged. If a timestamp is not discovered, then the code signature is valid as long as the code remains unchanged but only until the Code Signing Certificate expires. The signature is used to authenticate the publisher and the CA, and as long as the publisher (author or developer) has not been blacklisted, the code signature is valid. Finally, the code is checked to make sure that it has not been changed or corrupted.
  If the timestamp (or Code Signature Certificate expiration date) is verified, the signature is validated, and the code is unchanged, then the Web browser admits the Applet or Web Start application. If any of these items do not check out, then the Web browser acts accordingly, with actions dependent on its level of security.
  So according to this scheme, my applet had to work properly, and without security warning.
  However i also found that from Oracle, which also includes the timestamping authorities Certification validity period??? :
  The optional timestamping provides a notary-like capability of identifying
  when the signature was applied.
      If a certificate passes its natural expiration date without revocation,
  trust is extended for the length of the timestamp.
      Timestamps are not considered for certificates that have been revoked,
  as the actual date of compromise could have been before the timestamp
  occurred.
  source:  https://blogs.oracle.com/java-platform-group/entry/signing_code_for_the_long
  So, could anyone please explain why Java gives security error when someone tries to reach that applet?
  Here is a link of applet: http://85.105.68.11/home.asp?dd_056
  I know the situation seems a bit complicated, but i tried to explain as simple as i can.
  waiting for your help,
  regards,
  Anıl

  Hello,
    I have an applet running in embeddad systems. This program runs without any problem since 8u31 update! After this update it starts to give java security warning and stops running.
  Here is the warning message:
    "Your security settings have blocked an application signed with an expired or not-yet-valid certificate from running"
  What it says is true; my Code Signing Certificate (CSC) is valid between 24 Jan 2014 and 25 Jan 2015. And it expired! However, while i was signing my applet with this certificate i used "timestamp". The authority i choosed was DigiCert. My signing date was 26 Jan 2014 (when my CSC was valid).
  When i started to have this Java Security Error, first i thought i mis-timestamped my code, and check by using the jarsigner -verify command. Here is a partial result:
  s      19607 Mon Jan 27 13:17:34 EET 2014 META-INF/MANIFEST.MF
        [entry was signed on 27.01.2014 13:19]
        X.509, CN=TELESIS TELECOMMUNICATION SYSTEMS, OU=ARGE, O=TELESIS TELECOMMUNICATION SYSTEMS, STREET=TURGUT OZAL BLV.NO:68, L=ANKARA, ST=ANKARA, OID.2.5.4.17=06060, C=TR
        [certificate is valid from 24.01.2014 02:00 to 25.01.2015 01:59]
        X.509, CN=COMODO Code Signing CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
        [certificate is valid from 24.08.2011 03:00 to 30.05.2020 13:48]
        X.509, CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
        [certificate is valid from 07.06.2005 11:09 to 30.05.2020 13:48]
        X.509, CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
        [certificate is valid from 30.05.2000 13:48 to 30.05.2020 13:48]
  sm       495 Thu Jan 23 14:55:22 EET 2014 telesis/WebPhone$1.class
  As you may see the timestamp was correctly done. And it is in the valid period of CSC.
  Than i started to check how Java confirms the Certificate, and found some flowcharts.
  Here is an example from DigiCert:
  Code Signature Verification Process
  After the Web browser downloads the Applet or Web Start application, it checks for a timestamp, authenticates the publisher and Certificate Authority (CA), and checks to see if the code has been altered/corrupted.
  The timestamp is used to identify the validation period for the code signature. If a timestamp is discovered, then the code signature is valid until the end of time, as long as the code remains unchanged. If a timestamp is not discovered, then the code signature is valid as long as the code remains unchanged but only until the Code Signing Certificate expires. The signature is used to authenticate the publisher and the CA, and as long as the publisher (author or developer) has not been blacklisted, the code signature is valid. Finally, the code is checked to make sure that it has not been changed or corrupted.
  If the timestamp (or Code Signature Certificate expiration date) is verified, the signature is validated, and the code is unchanged, then the Web browser admits the Applet or Web Start application. If any of these items do not check out, then the Web browser acts accordingly, with actions dependent on its level of security.
  So according to this scheme, my applet had to work properly, and without security warning.
  However i also found that from Oracle, which also includes the timestamping authorities Certification validity period??? :
  The optional timestamping provides a notary-like capability of identifying
  when the signature was applied.
      If a certificate passes its natural expiration date without revocation,
  trust is extended for the length of the timestamp.
      Timestamps are not considered for certificates that have been revoked,
  as the actual date of compromise could have been before the timestamp
  occurred.
  source:  https://blogs.oracle.com/java-platform-group/entry/signing_code_for_the_long
  So, could anyone please explain why Java gives security error when someone tries to reach that applet?
  Here is a link of applet: http://85.105.68.11/home.asp?dd_056
  I know the situation seems a bit complicated, but i tried to explain as simple as i can.
  waiting for your help,
  regards,
  Anıl

• Error with Java WebStart Signed Jars on 1.6.0_19's new Mixed  Code

  All,
  First, we have a valid code signing certificate/keystore from Thawte that works for signing webstart jars as of update 18. For some reason, if you run our webstart application on update 19 JRE, the runtime believes that some of the jars are not signed and some are. Even though we create and sign the jars in the exact same way and after inspecting the jar the JRE believes are not signed they have the necessary signing entries/files in the manifest folder. Not sure why the signing process would work for some of our jars and not for others. There is nothing really all that different.
  So, because the JRE believes some of the jars are not signed the new security warning "...contains both signed and unsigned code." pops up ( [Error Description|http://java.com/en/download/help/error_mixedcode.xml] ). If I press yes, then I get the following exception.
  java.lang.SecurityException: trusted loader attempted to load sandboxed resource from https://path-to-our.jar
       at com.sun.deploy.security.CPCallbackHandler$ParentCallback.check(Unknown Source)
       at com.sun.deploy.security.CPCallbackHandler$ParentCallback.access$1400(Unknown Source)
       at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
       at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
       at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
       at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at java.net.URLClassLoader.findClass(Unknown Source)
       at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at main.JwsMain.main(JwsMain.java:32)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
       at java.lang.reflect.Method.invoke(Unknown Source)
       at com.sun.javaws.Launcher.executeApplication(Unknown Source)
       at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
       at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
       at com.sun.javaws.Launcher.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)If I press "no" I get the following exception (I get this exception if I try to run our WebStart application with no signed jars as well, no warnings about missing certs, just straight to error)
  java.lang.NullPointerException
       at com.sun.deploy.cache.CachedJarFile.findMatchingSignerIndices(Unknown Source)
       at com.sun.deploy.cache.CachedJarFile.entryNames(Unknown Source)
       at com.sun.deploy.cache.DeployCacheJarAccessImpl.entryNames(Unknown Source)
       at com.sun.deploy.security.CPCallbackHandler.assertTrust(Unknown Source)
       at com.sun.deploy.security.CPCallbackHandler.access$700(Unknown Source)
       at com.sun.deploy.security.CPCallbackHandler$ParentCallback.check(Unknown Source)
       at com.sun.deploy.security.CPCallbackHandler$ParentCallback.access$1400(Unknown Source)
       at com.sun.deploy.security.CPCallbackHandler$ChildElement.checkResource(Unknown Source)
       at com.sun.deploy.security.DeployURLClassPath$JarLoader.checkResource(Unknown Source)
       at com.sun.deploy.security.DeployURLClassPath$JarLoader.getResource(Unknown Source)
       at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source)
       at java.net.URLClassLoader$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at java.net.URLClassLoader.findClass(Unknown Source)
       at com.sun.jnlp.JNLPClassLoader.findClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at java.lang.ClassLoader.loadClass(Unknown Source)
       at main.JwsMain.main(JwsMain.java:32)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
       at java.lang.reflect.Method.invoke(Unknown Source)
       at com.sun.javaws.Launcher.executeApplication(Unknown Source)
       at com.sun.javaws.Launcher.executeMainClass(Unknown Source)
       at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
       at com.sun.javaws.Launcher.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)Does anyone know why this would be happening? It only occurs with the new update. We use the same keystore and process for signing all of our jars so it really doesn't make since why some of them work and some of them don't. Also, our JNLP is correct or it wouldn't work in update 18.
  Edit: We've tried it on Windows XP SP3 and compiled the code using update 18 and used jarsigner both from 18 and 19 with same results.
  Edited by: chenthor on Apr 1, 2010 8:44 AM
  Edited by: chenthor on Apr 1, 2010 8:51 AM

  Hi All,
  So we've been battling this bug for a year or so now, and I've come up with a solution to the webstart bugs
  http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6967414
  http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6805618
  (see the bugs for more details)
  From what we can tell the bug stems from the way that the jar signers information is "cached" by webstart.
  When a jar is loaded by webstart, it is represented by a CachedJarFile instance. When loading and using classes the signature for the jar is verified. The signers used is the one that is stored in the CachedJarFile instances. These "signers" are stored as SoftReferences. SoftReferences are like WeakReferences, except that they only become eligible for garbage collection when there is a small amount of available heaps space remaining and that the object is only softly reachable. (That's a pretty crude description, but it will do for now)
  So what we found was happening is that when the JVM reached a certain heap size threshold and needed to allocate more heap, that these soft references (and hence the signers information) werebeing garbage collected. if you attempt to load a class after this you get the security error.
  So I came up with a hack to work around this. At application startup, iterate through all of the CachedJarFile objects on the classpath and create a hard reference to each of the signers info by putting them in a static list somewhere. From our tests this seems to work. (though with the intermittent nature of the problem, it has been hard to prove conclusively, though we've had some success repro-ing the issue, by reducing the intial heap size and using VisualVM to watch for heap expansions and forcing gc's)
  Below is the code for the hack, to run it just call JarSignersHardLinker.go() and it will do some sanity checks (running on webstart on java 1.6 update 19 or higher) before spawning a new thread to create hard refs for all signers info for all jars on the classpath.
  import java.io.IOException;
  import java.lang.ref.SoftReference;
  import java.lang.reflect.Field;
  import java.lang.reflect.InvocationTargetException;
  import java.lang.reflect.Method;
  import java.net.JarURLConnection;
  import java.net.URL;
  import java.net.URLConnection;
  import java.util.ArrayList;
  import java.util.Enumeration;
  import java.util.LinkedHashSet;
  import java.util.List;
  import java.util.Set;
  import java.util.jar.JarFile;
  * A utility class for working around the java webstart jar signing/security bug
  * see http://bugs.sun.com/view_bug.do?bug_id=6967414 and http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6805618
  * @author Scott Chan
  public class JarSignersHardLinker {
      private static final String JRE_1_6_0 = "1.6.0_";
       * the 1.6.0 update where this problem first occurred
      private static final int PROBLEM_JRE_UPDATE = 19;
      public static final List sm_hardRefs = new ArrayList();
      protected static void makeHardSignersRef(JarFile jar) throws java.io.IOException {
          System.out.println("Making hard refs for: " + jar );
          if(jar != null && jar.getClass().getName().equals("com.sun.deploy.cache.CachedJarFile")) {
               //lets attempt to get at the each of the soft links.
               //first neet to call the relevant no-arg method to ensure that the soft ref is populated
               //then we access the private member, resolve the softlink and throw it in a static list.
              callNoArgMethod("getSigners", jar);
              makeHardLink("signersRef", jar);
              callNoArgMethod("getSignerMap", jar);
              makeHardLink("signerMapRef", jar);
  //            callNoArgMethod("getCodeSources", jar);
  //            makeHardLink("codeSourcesRef", jar);
              callNoArgMethod("getCodeSourceCache", jar);
              makeHardLink("codeSourceCacheRef", jar);
       * if the specified field for the given instance is a Softreference
       * That soft reference is resolved and the returned ref is stored in a static list,
       * making it a hard link that should never be garbage collected
       * @param fieldName
       * @param instance
      private static void makeHardLink(String fieldName, Object instance) {
          System.out.println("attempting hard ref to " + instance.getClass().getName() + "." + fieldName);
          try {
              Field signersRef = instance.getClass().getDeclaredField(fieldName);
              signersRef.setAccessible(true);
              Object o = signersRef.get(instance);
              if(o instanceof SoftReference) {
                  SoftReference r = (SoftReference) o;
                  Object o2 = r.get();
                  sm_hardRefs.add(o2);
              } else {
                  System.out.println("noooo!");
          } catch (NoSuchFieldException e) {
              e.printStackTrace();
              return;
          } catch (IllegalAccessException e) {
              e.printStackTrace();
       * Call the given no-arg method on the given instance
       * @param methodName
       * @param instance
      private static void callNoArgMethod(String methodName, Object instance) {
          System.out.println("calling noarg method hard ref to " + instance.getClass().getName() + "." + methodName + "()");
          try {
              Method m = instance.getClass().getDeclaredMethod(methodName);
              m.setAccessible(true);
              m.invoke(instance);
          } catch (SecurityException e1) {
              e1.printStackTrace();
          } catch (NoSuchMethodException e1) {
              e1.printStackTrace();
          } catch (IllegalArgumentException e) {
              e.printStackTrace();
          } catch (IllegalAccessException e) {
              e.printStackTrace();
          } catch (InvocationTargetException e) {
              e.printStackTrace();
       * is the preloader enabled. ie: will the preloader run in the current environment
       * @return
      public static boolean isHardLinkerEnabled() {
           boolean isHardLinkerDisabled = false;  //change this to use whatever mechanism you use to enable or disable the preloader
          return !isHardLinkerDisabled && isRunningOnJre1_6_0_19OrHigher() && isRunningOnWebstart();
       * is the application currently running on webstart
       * detect the presence of a JNLPclassloader
       * @return
      public static boolean isRunningOnWebstart() {
          ClassLoader cl = Thread.currentThread().getContextClassLoader();
          while(cl != null) {
              if(cl.getClass().getName().equals("com.sun.jnlp.JNLPClassLoader")) {
                  return true;
              cl = cl.getParent();
          return false;
       * Is the JRE 1.6.0_19 or higher?
       * @return
      public static boolean isRunningOnJre1_6_0_19OrHigher() {
          String javaVersion = System.getProperty("java.version");
          if(javaVersion.startsWith(JRE_1_6_0)) {
              //then lets figure out what update we are on
              String updateStr = javaVersion.substring(JRE_1_6_0.length());
              try {
                  return Integer.parseInt(updateStr) >= PROBLEM_JRE_UPDATE;
              } catch (NumberFormatException e) {
                  //then unable to determine updatedate level
                  return false;
          //all other cases
          return false;
        * get all the JarFile objects for all of the jars in the classpath
        * @return
       public static Set<JarFile> getAllJarsFilesInClassPath() {
            Set<JarFile> jars = new LinkedHashSet<JarFile> ();
           for (URL url : getAllJarUrls()) {
               try {
                   jars.add(getJarFile(url));
               } catch(IOException e) {
                    System.out.println("unable to retrieve jar at URL: " + url);
           return jars;
       * Returns set of URLS for the jars in the classpath.
       * URLS will have the protocol of jar eg: jar:http://HOST/PATH/JARNAME.jar!/META-INF/MANIFEST.MF
      static Set<URL> getAllJarUrls() {
          try {
              Set<URL> urls = new LinkedHashSet<URL>();
              Enumeration<URL> mfUrls = Thread.currentThread().getContextClassLoader().getResources("META-INF/MANIFEST.MF");
              while(mfUrls.hasMoreElements()) {
                  URL jarUrl = mfUrls.nextElement();
  //                System.out.println(jarUrl);
                  if(!jarUrl.getProtocol().equals("jar")) continue;
                  urls.add(jarUrl);
              return urls;
          } catch(IOException e) {
              throw new RuntimeException(e);
       * get the jarFile object for the given url
       * @param jarUrl
       * @return
       * @throws IOException
      public static JarFile getJarFile(URL jarUrl) throws IOException {
          URLConnection urlConnnection = jarUrl.openConnection();
          if(urlConnnection instanceof JarURLConnection) {
              // Using a JarURLConnection will load the JAR from the cache when using Webstart 1.6
              // In Webstart 1.5, the URL will point to the cached JAR on the local filesystem
              JarURLConnection jcon = (JarURLConnection) urlConnnection;
              return jcon.getJarFile();
          } else {
              throw new AssertionError("Expected JarURLConnection");
       * Spawn a new thread to run through each jar in the classpath and create a hardlink
       * to the jars softly referenced signers infomation.
      public static void go() {
          if(!isHardLinkerEnabled()) {
              return;
          System.out.println("Starting Resource Preloader Hardlinker");
          Thread t = new Thread(new Runnable() {
              public void run() {
                  try {
                      Set<JarFile> jars = getAllJarsFilesInClassPath();
                      for (JarFile jar : jars) {
                          makeHardSignersRef(jar);
                  } catch (Exception e) {
                      System.out.println("Problem preloading resources");
                      e.printStackTrace();
                  } catch (Error e) {
                       System.out.println("Error preloading resources");
                       e.printStackTrace();
          t.start();
  }

• JWS gives 'failed to parse certificate' error for VALID code sign cert

  Hi,
  For my application, After downloading jar files from web server, JWS (1.2.0_02) gives a Security Warning asking user to trust the Signer.
  However, after clicking Start, it gives another Security Warning which says this:
  Warning: Failed to verify authenticity of this certificate because there was an error parsing the certificate. No assertions can be made of the origin or validity of the code. It is highly recommended not to install and run this code.
  STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
  Sign App jar files with a VALID code signing certificate from Thawte or Verisign (don't use DST or RSA or any other CA as JWS supports only Versign/Thawte root CA entries by default).
  Download the app using JNLP, and you will see this warning.
  EXPECTED -
  It should not give the second security warning. First one is fine as user has to trust the signer.
  There are no logs anywhere to find out what error it encountered parsing the certificate.
  The certificate as such is valid, it was verified with keytool, openSSL and various other tools.
  ACTUAL -
  After downloading an application from web server, JWS gives a Security Warning asking user to trust the Signer.
  However, after clicking Start, it gives another Security Warning which says this:
  Warning: Failed to verify authenticity of this certificate because there was an error parsing the certificate. No assertions can be made of the origin or validity of the code. It is highly recommended not to install and run this code.
  ERROR MESSAGES/STACK TRACES THAT OCCUR :
  Warning: Failed to verify authenticity of this certificate because there was an error parsing the certificate. No assertions can be made of the origin or validity of the code. It is highly recommended not to install and run this code.

  Hello,
  I had the same problem. Here are some additional things to check:
  - every jar in your app MUST be signed by ONE and ONLY ONE certificate.
  - every jar which is presigned should be checked on its own. I had a bad bcprov.jar which nearly drove me nuts. Maybe there are more such 'presigned' jars around.
  One recipe aside:
  Try halfing down the jars in your jnlp file further and further, until it runs again, then you'll probably find the jar which causes this. I would bet a specific jar.
  There's another Bug already known which makes JWS fail on checking the certs on jars with classes which have national characters (even Inner ones!). So you might be checking that, too.
  Hope that helps...
  Patric

• Cannot renew code signing certificate - maybe bug with german Umlaut?

  Hello!
  Since one month I expierence a message that I should renew my code signing certificate and today I thought it is time to stop this message.
  Because I could not find anything about renewing the certificate in Mountain Lion I used the KB-article that discribes the process for Lion.
  http://support.apple.com/kb/HT5358
  after that I get this in at my terminal:
  sudo /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin --recreate-CA-signed-certificate 'myserver.domain.de Signierungszertifikate für Code' 'IntermediateCA_MYSERVER.DOMAIN.DE_1' 7D3E2458
  when I press return I get this:
  /Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin Cannot find the certificate: myserver.domain.de Signierungszertifikate für Code
  I checked it again and again - I cannot find any typo or something like that - so maybe Mountain Lion wants to renew the certificate in a different way or certadmin cannot cope with german "Umlaute" - "für" - in english for - but I did not gave this name it was given by the system when I setup the server one year ago.
  Every hint is welcome, bye
  Christoph

  I am stupid - I read the KB article again and there it says
  "When entering the hexadecimal serial number, ensure that all letters are entered in lower case."
  I retyped the command with lower case hex numbers and everything was fine
  Bye,
  Christoph

• The name ("common name") of a valid code-signing certificate in a keychain within your keychain path.   A missing or invalid certificate will cause a build error.  [CODE_SIGN_IDENTITY]

  The name ("common name") of a valid code-signing certificate in a keychain within your keychain path.   A missing or invalid certificate will cause a build error.  [CODE_SIGN_IDENTITY]

  If you could ask a coherent question, maybe...
  Perhaps you should be posting in the developers forums...

• Adobe AIR 3 Performance Issues and Code Signing Certificate Problem

  I recently updated to Adobe AIR 3.0 SDK (and runtime) doing HTML/Javascript development using Dreamweaver CS5.5 in a Windows 7 Home Premium (64 bit).
  The AIR app I'm developing runs well from within Dreamweaver. But when I create/package the AIR app and install it on my machine:
  1. The app literally CRAWLS running it in my Windows 7 12G RAM machine (especially when I use the mouse to mouse over a 19-by-21 set of hyperlinks on a grid) --- IT IS THAT SLOOOOWWWW...
  2. The app runs fine in my Mac OS X 10.6.8 with 4G RAM, also using the Adobe AIR 3 runtime.
  About the Code Signing Certificate problem:
  When I try to package the AIR app with ADT using AIR's temporary certificate feature, I get the error message "Could not generate timestamp: handshake alert: unrecognized_name".
  I found some discussions on this problem in an Adobe AIR Google Groups forum, but no one has yet offered any resolution to the issue. Someone said Adobe is using the Geotrust timestamping service --- located at https://timestamp.geotrust.com/tsa --- but going to this page produces a "404 --- Page not found" error.
  The Google Groups Adobe AIR page is here:
  http://groups.google.com/group/air-tight/browse_thread/thread/17cd38d71a385587
  Any ideas about these issues?
  Thanks!
  Oscar

  I recently updated to Adobe AIR 3.0 SDK (and runtime) doing HTML/Javascript development using Dreamweaver CS5.5 in a Windows 7 Home Premium (64 bit).
  The AIR app I'm developing runs well from within Dreamweaver. But when I create/package the AIR app and install it on my machine:
  1. The app literally CRAWLS running it in my Windows 7 12G RAM machine (especially when I use the mouse to mouse over a 19-by-21 set of hyperlinks on a grid) --- IT IS THAT SLOOOOWWWW...
  2. The app runs fine in my Mac OS X 10.6.8 with 4G RAM, also using the Adobe AIR 3 runtime.
  About the Code Signing Certificate problem:
  When I try to package the AIR app with ADT using AIR's temporary certificate feature, I get the error message "Could not generate timestamp: handshake alert: unrecognized_name".
  I found some discussions on this problem in an Adobe AIR Google Groups forum, but no one has yet offered any resolution to the issue. Someone said Adobe is using the Geotrust timestamping service --- located at https://timestamp.geotrust.com/tsa --- but going to this page produces a "404 --- Page not found" error.
  The Google Groups Adobe AIR page is here:
  http://groups.google.com/group/air-tight/browse_thread/thread/17cd38d71a385587
  Any ideas about these issues?
  Thanks!
  Oscar

• Code Signing certificate expired

  Hello,
  I please need an information about SGDEE 4.1 login applet: it seems
  applet code signing certificate was expired on September 2, 2005.
  I have no problem (after I deleted all expired root certificates from
  local client repository) with Internet Explorer 6SP1, but Mozilla Firefox
  always prompt me a warning with this contents:
  Serial:     
  [62374265099632433790334794162326322759]
  Issuer:
  N=VeriSign Class 3 Code Signing 2001 CA,
  OU=Terms of use at https://www.verisign.com/rpa (c)01,
  OU=VeriSign Trust Network,
  O="VeriSign, Inc."
  Valid From: Wed Sep 01 02:00:00 CEST 2004,
  To: Fri Sep 02 01:59:59 CEST 2005
  Subject:
  CN="Tarantella, Inc.",
  OU=Digital ID Class 3 - Netscape Object Signing,
  O="Tarantella, Inc.",
  L=Santa Cruz,
  ST=California,
  C=US
  Thank you very much in advance,
  Best Regards,
  Valerio Morozzo

  I know this is an older post, but it helped me find out how to make the migration procedure for native installer. I tried it with self signed certificate created by ADT tool and everything went fine.
  But now, we obtained a commercial AIR signing certificate from Thawte and the process failes in step 3) ADT saying
  'Certificate in PATH_TO_P12 could not be used to sign setup.msi' on Windows.
  On mac, it says that signing native installer on OSX is not supported, so I skipped the signing option in step 3) and it worked fine.
  I can skip the signing option on Windows as well and the process succeeds, but running the installer on machines with previous versions of application results in "Installer mis-configured' error message - the same error as if the migration process was not applied.
  I already contacted Thawte if it is a certificate issue, reply from them was 'AIR certificate can only sign .air applications'. But when I build a native application directly from FlashBuilder and sign it with the Thawte certificate the whole process seem to succeed. The application can be installed on machines without previous version of the application. Those who already have the older version get the 'Installer mis-configured' error message.
  I want to mark out again, that the same process but with a self signed certificate created with ADT, is successfull and the application can be installer as an update on machines with older version of the app. So I assume the workflow is correct.
  Any ideas? Or somebody having the same issue?
  Thanks

• Code-signing Certificate Renew issue

  We recently renewed our Verisign code-signing certificate, only to discover that it breaks the auto-update process with the notorious error "This application cannot be installed because this installer has been mis-configured." We were able to make it work by using the ADT -migrate command. That is all well and wonderful. But there are two issues I see. First, there is a 180 day cut-off, beyond which users can no longer be updated. Then, when our certificate gets renewed again next year we might be stuck in a situation where we have to choose which users get to be updated and which are orphaned and are forced to uninstall/re-install.
  Furthermore, how much of this pain we have to live with becomes a function of how long a certificate we are willing to pay for. If we're a small company forking out the money for a 3 year certificate might be kind of painful. Why should this be a factor? Why is it not straight-forward to renew the same certificate and have installations back to the beginning of time be alright with it?
  It could be there is something about the renewal process that is not right. However, when I renewed my Verisign cert their process pretty much forced me to keep everything about the renewed cert the same as the original, otherwise it would not be a 'renewal'.
  If there is an arcane trick we are missing I would be most appreciate to know what it is. This should not be this difficult.
  Thanks
  Kevin

  Hi Kevin,
  I've asked around and learned that the process as you describe is "as designed".  However, there are stratigies for minimizing the downsides.
  For more information, please see the following documents:
  AIR 2.6 Extended Migration Signature Grace Periods
  Update Strategies for Changing Certificates
  Update Your Applications Regularly
  Code Singing in Adobe AIR
  Hope this helps,
  Chris

• How to use Java code signing certificate in oracle 11i

  Hello,
  I am try to configure java code signing certificate in 11.5.10.2 application. we got java sign certificate from verisgin. SA's imported the certificate and created alias XXX_XXX with password and passphrase.
  I am able to see the my certificate. keytool -list -v -keystore xxx_xxxx.jks -storepass Password.
  how do I use it. I am using Enhance Jar Signing for EBS DOC ID 1591073.1.
  could you please give me some advice on it?
  Thanks
  Prince

  Hussien,
  I find out apps keystore keypassword and storepassword, I imported the java code sign certificate. I generated Jar files through adadmin, but I am getting  warning error
  adogif() unable to generate Jar Filers under JAVA_TOP.
  executing /usr/jdk/jdk1.6.0_45/bin/java sun.security.tools.JarSigner keysotre **** -sigfile CUST Signer /apps/......
  Error JarSigner subcommand Exited With status 1.
  No standard output from jarsigner JarSigner error output: Exception in thread "main" java.lang.NoClassDefFoundError: sun/security/tools/JarSigner Caused by: java.lang.ClassNotFoundException: sun.security.tools.JarSigner         at java.net.URLClassLoader$1.run(URLClassLoader.java:202)         at java.security.AccessController.doPrivileged(Native Method)         at java.net.URLClassLoader.findClass(URLClassLoader.java:190)         at java.lang.ClassLoader.loadClass(ClassLoader.java:306)         at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)         at java.lang.ClassLoader.loadClass(ClassLoader.java:247) Could not find the main class: sun.security.tools.JarSigner.  Program will exit. WARNING: The following path(s), defined in /apps2/property/product/tst/appl/cz/11.5.0/java/make/czjar.dep as elements of the output:   oracle/apps/cz/runtime/tag WARNING: Copying cztag.lst from the old fndlist.jar ...   About to Analyze flmkbn.jar : Fri Nov 22 2013 10:45:51
  Please let me know if you have any idea. Thanks Prince

• Thawte code signing certificate problem

  Hi everyone!
  I wonder if someone here could help me out a little bit?
  I just received a code signing certificate from Thawte, but nobody mentioned that I should have enrolled it with Firefox (I have mac). So I used my default browser Safari. And now I can´t find any instructions how to change that certificate to a file that I can use in my Flex 3 when I export an AIR installer. All the instructions tell me to use Firefox, but it´s too late. I have to use same browser I have used earlier.
  I send this answer to Thawte too, but I´m not sure when they answer...

  Well, yes, apparently Keychain Access doesn't let you export the entire certificate chain.
  See http://forums.adobe.com/thread/234000 for a post on essentially the same issue.
  I haven't tried it, but maybe you can import the certificate into Firefox and then re-exported it with the entire certificate chain. Or do the same with the Java keytool utility. You could also set the ADT command line parameters to access the Mac Keychain directly, but then you couldn't use the built-in Flash/Flex Builder export. Those are the only options I can think of if you can't get help from Thawte.

• "Invalid Provisioning Profile. The provisioning profile included in the bundle {BUNDLENAME} [{BUNDLENAME}.app] is invalid. [Missing code-signing certificate.]" for brand new, vanilla Mac App

  In OS X Maverick's XCode, I created a brand new Mac > "Cocoa Application", with Core Data and Spotlight Importerl; about as vanilla a Cocoa application I could muster. 
  Under Preferences > Accounts, I signed in to my Mac Developer Account.
  In Targets > Identity, I set Signing to "Mac App Store", and was able to select my Mac Developer Account for "Team".
  I then went to Product > Clean, and then Product > Build for... > Running, and then Produt > Archive.
  In the Organizer, I select the resulting .app and click "Validate", and hit the Mac App Store radio, and hit "Next", and it's able to log into my Mac Developer Account.
  I select my Provisioning Profile in the dropdown, and click "Validate".
  It comes back with several errors:
  1 - "Invalid Provisioning Profile. The provisioning profile included in the bundle {BUNDLENAME} [{BUNDLENAME}.app] is invalid. [Missing code-signing certificate.] For more information, visit the Mac OS Developer Portal."
  2 - "The bundle identifier cannot be changed from the current value, '{DIFFERENT-BUNDLE-FROM-OTHER-PROJECT}'.  If you want to change your bundle identifier, you will need to create a new application in iTunes Connect.
  3 - Invalid Code Signing Entitlements.  The entitlements in your app bundle signature do not match the ones that are contained in the provision profile.  The bundle contains a key that is not included in the provisioning profile: 'com.apple.applications-identifier' in '{BUNDLENAME}.app/Contents/MacOS/{BUNDLENAME}'
  I was able to do the same process before, for a vanilla app, before Mavericks.  I'm not sure if this is a Mavericks error, or a fact that now I have multiple app projects.  Particularly odd is that DIFFERENT-BUNDLE-FROM-OTHER-PROJECT in error (2) is not the same bundle name as the current project's bundle.
  Would love any help you can provide!  Thank you!

  Seen this thread?
  New codesign behavior, --deep option 
  "Code signing has some interesting changes in Mavericks (that apparently haven't made it into the release notes yet...). Note that this is a change to the operating system, not to the devtools."