Regarding Code signing to my jar

Similar Messages

• How to use Java code signing certificate in oracle 11i

  Hello,
  I am try to configure java code signing certificate in 11.5.10.2 application. we got java sign certificate from verisgin. SA's imported the certificate and created alias XXX_XXX with password and passphrase.
  I am able to see the my certificate. keytool -list -v -keystore xxx_xxxx.jks -storepass Password.
  how do I use it. I am using Enhance Jar Signing for EBS DOC ID 1591073.1.
  could you please give me some advice on it?
  Thanks
  Prince

  Hussien,
  I find out apps keystore keypassword and storepassword, I imported the java code sign certificate. I generated Jar files through adadmin, but I am getting  warning error
  adogif() unable to generate Jar Filers under JAVA_TOP.
  executing /usr/jdk/jdk1.6.0_45/bin/java sun.security.tools.JarSigner keysotre **** -sigfile CUST Signer /apps/......
  Error JarSigner subcommand Exited With status 1.
  No standard output from jarsigner JarSigner error output: Exception in thread "main" java.lang.NoClassDefFoundError: sun/security/tools/JarSigner Caused by: java.lang.ClassNotFoundException: sun.security.tools.JarSigner         at java.net.URLClassLoader$1.run(URLClassLoader.java:202)         at java.security.AccessController.doPrivileged(Native Method)         at java.net.URLClassLoader.findClass(URLClassLoader.java:190)         at java.lang.ClassLoader.loadClass(ClassLoader.java:306)         at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)         at java.lang.ClassLoader.loadClass(ClassLoader.java:247) Could not find the main class: sun.security.tools.JarSigner.  Program will exit. WARNING: The following path(s), defined in /apps2/property/product/tst/appl/cz/11.5.0/java/make/czjar.dep as elements of the output:   oracle/apps/cz/runtime/tag WARNING: Copying cztag.lst from the old fndlist.jar ...   About to Analyze flmkbn.jar : Fri Nov 22 2013 10:45:51
  Please let me know if you have any idea. Thanks Prince

• Could not verify signing in patched jar

  I have encountered a strange bug in JWS verification of the signing of a resource updated via a jardiff patch.
  We have a jar resource where the only change is the contents of a text file, and when the webstart client downloads the patch created by the jnlp-servlet, it reports:
  Could not verify signing in resource: (http://oas-psolis-test.health.wa.gov.au:9002/PSOLIS-SwingApp-TES/PSOLIS-GUI-graphics.jar, 1.2)
  The wrapped exception is:
  java.lang.SecurityException: SHA1 digest error for Themes/DESERT.properties
  at sun.security.util.ManifestEntryVerifier.verify(ManifestEntryVerifier.java:191)
  at java.util.jar.JarVerifier.processEntry(JarVerifier.java:207)
  at java.util.jar.JarVerifier.update(JarVerifier.java:194)
  at java.util.jar.JarVerifier$VerifierStream.read(JarVerifier.java:380)
  at com.sun.javaws.security.SigningInfo.checkSigning(Unknown Source)
  at com.sun.javaws.cache.DownloadProtocol$RetrieveAction.actionDownload(Unknown Source)
  at com.sun.javaws.cache.DownloadProtocol.doDownload(Unknown Source)
  at com.sun.javaws.cache.DownloadProtocol.getResource(Unknown Source)
  at com.sun.javaws.LaunchDownload.downloadJarFiles(Unknown Source)
  at com.sun.javaws.LaunchDownload.downloadEagerorAll(Unknown Source)
  at com.sun.javaws.Launcher.downloadResources(Unknown Source)
  at com.sun.javaws.Launcher.handleApplicationDesc(Unknown Source)
  at com.sun.javaws.Launcher.handleLaunchFile(Unknown Source)
  at com.sun.javaws.Launcher.run(Unknown Source)
  at java.lang.Thread.run(Thread.java:536)
  v1.2 is the new version of the jar in question (PSOLIS-GUI-graphics.jar). DESERT.properties is NOT the changed text file, but rather another text file which has not changed (ie: being used from the v1.1 previously downloaded).
  The patch jar contains an essentially empty index.jd file, with just the line:
  version 1.0
  As you can tell from the above, no resources have been renamed, just one text/properties file has different contents (so this is not immediately obviously <http://developer.java.sun.com/developer/bugParade/bugs/4474211.html> - but regarding 4474211, how does one enable the -nonminimal switch to jardiff from the JNLP servlet?).
  Nor is it obvious that this is an instance of bug 4739089 <http://developer.java.sun.com/developer/bugParade/bugs/4739089.html>
  As you would expect, the patch jar file also contains the modified text file, plus the manifest.mf and the signing data files.
  If I delete the webstart cache first the application downloads and runs fine (which proves there is nothing wrong with the signing in this jar). Another workaround is not to include the base/old version (v1.1) of the jar in the war.
  Both these workarounds are impractical - I can't get all the users to delete their webstart caches on each new version (of which we have many (both users and version releases)), and my build/deploy process automatically creates versioned jars (based on whether any source files have changed), I would need to modify my process to never provide diffs for this very large jar (and perhaps, any of my jars?), and hence lose jardiffing benefits altogether (I just spent a long time developing this build process to automate versioned jars for webstart!)
  These jar files are never altered once created, and the signing is the last stage of creating the jar files (though as I mentioned above, that the signatures are fine is demonstrated by both workarounds, it is only the patching which causes the issue).
  We have reproduced this problem using both JWS v1.4.1 clients and JWS v1.0.1 (from JRE v1.4.0) client - our users use the latter as they require support for Windows 95, sigh.
  While I have a copy of a v1.4.1 cache in a state from which I can reproduce the error, I haven't managed to get a case where I can clear the cache, deploy version A, download it, deploy version B and download it to reproduce the error. This means that I haven't got a process to setup a test of v1.4.2_02 of JWS.
  I am using the jnlp-servlet.jar from the "JNLP Developers Pack v1.2 FCS".
  Has anyone else encountered a similar problem, or know of a solution (which works with the 1.0.1 JWS client for long suffering 95 users)?
  An interesting side-note for OC4J standalone users - when oc4j expands the EAR (and its component WAR files) under the j2ee/home/applications directory, it does not clear out the old contents from any previous deployment of the same application (name) - I modified my deploy to not include previous jar versions, and yet the client was still patching - because the old jar file versions were left there by oc4j, joy!

  Even I am facing a similar kind of problem. When webstart is downloading JRE_1.4.2_02.jar, I am getting the following error the very time itself.
  java.lang.SecurityException: SHA1 digest error for jre.jar
       at sun.security.util.ManifestEntryVerifier.verify(Unknown Source)
       at java.util.jar.JarVerifier.processEntry(Unknown Source)
       at java.util.jar.JarVerifier.update(Unknown Source)
       at java.util.jar.JarVerifier$VerifierStream.read(Unknown Source)
       at com.sun.javaws.security.SigningInfo.checkSigning(Unknown Source)
       at com.sun.javaws.cache.DownloadProtocol$RetrieveAction.actionDownload(Unknown Source)
       at com.sun.javaws.cache.DownloadProtocol.doDownload(Unknown Source)
       at com.sun.javaws.cache.DownloadProtocol.getResource(Unknown Source)
       at com.sun.javaws.LaunchDownload.downloadJarFiles(Unknown Source)
       at com.sun.javaws.LaunchDownload.downloadEagerorAll(Unknown Source)
       at com.sun.javaws.Launcher.downloadResources(Unknown Source)
       at com.sun.javaws.Launcher.handleApplicationDesc(Unknown Source)
       at com.sun.javaws.Launcher.handleLaunchFile(Unknown Source)
       at com.sun.javaws.Launcher.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
  JRE_1.4.2_02.jar is a signed and verified jar that contains jre.jar. This is being downloaded on to the client for the first time. Webstart version used is 1.0.1. Can any tell me what may be the problem?

• Third party CA and SCUP code signing

  All of the documentation I have seen out there regarding using a code signing certificate with SCUP assumes you are using AD CS. My institution uses a 3rd party CA and I requested a code signing certificate from them (the file had no file name extension,
  FWIW). I imported it into the local computer certificate store (on SCUP server/CAS) and see four entries:
  The blocked out item is our company name.
  Here is what I have done:
  I have exported the one with our company name as as the .cer file for clients, and placed it in the Trusted Publishers and Trusted Root Certificate Authorities stores on the SCUP server/CAS.
  I have exported various combinations of the 4 to generate the *.pfx file and imported it into SCUP but it always gives me an error when I try to publish an update. I initially exported all 4 certificates to get my .pfx, then tried just the ones with the
  purpose of "code signing." In both cases I get an error stating "Signature verification exception during publish, verify the WSUS certificates and advanced timestamp setting are properly configured."
  I am not getting an option to export the private key no matter what combo I choose. This is the biggest red flag I am seeing.
  Does anyone have any experience in this scenario? I am at a loss at this point. The server is 2008 R2 and I know I could use a self-signed one but I thought I would do it the "right" way since it is no longer supported.

  It turns out that after the code signing certificate was downloaded, the private key was somehow lost or damaged or not associated with it in the first place. That is why I was not seeing the option to export the key. We needed to use certutil to repair
  the key association.
  I suspect this is because the request was made from a web form and handled by the 3rd party CA as opposed to being done with certreq. Am I off base?
  Anyway, running this command on the code signed certificate allowed me to export it as needed for SCUP:
  certutil -repairstore my "SerialNumberofCert"
  There are some how tos here:
  http://support.microsoft.com/kb/889651
  http://blogs.msmvps.com/ivansanders/2011/07/26/restoring-a-certificates-private-key-without-the-certreq/

• Code-signing

  We are having some issues with our C Sharp .NET 4 Application
  We are using Visual Studio 2010 to build a Click Once Installation
  In addition, we use our code-signing certificate (.pfx) to sign the package
  However when attempting to install the application it is blocked by
  Windows 8 Smart Screen with an “unknown Publisher” message.
  We sign our package twice once on the actual files and afterward
  The manifest is resigned.

  Hi Rene,
  >>“unknown Publisher” .
  Please check whether you sign file in the correct directory.
  Reference:
  http://stackoverflow.com/questions/10392201/clickonce-de-signs-our-executable-and-says-unknown-publisher?rq=1
  A document shared us the detailed steps for "Certificate Expiration in ClickOnce Deployment".
  http://msdn.microsoft.com/en-us/library/ff369721.aspx
  In addition, since this issue is related to the Clickonce, I suggest you post a new case in this forum:
  http://social.msdn.microsoft.com/Forums/windows/en-US/home?forum=winformssetup , and there you would get dedicated support.
  Best Regards,
  We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place. <br/> Click <a
  href="http://support.microsoft.com/common/survey.aspx?showpage=1&scid=sw%3Ben%3B3559&theme=tech"> HERE</a> to participate the survey.

• InCommon Code Signing Cert not working in Profile Manager

  We acquired a Code Signing Certificate from InCommon for signing profiles, and it doesn't want to work with Profile Manager.
  In the Certificates section we have our working SSL cert for the web server, and self-signed SSL and Code Signing certs.
  When I try to import the p7s file it lists four non-identity certificates and then says that it can't be used as a code signing certificate. 
  Has anyone ever managed to get an InCommon code signing cert to work with OSX Server?

  Hello,
  In RFC SAP-OSS, i maintained my S-user id and its password.
  As already told my router connectivity and   SAPOSS rfc working fine.
  regards
  Vinayag.K.C

• ERROR ITMS-9000: Missing Code Signing Entitlements when adding app to Apple App Store

  My client is getting the following error when sending my app (compiled in Flash Pro CC 2014 with AIR SDK 15.0.0.356) to the Apple app store:
  ERROR ITMS-9000: "Missing Code Signing Entitlements. No entitlements found in bundle
  'com.xxxxxx.xx.xxx' for excutable 'payload/xxxxx.app./xxxx'.""
  He is saying that I need to send them the entitlements file.
  I can't find out any information about this with regards to Adobe Air compiled iOS apps, apart from this old post:
  Adding iOS entitlements to AIR apps
  which states that 'the packager configures the entitlements file '
  Can anyone explain what might be missing here?
  Thanks,
  Alan.

  It looks as if this problem is solved by doing step 2 from here:
  http://dev.mlsdigital.net/posts/how-to-resign-an-ios-app-from-external-developers/
  It basically states that the client needs to produce the entitlements file and lists the following that the client will provide themselves:
  A “Mobile Provisioning Profile”
  An “Entitlements.plist”
  An “iOS Distribution Certificate”
  iReSign OS X app (or you could use command line)
  Hope this helps someone. We've run into quite a few problems trying to get the Flash Air compiled App to both enterprise and Apple Store as it can't come from us (the developers) it has to be signed and delivered from the client.

• No option in project info window for code signing Provising profile.

  Dear Developer forum,
  I have one issue wth my application regarding provisional Profile.
  I have installed Distribution certificate.After that I have entered all information regarding distribution provisional profile in program portal
  I have got provisional certificate from portal.I have installed it
  And I have also seen its entry in home/library/mobiledevices/.
  But Now problem is arising at place when I am opening my project or target info window on that time in BUild->code signing option, I have only code signing endity but no code signing provisioning profile.
  where I can give my distribution provising profile name
  So anybody tell me howz it come????
  Thanks

  Looking at this page:
  http://developer.apple.com/iphone/manage/distribution/index.action
  Make sure that you've done all the steps... "Generating a Certificate Signing Request", "Submitting a Certificate Signing Request for Approval", "Downloading and Installing iPhone Distribution Certificates", "Create and download your iphone distribution provisioning profile"...
  When I went through this process, I think I forgot to do the step "Downloading and Installing iPhone Distribution Certificates"... (skipping straight to "create and download your iphone disbritution profile") as a result the provisioning profile name wasn't appearing for me to select... When I completed that step, then the provisioning profile name appeared...
  Message was edited by: iphonemediaman

• Differences between SSL and Code-Signing Certificates

  Hello,
  I unsuccessfully tried to use a SSL - certificate for signing an applet (converting from X.509 to PKCS12 prior to signing) and learned, that SSL certificates and code-signing certificates are different things (after seeking the web for ours). Can somebody point out some source of information about this topic ? What are these differences ? Can I convert my SSL certificate into a code-signing certificate ?
  Things got even more confusing for me, since my first attempt with an wrongly converted SSL cetificate (I used my public and private key for conversion only, omitting the complete chain) at least worked partly: the certificate was accepted, but marked as coming from some untrustworthy organisation. After making a correct conversion (with the complete chain) the java plugin rejected the certificate completely ...
  Ulf

  yep, looks like it.
  keytool can be used with v3 x509 stores:
  Using keytool, it is possible to display, import, and export X.509 v1, v2, and v3 certificates stored as files, and to generate new self-signed v1 certificates. For examples, see the "EXAMPLES" section of the keytool documentation ( for Solaris ) ( for Windows ).
  jarsigner needs a keystore so I would assume public and private key pair.
  you could list the keys from your store:
  C:\temp>keytool -list -keystore serverkeys.key
  Enter keystore password: storepass
  Keystore type: jks
  Keystore provider: SUN
  Your keystore contains 2 entries
  client, Jul 5, 2005, trustedCertEntry,
  Certificate fingerprint (MD5): 13:50:77:64:94:36:2E:18:00:4B:90:65:D0:26:22:C8
  server, Jul 5, 2005, keyEntry,
  Certificate fingerprint (MD5): 20:90:49:6F:46:BA:AB:11:75:39:9F:6F:29:1F:AB:58
  The server is the private key, this can be used with jarsigner (alias option).
  C:\temp>jarsigner -keystore serverkeys.key -storepass storepass -keypass keypass
  -signedjar sTest.jar test.jar client
  jarsigner: Certificate chain not found for: client. client must reference a val
  id KeyStore key entry containing a private key and corresponding public key cert
  ificate chain.
  C:\temp>jarsigner -keystore serverkeys.key -storepass storepass -keypass keypass
  -signedjar sTest.jar test.jar server

• Code Signing certificate expired

  Hello,
  I please need an information about SGDEE 4.1 login applet: it seems
  applet code signing certificate was expired on September 2, 2005.
  I have no problem (after I deleted all expired root certificates from
  local client repository) with Internet Explorer 6SP1, but Mozilla Firefox
  always prompt me a warning with this contents:
  Serial:     
  [62374265099632433790334794162326322759]
  Issuer:
  N=VeriSign Class 3 Code Signing 2001 CA,
  OU=Terms of use at https://www.verisign.com/rpa (c)01,
  OU=VeriSign Trust Network,
  O="VeriSign, Inc."
  Valid From: Wed Sep 01 02:00:00 CEST 2004,
  To: Fri Sep 02 01:59:59 CEST 2005
  Subject:
  CN="Tarantella, Inc.",
  OU=Digital ID Class 3 - Netscape Object Signing,
  O="Tarantella, Inc.",
  L=Santa Cruz,
  ST=California,
  C=US
  Thank you very much in advance,
  Best Regards,
  Valerio Morozzo

  I know this is an older post, but it helped me find out how to make the migration procedure for native installer. I tried it with self signed certificate created by ADT tool and everything went fine.
  But now, we obtained a commercial AIR signing certificate from Thawte and the process failes in step 3) ADT saying
  'Certificate in PATH_TO_P12 could not be used to sign setup.msi' on Windows.
  On mac, it says that signing native installer on OSX is not supported, so I skipped the signing option in step 3) and it worked fine.
  I can skip the signing option on Windows as well and the process succeeds, but running the installer on machines with previous versions of application results in "Installer mis-configured' error message - the same error as if the migration process was not applied.
  I already contacted Thawte if it is a certificate issue, reply from them was 'AIR certificate can only sign .air applications'. But when I build a native application directly from FlashBuilder and sign it with the Thawte certificate the whole process seem to succeed. The application can be installed on machines without previous version of the application. Those who already have the older version get the 'Installer mis-configured' error message.
  I want to mark out again, that the same process but with a self signed certificate created with ADT, is successfull and the application can be installer as an update on machines with older version of the app. So I assume the workflow is correct.
  Any ideas? Or somebody having the same issue?
  Thanks

• Code Signing for MacOS 10.8+

  Anyone have a sample build setup for signing the .app file before creating the DMG? How to make this part of the build process?
  I have an Apple developer id, but wondering how to integrate signing in the JavaFX build process (native bundles)

  I have something like this which gives me a signed app bundle (.app). I then manually create a DMG using DMG Canvas.
  <?xml version="1.0" encoding="UTF-8" standalone="no"?>
  <project name="testMacOSXBuild"
                default="default"
             basedir="."
             xmlns:fx="javafx:com.sun.javafx.tools.ant">
      <target name="default">
       <fx:jar destfile="${dist.dir}/${out.jar}">
       </fx:jar>
       <fx:deploy width="${applet.width}"
                    height="${applet.height}"    
                    verbose="true">
       </fx:deploy>
           <!-- code signing. -->
           <exec executable="/bin/bash">
                <arg value="scripts/mac/code_sign.sh"/>
           </exec>
      </target>
  </project>

• Code signing cert error using Digicert - Unable to build a valid certificate chain for the signer

  Steps to fix this error on code signing adobe air using .p12 cert from Digicert - Unable to build a valid certificate chain for the signer
  a. Open Firefox and browse to https://www.digicert.com/digicert-root-certificates.htm
  b. On the middle of the page, download -
  DigiCert Assured ID Code Signing CA-1
  Valid until: 10/Feb/2026
  Serial #: 07:F4:73:6F:AF:EF:40:8A:1F:66:40:F2:65:D1:0A:C1
  Thumbprint: B170A10819BEA936905D719E643399783E1F4567
  Download
  c. Install the cert in Firefox
  d. Once done, export again the code signing cert from digicert, through (click Firefox -> Preferences -> View Certificates -> HIghlight the digicert code signing cert -> click Backup)
  e. Done, the newly exported file should now have the valid certificate chain and that should fix the error "Unable to build a valid certificate chain for the signer"
  Even though this is from Digicert, this should also work for other Certificate Authority providers assuming you download your provider's root cert for code signing.
  Regards,
  Reigner S. Yrastorza

  Are you talking about AIR Help produced by RoboHelp or an AIR application that you are creating?
  If the latter, please see the notice at http://forums.adobe.com/community/robohelp/airhelp
  If you are using RoboHelp, which version?
  See www.grainge.org for RoboHelp and Authoring tips
  @petergrainge

• Replacing the Java Code Signing Certificate on the ASA 55xx VPN/Firewall Appliance

  Hi,
  basically I am trying to achieve what's documented in
  http://www.cisco.com/en/US/docs/security/asa/asa80/release/notes/asarn80.html#wp242704
  (using ASDM: "crypto ca import" = Remote Access VPN -> Certificate Management ->  Code Signer -> Import)
  I give it a complete PKCS12 bundle (unencrypted private key + certificates up to the root CA) to the ASA.
  I can indeed verify that it has been imported correctly by exporting it again:
    crypto ca export CodeSignerBundle pkcs12 1234
  It shows me the private key and all the certificates.
  However, the jars used in WebVPN, while carrying the correct certificate, don't have a full certification chain at their disposal:
  Using jarsigner -verify I see on a random file from the jar:
  sm       905 Fri Nov 30 00:00:00 CET 1979 Java/lang/CpUtf8.class
        X.509, CN=COMMONNAME, O=ORGANIZATION, L=LOCATION, ST=STATE, C=COUNTRY
        [certificate is valid from 8/1/13 4:30 PM to 8/1/16 4:30 PM]
        X.509, CN=LuxTrust Qualified CA, O=LuxTrust S.A., C=LU
        [certificate is valid from 6/5/08 11:25 AM to 10/18/16 12:40 PM]
        [CertPath not validated: Path does not chain with any of the trust anchors]
  Indeed the certificate file inside the jar (META-INF/.....RSA) does not contain what I uploaded to the ASA. One of the intermediary certificates is missing (while another certificate is listed twice).
  What could be the problem here? (ASA v8.2(5))
  Thanks for any help,
  Marki

  It may be that a ip address pool is not assigned to the default webvpn group:
  tunnel-group DefaultWEBVPNGroup general-attributes
  address-pool testpool

• ADT error with comodo code signing certificate

  Hello,
  I'm trying to sign an AIR app with a Comodo code signing cert.
  - SHA-256 with RSA Encryption
  - Java 1.8 (same problem with 1.6)
  - AIR 15 (same problem with older versions)
  My command :
  java -jar -Xmx1024m /data/sdk/AIRSDK_Compiler15/lib/adt.jar  -sign -storetype pkcs12 -storepass ******* -keystore cert/air-distrib.p12 bin-release/TestCert.airi bin-release/TestCert.air
  I get the following error :
  Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
      at java.util.Arrays.copyOf(Arrays.java:3181)
      at java.util.ArrayList.grow(ArrayList.java:261)
      at java.util.ArrayList.ensureExplicitCapacity(ArrayList.java:235)
      at java.util.ArrayList.ensureCapacityInternal(ArrayList.java:227)
      at java.util.ArrayList.add(ArrayList.java:458)
      at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2026)
      at java.security.KeyStore.load(KeyStore.java:1433)
      at com.adobe.ucf.UCF.processSigningOptions(UCF.java:313)
      at com.adobe.ucf.UCF.parseSigningOptions(UCF.java:298)
      at com.adobe.air.ADT.parseSign(ADT.java:1589)
      at com.adobe.air.ADT.parseArgsAndGo(ADT.java:598)
      at com.adobe.air.ADT.run(ADT.java:435)
      at com.adobe.air.ADT.main(ADT.java:485)
  When i increase java memory at 8go, java uses 6go and don't stop... (nothing after 20 minutes...)
  Any idea ?
  ADT or cert problem ? Other ?
  Thx.
  Jonas

  Yeah !
  The certificate was generated in firefox...
  Import it into IE and regenerate the certificate fixed the problem
  Jonas

• A PKI Code Signing Certificate question.

  Hello,
  Can someone please help me with the following question.
  I have created and used a code Signing certificate from our Microsoft Enterprise CA before which works OK, but I am not sure I did it correctly, and have a few related questions please.
  what I did.
  1: Logged on the CA directly, went to the CertSvc web site, requested a code signing cert, issued it and exported it along with the private key.
  2: Imported the above certificate into CurrentUser/My store on PC and used it to sign code
  3: Took the came certificate (along with the private key, and this is where perhaps I made at least one mistake) and imported it into the 'Trusted Publishers' store the PC that will be running the signed code. This step was done so the user does not receive
  a message asking if they want to run the code signed by "AAnotherUser" as it were, as although the code is signed by a trusted CA, the user still gets this warning message as the 'Publisher' is not in the 'Trusted Publishers' list. Therefore the
  way I sorted this at the time was to take the whole certificate as above and import to this store.
  The first mistake I made (as far as I can see as I am new to this area) I think I should have not imported the certificate 'along with its private key' into the trusted publishers store? in other words should I have imported the certificate 'minus its
  private key' into the trusted publishers store?
  Also, I understand you have to have the certificate along with is private key to sign code. I am 'assuming' a Hash of the code is taken and this is signed (encrypted) with the private key (in the same way a CA signs a CSR for a WEBServer cert for example),
  is that correct i.e. is that what it mean to sign code?
  if the above is correct then I assume you only need the 'public' key of the code signed cert in the 'Trusted Publishers Store' to verify the code was signed by a trusted CA and it has not been altered e.g. the Hash code still computes to the same value.
  Is this correct?
  My next question is regarding the private key. As I need to 'Login' to AD in order to request a code signing cert, can the 'private key' not be stored securely in AD along with my AD User account?
  if the above is possible (which would make good sense to me I think) then I do not have to worry about looking after the safety of the private key as the system 'AD' can do this for me. It would also mean which every computer I logon to in the domain I would
  have access to the private key (but no other user) and therefore be able to sign code I assume. Does this last paragraph make sense can this be done/is this done?
  Basically I need to understand the above, in order to understand more about Crypto.
  I also need create a code signing cert for a 'department' of about 10 people. Therefore I was thinking about creating and AD account called 'XYZCorpCodeSigning' or what ever, and issuing a code singing cert to this entity. If the private key could be stored
  in AD then accessed used once signed in as this account (these 10 people would need to know the password for the account) this would make life easier/more secure, I think.
  I know there are several question above, but it would be great it they would be answered as I would help me understand more about how it all works and to solve a problem too
  Thanks very much
  AAnotherUser__
  AAnotherUser__

  > The first mistake I made (as far as I can see as I am new to this area) I think I should have not imported the certificate 'along with its private key' into the trusted publishers store
  yes, it is not correct. Only public part should be imported to a Trusted Publishers container.
  >  is that correct i.e. is that what it mean to sign code
  exactly. Encryption with private key and decrypting with public key is called "digital signature".
  > if the above is correct then I assume you only need the 'public' key of the code signed cert in the 'Trusted Publishers Store' to verify the code was signed by a trusted CA and it has not been altered e.g. the Hash code still computes to the same
  value. Is this correct?
  yes. Client uses only public part of the certificate to validate the signature.
  > As I need to 'Login' to AD in order to request a code signing cert, can the 'private key' not be stored securely in AD along with my AD User account?
  normally code signing certificates are not stored in Active Directory and should not be there, because signing certificate is included in the signature field.
  > I do not have to worry about looking after the safety of the private key as the system 'AD' can do this for me.
  this is wrong assumption. A user is responsible to protect signing private key from unauthorized use.
  > If the private key could be stored in AD then accessed used once signed in as this account (these 10 people would need to know the password for the account) this would make life easier/more secure
  wouldn't, because if something happens -- you will never know who compromised the key.
  as a general practice, we recommend to purchase at least few smart cards to store signing keys. Depending on a particular code development practice, there might be a dedicated employee (for example, manager of devs) who the only has access to a smart card
  (and PIN) and signs the code upon dev request. Or issue a dedicated smart card with unique signing certificate to each developer. However this will add a complexity in signing certificate trust management.
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell FCIV tool.