I have an application that is written in Java and is going to be distributed on Mac OS X, Windows, and Linux. Currently, I am packaging the app for each platform as follows (but I'm willing to change it if an alternative is needed):
Mac OS X: Using Eclipse, go to "File" -> "Export…" and choose Mac OS X Application bundle
Windows: Bundle the jar file into an exe file using Launch4j
Linux: Bundle the jar file into an sh file using Jnix
The trouble is, I'm starting to run into problems with my programs not being trusted. Google Chrome reports that beta versions of my app are not from a trusted source and Windows 8 Smartscreen filter does the same. It's my understanding that the only way to get these security measures to trust my app (which will definitely be necessary if I want to distribute it for real) is to have the app signed. However, I'm finding precious little documentation about how to do this and most of it is for one platform (e.g. this tells me about signing for Windows 8).
My question is: is there a way to sign my Java code once and automatically have the executables I create be signed? Or do I have to sign each executable file separately? If it's the latter, is there one code signing authority that I can use or do I have to get it signed separately with different groups?
With the suggestion from ParrotMac, I wound up doing Digicert's livechat and asked some of these questions to "David". Here is what he had to say (edited for clarity):
Do I authenticate the Java code or the end product executable or both?
You'll want to sign the end product.
Do I purchase one certificate and use it for other platforms or do I purchase them separately?
You can purchase a code signing certificate, download it for a platform of your choice (e.g. Java jar files), then re-key it for another (e.g. authenticode for Windows .exes), if you would like. Re-keying is free and you can re-key your certificate for different platforms as many times as you would like as long as the certificate is valid. When you rekey, it does not invalidate your prior certificate, just enables you to download another one for a different platform. The platform you choose for digicert is just the platform it is initially keyed for.
One of my platform targets is Linux. Is there such thing as Linux code signing? Or is it just for OS X and Windows?
You can use the certificate in Linux, you would just use a different tool to sign it than you would for Windows or OS X.
So there you have it. At least from digicert (and I would presume other code authentication companies) you can buy one certificate and use it for multiple platforms at no charge. You then authenticate your end product; authenticating your raw jar file is unnecessary unless you're distributing it that way.
However, I did find out that if you wanted to get past Windows 8, you have to get more secure code signing.
Would code signing work to get past Windows 8's Smartscreen filter?
You would need the EV Code Signing certificate to get past the Windows 8 Smartscreen filter. The EV does cost more, but mainly due to the extra validation that comes with it. You can do the same thing with the EV as you would with the non-EV certificate.
And for good measure, I asked if a certificate was needed if it was being sent to the Mac OS X App Store or other store.
If I wanted to distribute this cross-platform app in the Mac OS X App Store or other store, do I need a certificate? If so, is it the same certificate?
For stores like Google's Apps store or Mac App Store, you'll need to have your software signed by a trusted certificate. But you would want to view that particular stores requirements to determine exactly what you need.
Related
I'm actually building several installers for my Java apps and also .Net apps using Advanced Installer. Everything works smoothly right until the popup appeared once the installer -run, "Unknown-publisher".
So I google around, and I found out that I need to use the signtool given. And luckily Advanced Installer has that features, but... why is the output-installer.exe still producing 'unknown publisher' as it was earlier? Am I missing something?
Are you using a self-signed certificate (generated by you) or a certificate purchased from a certified vendor? (Thawtee, Comodo, Verisign, etc...)
To have your digital signature recognized on any Windows device you need to buy a certificate from one of the certified vendors. Self-signed (self-generated) certificates will not help you in this case. (Self signed certificates are useful in other scenarios, but to keep this simple I will not go into details now)
If you have the budget, I recommend an EV certificate, it will save you some trouble with Microsoft's SmartScreen system.
Here is a list of code signing certificate vendors Microsoft seems to recommend.
Sorry in advance, there are a lot of questions in this post. I was not able to find much good information on this online so far (maybe I missed the correct search term).
The idea of this post is to migrate Android applications (that can potentially be production level on the Play Store) from Windows 7 to Linux based machines and document it correctly (like I said above I haven't found any good articles about it yet). If I find the solution myself I will post the answer.
Short background: Currently Windows 7 support ends in 2020, looking to move/port production level Android Studio applications to a Linux based system moving the following.
Code for each project.
Moving keystores and other important Android Studio production level files not inside of the project folder.
My main question is what is the best way to do this:
Copy all of the files on an external drive and move them that way?
Use Git to upload the app and redownload on the Linux PC?*
*I understand that Keystores and other non application settings for Android Studio will need to be moved manually with a copy to the external drive since Git generally only loads on the project level.
So far I am looking to see if anyone has experience already with this process and if they have run into any roadblocks or difficulties doing this?
Also what keystore files are necessary to copy? I understand they are in the directory below.
Is the debug.keystore the correct keystore to use for production level keystore applications?
Directory: C:\Users\username\.android
File 1: debug.keystore
File 2: default.keyset
No. The debug.keystore and debug.keyset keystore files shouldn't be used in production, and only in development. If they are missing, they will be generated on your next build, so you won't have to worry about moving them - building the project in Android Studio on your Linux will create these for you.
To generate release keys used in production, please see this.
I provide a java based editor to in internal network of xml editors. Initially it was a plugin, changed to an Applet using jnlp to launch 6 years ago. With the eminent demise of web start I am changing the framework to a desktop Application. The Applet is signed and timestamped as required by all browsers. Once I transition to an installed java application I question whether I need to sign the application jars? The certificate is not cheap and the signing of 30+ jars takes a lot of time. The editor is used on Macs, Windoze and Linux systems. Do I still have to sign it to get it to run? If not what is the downside of not signing, vs the upside to signing?
Desktop java applications don't validate jar signatures. So there is absolutely no benefit to continue signing your jars. Applets are dead (and so is the "sandbox" security model).
Do anyone has bundled a jar file to make an mac os app which is being accepted by app store.
I have converted an inellij generated standalone jar file to macOS native app. It is working fine on my Mac OS after requiring java installation . But as apple require security singing certificates and it deny any third party installations.
So i was looking for some resource to sign my app without xCode. I have already generated and downloaded the certificate for mac app from my developers account but i don't know how to sign my app.
I ll' thankful if someone could help me to find a resource on this matter.
i am using the following apps for bundling and wrapper but it's not working.
for bundling- https://sourceforge.net/projects/jarappmaker/
for wrapper- http://www.ohanaware.com/appwrapper/appWrapper3update387.dmg
It is impossible to sign your app without xCode. Welcome to the world of Apple. Do not pass go, do pay us $100.
myriad java screen captureI have a Java ME application that I need to sign, but I don't know the Certificate Authority (CA) that are supported by the device. I searched and it seems like there is no way to get a list of supported CA from code. I downloaded many signed applications but I wasn't able to install them because the phone does not support the CA they use. I had no luck in contacting the phone manufacturer nor the company that provides the JVM and all the CA want me to pay full price and promise they will give me the money back if their certificate is not supported. The phone I am targeting is a chinese feature phone very popular in India and many other countries. It is running a JVM own by "Myriad". According to my research Esmertec made the JVM then Myriad bought Esmertec. If one of you ever signed a Java ME app that works properly on Esmertec or Myriad Java please provide guidance.