 

Difference between Authenticode, SPC and Java CodeSign?

Most CAs, like Verisign or Certum, sell code signing certificates as different "products":

  • Microsoft Authenticode - "Allows you to sign EXE, OCX, DLL, bla..."

  • Java CodeSign - "Allows you to sign Java code"

  • Software Publisher Certificate - "Allows you to sign software"

Well, I am REALLY confused about this. What is the difference between all these products - except the PRICE? I asked Verisign and other CAs a few times since I am curious, but got no answer.

I got an Authenticode certificate from Certum CA. I enrolled it in Internet Explorer, exported it as a PKCS#12 PFX and could sign EXE, DLL, ... as promised.

Now... I tried to import this PFX into Java with keytool, then I tried to sign a JAR. And it worked!

And then there is the mysterious "Software Publisher Certificate" product. I don't know what I can/should sign with that... Mac? Linux? Isn't "Microsoft Authenticode" a software publisher certificate too? Isn't an EXE "software"? That really confuses me.

So, my question is now: when I have ordered a Microsoft Authenticode cert, is it then illegal to use it to sign e.g. JAR files or, if possible, any other content? There seems to be no technical difference between these certificates. All of those products should have the same code signing EKU OID "1.3.6.1.5.5.7.3.3", which does not differentiate between EXE, JAR, Adobe AIR and whatever the hell else exists out there. So, if all "CodeSigning" certificates are technically equal, why do I then have to decide whether I want to be a "Java Developer", a "Windows Developer" or a "Software Developer"?

Maybe there are still differences in the certificate? Maybe I don't get enough rights in JARs when I use Authenticode certs for signing?

(PS: I do not use my software commercially!)

Daniel Marschall, asked Sep 07 '10 01:09
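The question's point is that the thing a signing tool actually inspects is the Extended Key Usage extension, and there is one generic code-signing purpose in it. The following is an added example, not code from the question or from any CA or tool mentioned on the page: a minimal, standard-library-only DER walker that extracts the EKU OIDs from an X.509 extension and reports whether the certificate is usable for code signing. The sample extensions are constructed in the block itself rather than taken from a real certificate, and the two Microsoft-specific "SPC" purpose OIDs (1.3.6.1.4.1.311.2.1.21 and .22) are assumed from Microsoft's public OID registry, not from the page. Note that neither jarsigner nor signtool looks for a JAR-specific or EXE-specific purpose; both key on id-kp-codeSigning.

```python
# Added example (not part of the original Q&A): decode the Extended Key Usage
# (EKU) extension of an X.509 certificate with a tiny DER parser, to show that
# an "Authenticode", "Java" or "SPC" code-signing certificate all carry the same
# generic purpose OID.  Standard library only; runs offline.
from typing import List, Tuple

ID_KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"       # RFC 5280 id-kp-codeSigning (from the page)
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"        # RFC 5280 id-kp-serverAuth
ID_CE_EXT_KEY_USAGE = "2.5.29.37"              # RFC 5280 id-ce-extKeyUsage
# Assumed Microsoft SPC purpose OIDs (individual / commercial code signing);
# they sit next to id-kp-codeSigning, they do not replace it.
MS_INDIVIDUAL_CODE_SIGNING = "1.3.6.1.4.1.311.2.1.21"
MS_COMMERCIAL_CODE_SIGNING = "1.3.6.1.4.1.311.2.1.22"


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Decode OID contents; first byte packs the first two arcs as 40*a+b."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                     # base-128, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_eku_extension(oids: List[str], critical: bool = False) -> bytes:
    """Constructed sample: Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL,
    extnValue OCTET STRING containing ExtKeyUsageSyntax ::= SEQUENCE OF OID }."""
    eku = _tlv(0x30, b"".join(_tlv(0x06, _encode_oid(o)) for o in oids))
    body = _tlv(0x06, _encode_oid(ID_CE_EXT_KEY_USAGE))
    if critical:
        body += _tlv(0x01, b"\xff")
    return _tlv(0x30, body + _tlv(0x04, eku))


def eku_purposes(extension_der: bytes) -> List[str]:
    """Return the OIDs listed in an EKU extension; [] if the extension is some other type."""
    tag, ext_body, _ = _read_tlv(extension_der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, ext_id, pos = _read_tlv(ext_body, 0)
    if tag != 0x06 or _decode_oid(ext_id) != ID_CE_EXT_KEY_USAGE:
        return []
    tag, val, pos = _read_tlv(ext_body, pos)
    if tag == 0x01:                         # skip the optional 'critical' BOOLEAN
        tag, val, pos = _read_tlv(ext_body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, seq, _ = _read_tlv(val, 0)
    if tag != 0x30:
        raise ValueError("ExtKeyUsageSyntax must be a SEQUENCE OF OID")
    oids, pos = [], 0
    while pos < len(seq):
        tag, oid, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        oids.append(_decode_oid(oid))
    return oids


def can_sign_code(extension_der: bytes) -> bool:
    """True when the generic id-kp-codeSigning purpose is present; this is what both
    jarsigner and signtool key on, independent of the file type being signed."""
    return ID_KP_CODE_SIGNING in eku_purposes(extension_der)


# Constructed samples standing in for the EKU extension you would pull out of a real
# certificate (e.g. after `openssl x509 -in cert.pem -outform DER`).
AUTHENTICODE_STYLE = build_eku_extension([ID_KP_CODE_SIGNING, MS_COMMERCIAL_CODE_SIGNING])
JAVA_STYLE = build_eku_extension([ID_KP_CODE_SIGNING])
TLS_SERVER_ONLY = build_eku_extension([ID_KP_SERVER_AUTH])

if __name__ == "__main__":
    for name, ext in [("authenticode", AUTHENTICODE_STYLE), ("java", JAVA_STYLE), ("tls", TLS_SERVER_ONLY)]:
        print(name, eku_purposes(ext), "code signing:", can_sign_code(ext))
```

The parser only decodes the extension body; it does not verify the chain, signature or validity period, which the signing tools do separately. The practical check a practitioner wants is the last line of each output: whether id-kp-codeSigning is present, which is the same test regardless of whether the artifact is a JAR or an EXE.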


2 Answers

There is no technical difference, as you guessed. With the proper tool chain, a certificate for signing Java applications can be used to sign Windows executables.

See for example Jsign, a tool for signing Windows executables using a Java keystore or a standard PKCS#12 keystore.

Emmanuel Bourg, answered Nov 08 '22 12:11


I wrote a short article about converting a Java certificate and using it for Authenticode. You can find it here: http://blog.botha.us/sarel/?p=21

We have been doing this for years without any negative consequence.

Sarel Botha, answered Nov 08 '22 10:11