Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Difference between Authenticode, SPC and Java CodeSign?

Tags:

java

security

windows

certificate

pki

Most CAs are selling code signing certificates in different "products", like Verisign or Certum:

  • Microsoft Authenticode - "Allows you to sign EXE, OCX, DLL, bla..."

  • Java CodeSign - "Allows you to sign Java code"

  • Software Publisher Certificate - "Allows you to sign software"

Well, I am REALLY confused about this. What is the difference between all these products - except the PRICE? I asked Verisign and other CAs a few times since I am curious, but got no answer.

I got a Authenticode certificate from Certum CA. I enrolled it in Internet Explorer, exported it as PKCS#12 PFX and could sign EXE, DLL, ... as promised.

Now... I tried to import this PFX into Java with keytool, then I tried to sign a JAR. And it worked!

And then there is the mysterious "Software Publisher certificate" as product. I don't know what I can/should sign with that... Mac? Linux? Isn't "Microsoft Authenticode" a Software publisher certificate too? Isn't a EXE "software"? That really confuses me.

So, my question is now: When I have ordered a Microsoft Authenticode cert, is it then illegal to use it to sign e.g. JAR files or if possible any other content? There seems to be no technical difference between these certificates. All of those products should have the same codesigning EKU-OID "1.3.6.1.5.5.7.3.3", which does not make any differences between EXE, JAR, Adobe Air and what the hell also exists around there. So, if all "CodeSigning" certificates are technically equal, why do I have to decide then if I want to be a "Java Developer" or "Windows Developer" or "Software Developer"?

Maybe there are still differences in the certificate? Maybe I get not enough rights in JARs when I use Authenticode-certs for signing?

(PS: I do not use my software commercially!)

like image 401
Daniel Marschall Avatar asked Sep 07 '10 01:09

Daniel Marschall

2 Answers

There is no technical difference as you guessed. With the proper tool chain a certificate for signing Java applications can be used to sign Windows executables.

See for example Jsign, a tool for signing Windows executables using a Java keystore or a standard PKCS#12 keystore.

like image 189
Emmanuel Bourg Avatar answered Nov 08 '22 12:11

Emmanuel Bourg

I wrote a short article about converting a java certificate and using it for Authenticode. You can find it here: http://blog.botha.us/sarel/?p=21

We have been doing this for years without any negative consequence.

like image 1
Sarel Botha Avatar answered Nov 08 '22 10:11

Sarel Botha
Sign in to Comment

Related questions

JPA @TableGenerator shared between multiple entities
Checking if a row appears on screen before force scrolling to it?
Ignoring "Content is not allowed in trailing section" SAXException
Global Exception Handlers in Java
Sorting an XML in Java
task strategies for handling HardDeadlineExceededError
Java, Design pattern : Multiple event sources and One event Handler
Invoking C++ code from Java (GCJ)
Execute a default task in ANT in case of failure
How to enable Hibernate Interceptor when i have my Hibernate Transaction managed by Spring?
Calling next value of a sequence in jpa
How to get Hudson to show complete selenium report?
Hibernate second level cache and ON DELETE CASCADE in database schema
Side-effect free methods in the Java Standard Library
Java socket not throwing exceptions on a dead socket?
Is there an opensource java library to interface to an image scanner?
Call Java servlet from Android
JSP in OSGi: How to load TLD from bundles?
Why are string identifiers used to access resource data?
Problem using the nextLine() and hasNextLine() methods of Scanner

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!