Signing Java desktop application

I made a Java desktop application using Swing (myProg.jar). I currently package my application as a .app for my Mac users, and I use InnoSetup to make a setup.exe file for my Windows users. I also provide a myProg.exe wrapper to launch myProg.jar.

Now, to get rid of SmartScreen and other protections on my users' computers, I think that I need to sign my application. But the more I read about it, the more confusing it seems to me.

Can anyone clarify some of the following points for me?

1) What kind of certificate do I need exactly? Is there any way to make it free, or at least cheap?

2) What do I need to sign exactly? Should I sign the myProg.jar file, the .app file? The setup.exe? The myProg.exe wrapper? All of them?

3) Solved - How will it work when I update my program and replace myProg.jar with a new version of myProg.jar?

Thanks a lot!

Sharcoux asked Aug 08 '17 13:08


1 Answer

Your JDK should include a tool called jarsigner. This tool lets you sign jar files for free.

1) The key you use for signing needs to be in a Java keystore (default .keystore). You can import keys into your keystore from .der format.

2) You can only sign .jar files.

3) It will just overwrite the old file with the new signed one, just like a simple copy. No signature verification will be performed, unless your installer does so.

Furthermore, not every signature is the same. If you are, for example, trying to register a crypto provider, then a signature from Oracle will be necessary to run it on the Oracle JVM. See: https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html#Step6

Example:

To generate a key:

keytool -genkey -keyalg RSA -alias key_alias -keystore mystore.keystore -keysize 2048

To sign a jar:

jarsigner -keystore mystore.keystore -tsa http://tsa.safecreative.org MyJARFile.jar key_alias_from_keystore

To verify the signature:

jarsigner -verify jar-file

I'm not sure this will solve your problem. Overall, what you need to do is sign the OS executable, in this case the .exe and the .app.

A possible solution is to sign the executable of your app wrapper (in the case of Windows, the .exe). To do so, see: https://msdn.microsoft.com/en-us/library/aa387764.aspx

If you are using a Unix-based system, I would try to run Mono's sign tool. See the Mono doc on "signcode" (I cannot provide a link, not enough rep).

This should get rid of the "Unknown Publisher" message, but unless you can get the OS developer to sign your certificate, some message will be shown to the user.

Marcin answered Oct 15 '22 14:10
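The answer above points out that replacing myProg.jar during an update performs no signature verification unless the installer or updater does it itself. The following is an added example (not code from the original answer or from the asker's project) of how an updater could do that check with the JDK's own JarFile class before copying a downloaded jar into place: it opens the jar with verification enabled, reads every entry to the end so the digests in MANIFEST.MF and the .SF/.RSA signature block are actually checked, refuses any entry that has no code signer (an unsigned jar, or a file smuggled in after signing), and pins the signer to the SHA-256 fingerprint of the publisher's certificate. The fingerprint constant is a placeholder assumption; the real value comes from `keytool -list -v -keystore mystore.keystore -alias key_alias`. HexFormat needs Java 17 or later.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HexFormat;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Example updater-side check (not part of the original answer):
 * accept a jar only if every code entry is signed by the expected certificate.
 */
public final class JarUpdateVerifier {

    // PLACEHOLDER (assumption): SHA-256 fingerprint of the publisher's signing
    // certificate, as printed by
    //   keytool -list -v -keystore mystore.keystore -alias key_alias
    // Colons in keytool's output are tolerated by the comparison below.
    static final String EXPECTED_CERT_SHA256 =
        "0000000000000000000000000000000000000000000000000000000000000000";

    /** Returns true only if the jar is fully signed by the pinned certificate. */
    public static boolean verify(String jarPath, String expectedFingerprint) throws Exception {
        // verify=true: JarFile checks each entry's digest as its bytes are read,
        // and throws SecurityException on a tampered entry.
        try (JarFile jar = new JarFile(jarPath, true)) {
            Enumeration<JarEntry> entries = jar.entries();
            boolean sawCodeEntry = false;
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureMetadata(entry.getName())) {
                    continue;
                }
                sawCodeEntry = true;
                // Drain the entry: code signers are only populated after a full read.
                try (InputStream in = jar.getInputStream(entry)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) {
                        // reading is the verification step
                    }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    // Unsigned jar, or a file added to the archive after signing.
                    System.err.println("unsigned entry: " + entry.getName());
                    return false;
                }
                if (!signedByExpected(signers, expectedFingerprint)) {
                    System.err.println("unexpected signer for: " + entry.getName());
                    return false;
                }
            }
            // An archive with no code entries at all is not a valid update either.
            return sawCodeEntry;
        }
    }

    /** MANIFEST.MF and the .SF / signature block files are not signed entries themselves. */
    private static boolean isSignatureMetadata(String name) {
        return name.equals("META-INF/MANIFEST.MF")
            || (name.startsWith("META-INF/")
                && (name.endsWith(".SF") || name.endsWith(".RSA")
                    || name.endsWith(".DSA") || name.endsWith(".EC")));
    }

    /** True if any signer's leaf certificate matches the pinned SHA-256 fingerprint. */
    private static boolean signedByExpected(CodeSigner[] signers, String expectedFingerprint)
            throws Exception {
        String expected = expectedFingerprint.replace(":", "").toLowerCase();
        for (CodeSigner signer : signers) {
            // Index 0 of the cert path is the signer's own (leaf) certificate.
            X509Certificate leaf =
                (X509Certificate) signer.getSignerCertPath().getCertificates().get(0);
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(leaf.getEncoded());
            if (HexFormat.of().formatHex(digest).equals(expected)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String jarPath = args.length > 0 ? args[0] : "myProg.jar";
        boolean ok = verify(jarPath, EXPECTED_CERT_SHA256);
        System.out.println(ok ? "signature OK, safe to install" : "REJECTED");
        System.exit(ok ? 0 : 1);
    }
}
```

Pinning the fingerprint rather than just requiring "some valid signature" is the part that matters: `jarsigner -verify` is satisfied by any self-signed key, including one an attacker generated with the same keytool command shown above, so an updater that only checks for the presence of a signature gains nothing. Tampering with an entry surfaces as a SecurityException from the read loop, which should likewise be treated as a rejected update.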