Java Web Start and Code Signing

So Oracle has been steadily tightening the screws on Java security due to all the bad press recently. The latest version of Java suggests that they might block all unsigned applications in the future.  I find this “nanny” approach to running code to be kind of annoying; shouldn’t I decide what code to execute on my own computer?  Anyway, authors of Java Web Start applications need a cheap way to sign code.  Quick searches and StackOverflow suggest a few alternatives.   Here I’ll quickly mention two that I tried.

StartSSL is a small business from Israel that wants to end the protection racket known as “certificate authorities” (CAs).  They charge you a reasonable price for the actual work they do (i.e. validating your identity), then let you create as many types of certificates as you need.  Their SSL certificates are fine, and you can even get those for free.  They advertise code/object signing certificates if you pay for identity validation, and several blog and forum posts indicate that you can use their certificates to sign Java applications.  Their website says nothing to the contrary.  But, unfortunately, you can’t.  Long story short, I paid for identity validation and found out after the fact that StartSSL certificates are not trusted by Java and the company does not support Java code signing (from direct email correspondence). Too bad, I really wanted to like them.  Ugh.

Back to the drawing board.  Comodo offers code signing certificates that are trusted by Java.  They also have a bunch of resellers that sell the certificates at “reasonable” prices (reasonable relative to the “brand name” CAs).  I bought a certificate through KSoftware.  They want a bunch of random stuff after you pay for it, like they want you to update your phone number in some online directory (’cause no identity thief could ever do that?!), but overall it was a fast and good experience.  And most importantly, the KSoftware / Comodo certificate works and is relatively cheap, currently less than $100 per year. Some CAs charge five or six times that much.

The certificate gets magically installed in your browser. (I used Chrome.) You then export the certificate, making sure to “include the private key”, to a .pfx file.  Java’s keytool can convert the .pfx file to a Java keystore:

keytool -importkeystore -srckeystore theCertYouBoughtIncludingPrivateKey.pfx -srcstoretype pkcs12 -destkeystore yourShinyNewJavaKeystore.jks -deststoretype JKS

Then use the jarsigner tool to sign your jar file during your automated build process.  Note that the “alias” in the keystore will be a long string of letters and numbers with hyphens.
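The sign-and-verify step described above, as an added shell example rather than the post's own build script; the keystore file name, the timestamp-authority URL and the sample alias are placeholders, and the store password is assumed to be in the `STOREPASS` environment variable.

```shell
#!/bin/sh
# Added example, not code from the original post. Signs a Web Start jar with the
# key imported into the JKS keystore above and verifies the result.
# Placeholders/assumptions: keystore file name, TSA URL, and the sample alias.
set -eu

KEYSTORE="${KEYSTORE:-yourShinyNewJavaKeystore.jks}"
TSA_URL="${TSA_URL:-http://tsa.example.invalid}"   # use your CA's RFC 3161 URL

# Constructed `keytool -list` output; the alias is a made-up placeholder GUID.
SAMPLE_LISTING='Keystore type: JKS
Your keystore contains 1 entry

le-0123abcd-4567-89ef-0123-456789abcdef, Mar 3, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67'

# keytool -list prints "alias, date, PrivateKeyEntry," for the imported key, so the
# long hyphenated alias the post mentions is the first comma-separated field.
private_key_alias() {
    printf '%s\n' "$1" | grep 'PrivateKeyEntry' | head -n 1 | cut -d ',' -f 1
}

# Read the alias from a real keystore. The password comes from $STOREPASS
# (it would show up in `ps` if typed on the command line of a build server).
alias_in_keystore() {
    private_key_alias "$(keytool -list -keystore "$1" -storepass "$STOREPASS")"
}

# Optional: rename the GUID alias to something a build script can carry readably.
rename_alias() {
    keytool -changealias -keystore "$1" -storepass "$STOREPASS" -alias "$2" -destalias "$3"
}

# Sign the jar. -tsa embeds a trusted timestamp so the signature keeps verifying
# after the yearly code-signing certificate expires.
sign_jar() {
    jarsigner -keystore "$1" -storepass "$STOREPASS" -tsa "$TSA_URL" "$2" "$3"
}

# Verify: prints "jar verified." on success; -certs shows the signer chain so you
# can check it ends at a CA Java trusts (the StartSSL problem from the post).
verify_jar() {
    jarsigner -verify -verbose -certs "$1"
}

if [ "$#" -ge 1 ]; then              # usage: STOREPASS=... ./signjar.sh myapp.jar
    sign_jar "$KEYSTORE" "$1" "$(alias_in_keystore "$KEYSTORE")"
    verify_jar "$1"
else
    echo "sample alias: $(private_key_alias "$SAMPLE_LISTING")"
fi
```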