Signing a CAB file

Lasse Koskela
author
Sheriff

Joined: Jan 23, 2002
Posts: 11962
I have the undelightful privilege to sign a CAB file (for an applet) using the signcode.exe utility and I'm experiencing problems.

What I've got is
- A file named "mycredentials.spc"
- A file named "myprivatekey.pvk"
- A keystore file
- The password for the keystore file

Now, if I run the following command from command-prompt, it works out just fine except for one thing -- it pops up a dialog prompting me for the password. This is exactly what I don't want to do since the automated build script this signing thing is supposed to be part of can't handle popups (no humans involved...).


Now, if there really is no way to tell signcode.exe the password using command-line parameters, how do I "install" the signing certificate into my Windows Registry? I've Googled and Googled but I haven't been able to get the registry thing working. Here's the command I should use if only I knew the "Key container name" marked with "XXXXX-XXXXX-XXXXX-XXXXX" (I assume it's the registry key for something):


I'd really, really like to get rid of this problem and will appreciate any help I can get.

Thanks.


Author of Test Driven (2007) and Effective Unit Testing (2013) [Blog] [HowToAskQuestionsOnJavaRanch]
Balaji Loganathan
author and deputy
Bartender

Joined: Jul 13, 2001
Posts: 3150
Originally posted by Lasse Koskela:
Now, if I run the following command from command-prompt, it works out just fine except for one thing -- it pops up a dialog prompting me for the password.


Is your certificate created in such a way that "prompt for password while using the private key from this PC"?
Where does this signcode utility come from? From the Windows OS?

The command prompt from the .NET SDK has a new signcode wizard (a code signing tool with digital certificate); will that help for the applet?

Did you read this link http://support.microsoft.com/default.aspx?scid=kb;EN-US;193877 or similar?


Spritle Software Blogs
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16020

Icky, icky, icky. AFAIK, "cab" java files are only applicable to clients running Windows using Microsoft's VM. Later versions of Windows released without the MS VM or applets using Swing (or other post Java 1.02 classes) would have to have the Sun Java Plugin, which would use signed jars, instead.

The "XXXX" stuff looks like it's probably a GUID, and would be generally created using Microsoft's GUID gen tool, unless you have a pre-assigned vendor ID (which even MS seems to avoid using at times). The GUID is a long nasty hash value that's supposed to virtually ensure that an applet requesting an object cataloged under that guid will get the expected resource and no other.

Beyond that, all I can recommend is to check out MSDN, since only Microsoft does it this way.


Customer surveys are for companies who didn't pay proper attention to begin with.
Lasse Koskela
author
Sheriff

Joined: Jan 23, 2002
Posts: 11962
Thanks Balaji and Tim,

Originally posted by Balaji Loganathan:
Is your certificate created in such a way that "prompt for password while using the private key from this PC"?
I have no idea. I just have the file and I wasn't even near this place when it was created way back when. Which tool should I use to create a certificate so that I can choose whether to prompt for the password or not?

Originally posted by Balaji Loganathan:
Where does this signcode utility come from? From the Windows OS?
Again, I have no idea. Right now, it comes from our version control. I can't get a version out of it so all I can say is that it's the same "signcode.exe" that all those MSDN pages are talking about.

Originally posted by Balaji Loganathan:
The command prompt from the .NET SDK has a new signcode wizard (a code signing tool with digital certificate); will that help for the applet?
Hmm. I'll have to see if it would have new command-line options.

Originally posted by Balaji Loganathan:
Did you read this link http://support.microsoft.com/default.aspx?scid=kb;EN-US;193877 or similar?
Yes. I've read probably a hundred MSDN help pages but none of them has helped me so far.
Lasse Koskela
author
Sheriff

Joined: Jan 23, 2002
Posts: 11962
Originally posted by Tim Holloway:
Icky, icky, icky. AFAIK, "cab" java files are only applicable to clients running Windows using Microsoft's VM. Later versions of Windows released without the MS VM or applets using Swing (or other post Java 1.02 classes) would have to have the Sun Java Plugin, which would use signed jars, instead.
Yes, I know. We have a JAR version of the applet and have no trouble signing it. Unfortunately, we're forced to also support clients who need the applet in CAB format.

Originally posted by Tim Holloway:
The "XXXX" stuff looks like it's probably a GUID, and would be generally created using Microsoft's GUID gen tool, unless you have a pre-assigned vendor ID (which even MS seems to avoid using at times). The GUID is a long nasty hash value that's supposed to virtually ensure that an applet requesting an object cataloged under that guid will get the expected resource and no other.

I have one such value that the build script has been using. The problem is that since the old build machine is now used for something different, the signing has stopped working -- apparently because this particular GUID can't be found from somewhere on the new build machine.
Balaji Loganathan
author and deputy
Bartender

Joined: Jul 13, 2001
Posts: 3150
Lasse,
I get this certificate from a new Office tool called InfoPath, but this link might help you makecertexe.asp and 206637

When I double click the certificate with the extensions .p12 or .pfx, it will prompt me to install the certificate, then it will prompt me to include the password for every call or not, provided I have the private key for that certificate. Not sure whether it will help you for your context.
But give it a try on the .NET SDK command prompt.
[ September 02, 2004: Message edited by: Balaji Loganathan ]
 