code signing - a few questions

adam spline
Greenhorn

Joined: Sep 29, 2010
Posts: 18
Hi all,

I am working on an application (and applet) that needs to be signed (not just self-signed). I am looking at using GoDaddy.

Unlike most things in the Java world, with code signing it does not seem to be easy to test things without putting out the cash first. So, I would like to ask some quick questions.

[1] For Java signing, I imagine you can use any computer to sign the code (i.e. it does not need to be signed on the computer that is the webserver). Correct?

[2] Is there any relationship between the computer I use to sign the code and the signed code itself? For example, let's say I buy a code signing cert from GoDaddy, but then I change my development computer. Can I still use that same cert on a different computer, or is it somehow "linked" to the computer that is used? In other words, if my dev machine crashes, will I need to buy a new cert from GoDaddy (or wherever)?

[3] Has anyone used GoDaddy for code signing? Are there any gotchas?

[4] I assume that once code is properly signed, it should work on any platform with a proper JVM... correct?

Anyway, just thought I would ask these questions before I put out the cash with GoDaddy.

Thanks,

-Adam
Gregg Bolinger
GenRocket Founder
Ranch Hand

Joined: Jul 11, 2001
Posts: 15292
    

[1] Yes, you can use a self-signed cert created from your computer. Technically, you can put this in production and it will work. But since it is your cert, people might be reluctant to trust it.

[2] I'm about 85% sure the answer to this question is you can use the same cert. It's been several years since I've had to do anything with applet signing in production.

[3] No, I didn't. The company I worked for bought the cert and I don't remember who from.

[4] Correct.


GenRocket - Experts at Building Test Data
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39576
    
Agree with Gregg. As to #2, yes - the certificate is portable, so it doesn't matter on which machine it's used.

Note that there are different classes of certificates, though, e.g. certificates that are meant to be used for SSL are bound to a specific server name - needless to say, that's not what you want.


Ping & DNS - updated with new look and Ping home screen widget
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18154
    

[2] Yes, when my company bought the Verisign certificate, I signed the applet on my development machine and deployed it to the web server. No problems.

[3] I didn't even know that GoDaddy was in the certificate business. Anyway, if it is, the gotcha would be that the customer's browsers might not recognize their certificates as trusted. Browsers are shipped with code to recognize certificates from the well-known trust-sellers like Verisign and Thawte but not necessarily others. Perhaps GoDaddy has a sample applet which they can demonstrate their certificates with.
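
The portability described in the replies to question [2], together with the caveat about certificate classes, as an added example that is not part of the original thread. It assumes a JDK with keytool, jarsigner and jar on the PATH; the alias, password, DN and directory names are constructed, and a self-signed certificate stands in for one issued by a CA.

```shell
#!/bin/sh
# Added example. Alias, password, DN and paths are constructed; a self-signed
# certificate stands in for one bought from a CA. Assumes a JDK on the PATH.
PASS=demo-only-pass

# Create a key pair and certificate with the given extended key usage.
make_cert() {  # $1 = keystore path, $2 = EKU name (codeSigning, serverAuth)
  keytool -genkeypair -alias signer -keyalg RSA -keysize 2048 \
    -dname "CN=Constructed Demo Publisher" -validity 30 -ext "EKU=$2" \
    -storetype PKCS12 -keystore "$1" -storepass "$PASS" -keypass "$PASS" \
    >/dev/null 2>&1
}

# The certificate class matters: it must carry the code-signing usage.
has_codesigning_eku() {  # $1 = keystore path
  keytool -list -v -alias signer -storetype PKCS12 -keystore "$1" \
    -storepass "$PASS" 2>/dev/null | grep -q codeSigning
}

sign_jar() {  # $1 = keystore path, $2 = jar path
  jarsigner -storetype PKCS12 -keystore "$1" -storepass "$PASS" \
    "$2" signer >/dev/null 2>&1
}

is_signed() {  # $1 = jar path
  jarsigner -J-Duser.language=en -verify "$1" 2>/dev/null |
    grep -q "jar verified"
}

# Key and certificate live in the keystore file, not in the machine:
# a backup copy signs just as well after the original machine is gone.
portable_signing_demo() {
  work=$(mktemp -d) || return 1
  mkdir "$work/old_pc" "$work/new_pc" "$work/src"
  echo "demo payload" > "$work/src/hello.txt"
  jar cf "$work/new_pc/app.jar" -C "$work/src" hello.txt || return 1
  make_cert "$work/old_pc/signer.p12" codeSigning || return 1
  has_codesigning_eku "$work/old_pc/signer.p12" || return 1
  is_signed "$work/new_pc/app.jar" && return 1    # jar starts unsigned
  cp "$work/old_pc/signer.p12" "$work/new_pc/signer.p12"
  rm -rf "$work/old_pc"                           # the old machine "crashes"
  sign_jar "$work/new_pc/signer.p12" "$work/new_pc/app.jar" || return 1
  is_signed "$work/new_pc/app.jar"; rc=$?
  rm -rf "$work"
  return "$rc"
}
portable_signing_demo && echo "jar signed from the copied keystore"
```

With a real CA-issued key, the keystore file is the asset to protect: keep an encrypted backup of it and let keytool and jarsigner prompt for the password instead of passing `-storepass` on the command line.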
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 39576
    
Paul Clapham wrote: the gotcha would be that the customer's browsers might not recognize their certificates as trusted. Browsers are shipped with code to recognize certificates from the well-known trust-sellers like Verisign and Thawte but not necessarily others.

Actually, these days the standard browsers ship with certificates from lots of providers - my Firefox has dozens of them, including GoDaddy. You can view them via Preferences -> Advanced -> Encryption -> View Certificates. (My list had several outdated certificates, and some by providers I considered suspect, so I deleted those.)

According to http://en.wikipedia.org/wiki/Certificate_authority#Providers, GoDaddy actually has a market share of >20%.
 