• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Liutauras Vilda
  • Paul Clapham
Sheriffs:
  • paul wheaton
  • Tim Cooke
  • Henry Wong
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Piet Souris
Bartenders:
  • Mike London

code signing - a few questions

 
Greenhorn
Posts: 18
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi all,

I am working on an application (and applet) that needs to be signed (not just self-signed). I am looking at using GoDaddy.

Unlike most things in Java world, with code signing it does not seem to be easy to test things without putting out the cash first. So, I would like to ask some quick questions.

[1] for java signing, I imagine you can use any computer to sign the code (ie it does not need to be signed on the computer that is the webserver). Correct?

[2] Is there any relationship between the computer I use to sign the code and the signed code itself. For example, lets say I buy a code signing cert from godaddy, but then I change my development computer. Can I still use that same cert on a different comptuer, or is it somehow "linked" to the computer that is used? In other words, if my dev machine crashes, will I need to buy a new cert from GoDaddy (or wherever).

[3] Has anyone used GoDaddy for code signing. Are there any gotchas?

[4] I assume that once a code is properly signed, it should work on any platform with a proper JVM... correct?

Anyway, just thought I would ask these questions before I put out the cash with GoDaddy.

Thanks,

-Adam
 
Ranch Hand
Posts: 15304
6
Mac OS X IntelliJ IDE Chrome
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
[1] Yes, you can use a self-signed cert created from your computer. Technically, you can put this in production and it will work. But since it is your cert, people might be reluctant to trust it.

[2] I'm about 85% sure the answer to this question is you can use the same cert. It's been several years since I've had to do anything with applet signing in production.

[3] No, I didn't. The company I worked for bought the cert and I dont remember who from

[4] Correct.
 
Master Rancher
Posts: 43045
77
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Agree with Gregg. As to #2, yes - the certificate is portable, so it doesn't matter on which machine it's used.

Note that there are different classes of certificates, though, e.g. certificates that are meant to be used for SSL are bound to a specific server name - needless to say, that's not what you want.
 
Marshal
Posts: 27531
88
Eclipse IDE Firefox Browser MySQL Database
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
[2] Yes, when my company bought the Verisign certificate, I signed the applet on my development machine and deployed it to the web server. No problems.

[3] I didn't even know that GoDaddy was in the certificate business. Anyway if it is, the gotcha would be that the customer's browsers might not recognize their certificates as trusted. Browsers are shipped with code to recognize certificates from the well-known trust-sellers like Verisign and Thawte but not necessarily others. Perhaps GoDaddy has a sample applet which they can demonstrate their certificates with.
 
Ulf Dittmer
Master Rancher
Posts: 43045
77
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Paul Clapham wrote:the gotcha would be that the customer's browsers might not recognize their certificates as trusted. Browsers are shipped with code to recognize certificates from the well-known trust-sellers like Verisign and Thawte but not necessarily others.


Actually, these days the standard browsers ship with certificates from lots of providers - my Firefox has dozens of them, including GoDaddy. You can view them via Preferences -> Advanced -> Encryption -> View Certificates. (My list had several outdated certificates, and some by providers I considered suspect, so I deleted those.)

According to http://en.wikipedia.org/wiki/Certificate_authority#Providers, GoDaddy actually has a market share of >20%.
 
With a little knowledge, a cast iron skillet is non-stick and lasts a lifetime.
reply
    Bookmark Topic Watch Topic
  • New Topic