Using .pfx file to sign Java jars

Hi,
I recently bought a Comodo code signing (and jar signing) certificate that I wish to use to sign a java jar (for a Java WebStart application). I exported the certificate from the web browser as a .pfx file: “export.pfx”.

I then got the alias from it [& stored along with other certificate details in a .txt file which shows my company’s name correctly and issuer name as “COMODO Code Signing CA 2”] & then I used:
jarsigner -storetype pkcs12 -keystore export.pfx myJar.jar myAlias

This is to sign the jar (myJar.jar) with the cert. (export.pfx) using my certificate’s alias. I was prompted for a password which I entered correctly and the process was completed successfully.
When I verified it using jarsigner -verify -verbose -certs myJar.jar, it showed the jar as being signed along with all the details about the certificate.

However, when I run the jar, the security warning still shows up saying: “Publisher Unknown”. In this warning popup box, when I view “more information” & click on “view certificate details”, a table pops up showing my company’s name as the certificate Issuer name where it should be “CN=COMODO Code Signing CA 2”.
Why is this happening? Kindly let me know how to rectify this. Thanks.

Hi

Please check out the FAQ knowledge base for code signing certificates:

https://support.comodo.com/index.php?/Default/Knowledgebase/List/Index/7/code-signing

It may have the answers.

Garry

Hi, thanks for the reply. However, I’ve been through the Knowledgebase and from what I can see I have correctly used my PFX for signing the jar file.

I retrieved the alias in a text file using keytool -v -list -storetype pkcs12 -keystore export.pfx > myAlias.txt (where export.pfx is my PFX file and myAlias.txt is the destination text file), the .txt file shows the Keystore type: PKCS12, Keystore provider: SunJSSE, the Alias name, Certificate chain length: 4, owner: my company’s name, issuer: COMODO Code Signing CA 2, validity period, etc.

But when I sign a jar using this valid certificate & then run the jar file, it says “unknown publisher” & lists my company’s name as the Issuer instead of Comodo? Verifying using jarsigner -verify -verbose -certs myJar.jar also shows the jar as being signed successfully using a valid certificate.

I initially thought that maybe my PFX did not contain all the certificates. So, I re-imported it in IE9 web browser and re-exported it to a new PFX file. Repeating the jar signing steps again leads to the creation of a new text file containing a different Alias but the rest of the details (owner, issuer, validity) are the same. However, using this new PFX file to sign the jar also results in the same “unknown publisher” error.

Any feedback on this would be welcome. Thanks.

Hi

Unknown Publisher suggests that not all the certificates, back to the root certificate, were included when you exported it from the browser.

I would suggest exporting it again from the browser and select ‘include all certificates in the chain’.

Hope that helps.

Garry

Hi Garry, thanks for the reply.
I tried re-importing and exporting the PFX & did what you suggested and like before, it shows certificate chain length=4 and includes 4 certificate details in it. However, this error is still occurring.

Update:
I’ve been trying an alternate approach this morning to sign my java jar file but I’m getting a different error and the signing fails.

Instead of directly using the PFX to sign the jar, I’m now creating a KeyStore (jks) from the PFX and using the steps outlined at: How do I sign and timestamp a Java JAR file? : K Software to sign the jar. However, when I attempt Step 5 (i.e., signing and timestamping the jar using Timestamp Server And Stamping Protocols | Sectigo® Official or its https equivalent), I get an error saying: jarsigner: unable to sign jar: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching timestamp.comodoca.com found.

Kindly let me know what’s causing this? Can I not sign and timestamp jar files using the certificate, or is the URL not working any more?

Best Wishes,
Ajit.

Hi

It would be helpful to see the certificate list of the 4 certificates.

Could you use the keytool command again to list the contents of the keystore and include that in your reply.

Thanks
Garry

Hi Garry, kindly let me know what you think?
The PFX and keystore seem to have all the certificates up to the root in them.

Hi

Just out of interest, did you create the pfx file as per option 2 on this knowledge base FAQ?

https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/531/7/signing-jar-files

Garry

Hi Garry,
As far as I can remember, I exported the certificate from an IE browser as a PFX using the built-in Wizard and not via the command line; but that was quite a long time ago. I used the PFX to sign a .exe file and it works without any problems. It’s only for the jar that it fails.

Signing the jar with the PFX gives the “Publisher Unknown” error, and signing via a JKS keystore (created from the PFX) fails with an SSLHandshakeException on the timestamp URL (Timestamp Server And Stamping Protocols | Sectigo® Official).

Hi Garry,
any suggestions?

Hi

I admit, I am running out of suggestions.

But, here is one last thought, although I think you’ve removed the certificate list from your post…

I noticed it had a very complex Alias, which made me wonder if it was the one you used at the end of the jarsigner command?

So, if it was then my last suggestion would be to submit a ticket with support:

https://support.comodo.com/index.php?/Default

And, once resolved, it would be good if you can post back here the resolution.

Garry

Hi Garry,
Yes that was the alias which I used while trying to sign the jar. I contacted Comodo Support about this on Friday (11th July) along with the text file containing the alias and certificate details and they said it seems to be ok.
I later sent them screenshots of what I did and the error I’m facing (both the PFX signing issue and the timestamp url error when I try to sign the jar using a JKS keystore) but haven’t heard back from them yet.

I will update this post with the solution once I get one from Comodo Support, hopefully some time today.
Thanks.

This is the reply I received from Comodo Support yesterday:

Dear Customer,

Thank you for the mail. It would appear you have some corrupted, self-signed, digital signatures within your JAR file unrelated to your Comodo certificate. Further to that, it does not appear you have set a 'Permissions' attribute within a manifest file within your JAR, based on the error “This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute. Please contact the Publisher for more Information.” (as seen in your 3rd screenshot). This attribute is required as of Java 7 update 45. Please address.

Kind Regards,
Technical Support

The manifest permissions issue is something I knew about before and have rectified it.
But I do not understand how my jar can have corrupted, self-signed digital signatures as it is an unsigned jar being signed using a Comodo code signing certificate. I verified the jar (using the jarsigner -verify -certs command) before signing it and it said: “jar is unsigned”. I replied to them about this yesterday but haven’t heard back yet.

If anyone has any suggestions/ feedback on this issue, kindly let me know. Thanks.

How do I find out if the jar has a corrupt, self-signed signature or not, & if it does, how do I remove the corrupt signature?

Hi, how do I unsign a Java jar?
I want to unsign my jar (to remove a corrupt self-signed certificate) before re-signing it using my Comodo code signing certificate (converted from a PFX file to a JKS keystore).

I created another small Java Web Start application earlier today and tried signing it using the JKS keystore created from my Comodo certificate’s PFX file, and that process worked perfectly, showing Comodo as the Issuer under certificate details when I ran the application. So, I want to unsign my jar to remove the corrupt certificate and re-sign it using this JKS keystore to fix the problem. Kindly let me know how to do so.
Thanks.

Hi,
I’ve managed to mostly resolve my issues around signing the jar and the jar manifest/permissions warning.
When I now double click the jnlp to run the jar, it now gives no warnings but when I click “More information”, it says: “Part of the application is missing a digital signature” & “Although the application has a digital signature, the application’s associated file (JNLP) does not have one”. Do I need to sign the jnlp as well ?

Also, there is no manifest warning now when I run the jnlp. However, when the software starts up, the Web Start console does state: “Missing Application-Name manifest attribute” & “Missing permissions manifest attribute” though I have set both of these in my jar’s manifest.

How do I fix this? Do I also have to set the Codebase attribute in the manifest (I read about this elsewhere but am not doing it currently)?
Thanks.

Hi, I’ve fixed my problems around signing the jar file and the Missing permissions attribute error myself. However, I’ve encountered a new error today. When I run my application (with the jar being signed using a Comodo code signing certificate), it brings up a popup with the jar & its certificate’s details. However, it then shows another popup with an error about the missing Manifest permissions attribute and a corrupt self-signed certificate.

I’ve found that these errors refer to the “jnlpcomponent1.jnlp” file that Netbeans IDE generates when I build my application. This file contains four 3rd-party jars that are already signed using another certificate.

How do I unpack these jars (to replace the Manifest with a blank one & delete the .SF and .RSA files) & re-pack them? Is there a way to manually do it (e.g., at the command prompt)? Can I manually unpack these 4 jars, edit their Manifest, remove the .SF & .RSA files and re-pack them?
Or do I need to sign them using the Comodo certificate as well ? Please let me know. Thanks.
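The two recurring questions in this thread, how to tell whether a jar already carries someone else's signature and how to strip it (along with checking the manifest for the Permissions and Application-Name attributes the Web Start console complained about), can be answered with the Python standard library alone. This is an added example, not code from the thread or from Comodo; the sample jar it builds is constructed in memory, with placeholder bytes standing in for the vendor's signature block, and the unsign step keeps the manifest's main attributes while dropping the per-entry digest sections so the jar can be re-signed with jarsigner.

```python
import io
import zipfile
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")  # signature files jarsigner adds under META-INF/
REQUIRED_ATTRS = ("Permissions", "Application-Name")  # attributes the Web Start console asked for

def signature_entries(jar_bytes):
    """List META-INF signature files; a non-empty result means the jar is signed."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(n for n in zf.namelist() if n.startswith("META-INF/") and n.upper().endswith(SIG_SUFFIXES))

def main_attributes(manifest_text):
    """Parse the main section (up to the first blank line); a leading space continues the previous line."""
    attrs, key = {}, None
    for line in manifest_text.splitlines():
        if not line.strip():
            break  # per-entry digest sections follow; not needed here
        if line.startswith(" ") and key:
            attrs[key] += line[1:]
        elif ": " in line:
            key, value = line.split(": ", 1)
            attrs[key] = value
    return attrs

def missing_attributes(jar_bytes):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        attrs = main_attributes(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
    return [a for a in REQUIRED_ATTRS if a not in attrs]

def unsign_jar(jar_bytes):
    """Copy the jar without signature files or per-entry digests, keeping the manifest's main attributes."""
    sigs = set(signature_entries(jar_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in [n for n in src.namelist() if n not in sigs]:
            data = src.read(name)
            if name == "META-INF/MANIFEST.MF":
                attrs = main_attributes(data.decode("utf-8"))
                data = ("".join(f"{k}: {v}\r\n" for k, v in attrs.items()) + "\r\n").encode("utf-8")
            dst.writestr(name, data)
    return out.getvalue()

def build_sample_jar():  # constructed stand-in for a vendor jar signed by someone else
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nApplication-Name: Demo\r\n\r\n"
                    "Name: com/example/Main.class\r\nSHA-256-Digest: AAAA\r\n\r\n")
        zf.writestr("META-INF/VENDOR.SF", "Signature-Version: 1.0\r\n")
        zf.writestr("META-INF/VENDOR.RSA", b"\x30\x00")  # placeholder bytes, not a real PKCS#7 block
        zf.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Removing a vendor's signature also removes the integrity evidence it provided, so the stripped jar should be re-signed with your own certificate before it is deployed, which is exactly what jarsigner does when it adds fresh .SF and .RSA files.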

Update: I have managed to resolve this issue myself.
Thanks.