On 01/09/2014 16:17, AUser ZUser wrote:



Hello
Can someone please help me with the following question.
I have a code signing certificate in my X509 store "LocalMachine\My" which I can
use for signing PowerShell scripts, for example
Set-AuthenticodeSignature ./MyScript.ps1 -certificate ( gci cert:\LocalMachine\My -CodeSigning)
No worries there.
From the information I have re "Authenticode" as above, the only file formats
it currently supports are

 * .cab files
 * .cat files
 * .ctl files
 * .dll files
 * .exe files
 * .ocx and

Now the UNIX guys also need their .JAR files signing (they do not have the code
signing cert).
So I was thinking along the following lines but need some help please.
I downloaded OpenSSL for Windows and installed it.
What I want to do is use OpenSSL from the Windows command line to sign a .jar file.
I do not want to expose the code signing certificate by having it as a flat
file (e.g. CodeSigningCert.pfx) on the file system; rather I would prefer to
keep it in the X509 store (whereby the private key is not exportable) and refer
to the cert on the OpenSSL command line when signing the .jar file.
Is this possible? Can anyone please show me a few command line examples? If
this is not possible, is there another utility I can use to achieve the above?
Thanks All
AAnotherUser__
------------------------------------------------------------------------



Note: I have successfully signed jar files (actually apk files,
which are jar files with different contents) using the openssl
command line, plus some scripting.

Basically, jar files are zip files containing extra files
describing the signature.  There is a specification on Oracle's
site, but fundamentally:

META-INF/MANIFEST.MF   contains hashes of all non-signature files
                       in the zip file, this is generated when you
                       sign the jar with any certificate (even an
                       unimportant dummy key). This is a text file.

META-INF/$signaturename.SF  contains hashes of various parts of
                            MANIFEST.MF.  This too is generated
                            when you sign the jar with any
                            certificate, even though there is one
                            copy of this file for each signature.
                            This is a text file.

META-INF/$signaturename.RSA is the output from running the following
                            command (this is a binary file):

openssl cms -sign -outform DER -noattr -md $hashname \
   -signer $whatever.pem $engineorprivkeyoptions \
   < $signaturename.SF > $signaturename.RSA

META-INF/$signaturename.DSA is the same as the .RSA file if your
                            certificate happens to use a DSA public key.

So one way (there are more advanced ways) is to sign with a dummy
(unimportant, no security) key using jarsigner, then extract
META-INF/$signaturename.SF, pass it to openssl with appropriate
engine options, then use a generic ZIP program to replace the
dummy $signaturename.RSA with the real one.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
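As an added illustration of the file layout Jakob describes (example code written for this page, not from the thread or from OpenSSL), the Python below builds META-INF/MANIFEST.MF and the .SF file for a constructed two-entry archive, following the JAR specification's section and 72-byte line rules; the .SF bytes it returns are exactly what the `openssl cms -sign` command above is run over to produce the .RSA file. The sample archive contents and the choice of SHA-256 are assumptions of this example.

```python
import base64
import hashlib
import io
import zipfile
DIGEST = "SHA-256"  # assumed digest algorithm; it names the manifest attributes below

def b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def _section(attrs) -> bytes:
    """One manifest section ending in a blank line; lines over 72 bytes continue with a leading space."""
    out = []
    for key, value in attrs:
        line = f"{key}: {value}".encode("utf-8")
        out.append(line[:72])
        out.extend(b" " + line[i:i + 71] for i in range(72, len(line), 71))
    return b"\r\n".join(out) + b"\r\n\r\n"

def _is_signature_file(name: str) -> bool:
    upper = name.upper()  # the manifest and META-INF/*.SF, *.RSA, *.DSA are never hashed
    return upper.startswith("META-INF/") and upper.endswith(("MANIFEST.MF", ".SF", ".RSA", ".DSA"))

def build_manifest(jar_bytes: bytes) -> bytes:
    """MANIFEST.MF: main section, then one section per regular entry with its base64 SHA-256."""
    sections = [_section([("Manifest-Version", "1.0")])]
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if not info.is_dir() and not _is_signature_file(info.filename):
                sections.append(_section([("Name", info.filename),
                                          (f"{DIGEST}-Digest", b64_sha256(jar.read(info)))]))
    return b"".join(sections)

def build_sf(manifest: bytes) -> bytes:
    """<name>.SF: digests of the whole manifest, its main section and each entry section (input to openssl cms)."""
    main, *entries = [s + b"\r\n\r\n" for s in manifest.split(b"\r\n\r\n") if s]
    sf = [_section([("Signature-Version", "1.0"),
                    (f"{DIGEST}-Digest-Manifest-Main-Attributes", b64_sha256(main)),
                    (f"{DIGEST}-Digest-Manifest", b64_sha256(manifest))])]
    for entry in entries:  # unwrap continuation lines before reading the Name attribute
        name = entry.replace(b"\r\n ", b"").split(b"\r\n", 1)[0][len(b"Name: "):]
        sf.append(_section([("Name", name.decode("utf-8")), (f"{DIGEST}-Digest", b64_sha256(entry))]))
    return b"".join(sf)

def make_sample_jar() -> bytes:
    """Constructed sample input: a tiny two-entry archive standing in for a real .jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("com/example/Hello.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)  # fake class bytes
        jar.writestr("resources/app.properties", b"greeting=hello\n")
    return buf.getvalue()
```

Write `build_sf(build_manifest(jar))` to META-INF/$signaturename.SF, run the `openssl cms -sign` line over it, and put both files plus the manifest into the archive; a verifier recomputes these same digests from the unpacked entries, so any byte changed after signing shows up as a manifest mismatch.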


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org