On 01/09/2014 16:17, AUser ZUser wrote:
Hello,

Can someone please help me with the following question.

I have a code signing certificate in my X509 store "LocalMachine\My" which I can use for signing PowerShell scripts, for example:

    Set-AuthenticodeSignature ./MyScript.ps1 -certificate ( gci cert:\LocalMachine\My -CodeSigning )

No worries there.

From the information I have re "Authenticode" as above, the only file formats it currently supports are:

* .cab files
* .cat files
* .ctl files
* .dll files
* .exe files
* .ocx

Now the UNIX guys also need their .JAR files signing (they do not have the code signing cert). So I was thinking along the following lines but need some help please.

I downloaded OpenSSL for Windows and installed it. What I want to do is use OpenSSL from the Windows command line to sign a .jar file. I do not want to expose the code signing certificate by having it as a flat file (e.g. CodeSigningCert.pfx) on the file system; rather I would prefer to keep it in the X509 store (whereby the private key is not exportable) and refer to the cert on the OpenSSL command line when signing the .jar file.

Is this possible? Can anyone please show me a few command line examples? If this is not possible, is there another utility I can use to achieve the above?

Thanks All

AAnotherUser__

------------------------------------------------------------------------
Note: I have successfully signed jar files (actually apk files, which are jar files with different contents) using the openssl command line, plus some scripting.

Basically, jar files are zip files containing extra files describing the signature. There is a specification on Oracle's site, but fundamentally:

META-INF/MANIFEST.MF contains hashes of all non-signature files in the zip file. This is generated when you sign the jar with any certificate (even an unimportant dummy key). This is a text file.

META-INF/$signaturename.SF contains hashes of various parts of MANIFEST.MF. This too is generated when you sign the jar with any certificate, even though there is one copy of this file for each signature. This is a text file.

META-INF/$signaturename.RSA is the output from running the following command (this is a binary file):

    openssl cms -sign -outform DER -noattr -md $hashname \
      -signer $whatever.pem $engineorprivkeyoptions \
      < $signaturename.SF > $signaturename.RSA

META-INF/$signaturename.DSA is the same as the .RSA file if your certificate happens to use a DSA public key.

So one way (there are more advanced ways) is to sign with a dummy (unimportant, no security) key using jarsigner, then extract META-INF/$signaturename.SF, pass it to openssl with appropriate engine options, then use a generic ZIP program to replace the dummy $signaturename.RSA with the real one.

Enjoy

Jakob

-- 
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
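The MANIFEST.MF / .SF layout Jakob describes, as an added example in Python (not code from the thread, from jarsigner or from OpenSSL): it builds both text files for a set of constructed sample entries and checks that a .SF still matches the manifest it was produced from. The .SF bytes it returns are what the `openssl cms -sign` step above consumes; it assumes SHA-256 digests and ASCII entry names.

```python
"""MANIFEST.MF / <name>.SF builder and check for the jar signing flow above. Example code,
not jarsigner's or OpenSSL's own; sample entries are constructed and names assumed ASCII."""
import base64
import hashlib

def _b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def _fold(line: str) -> str:
    """Manifest lines are at most 72 bytes; the rest continues on lines starting with a space."""
    raw = line.encode("utf-8")
    pieces, raw = [raw[:72]], raw[72:]
    while raw:
        pieces.append(b" " + raw[:71])
        raw = raw[71:]
    return b"\r\n".join(pieces).decode("utf-8")

def _section(headers) -> str:
    """Folded, CRLF-terminated header lines plus the blank line that ends a section."""
    return "".join(_fold(h) + "\r\n" for h in headers) + "\r\n"

def build_manifest(entries: dict) -> bytes:
    """MANIFEST.MF: a main section, then one section per non-signature file with its digest."""
    out = [_section(["Manifest-Version: 1.0", "Created-By: example (not jarsigner)"])]
    for name, data in sorted(entries.items()):
        out.append(_section([f"Name: {name}", f"SHA-256-Digest: {_b64_sha256(data)}"]))
    return "".join(out).encode("utf-8")

def build_sf(manifest: bytes) -> bytes:
    """<name>.SF: digests of the whole manifest, of its main section and of every named
    section (each taken with its trailing blank line). This is the file that is later
    fed to `openssl cms -sign` to produce the .RSA/.DSA block."""
    main, *named = [s + b"\r\n\r\n" for s in manifest.split(b"\r\n\r\n") if s]
    out = [_section(["Signature-Version: 1.0",
                     "SHA-256-Digest-Manifest: " + _b64_sha256(manifest),
                     "SHA-256-Digest-Manifest-Main-Attributes: " + _b64_sha256(main),
                     "Created-By: example (not jarsigner)"])]
    for sec in named:
        name_line = sec.replace(b"\r\n ", b"").split(b"\r\n", 1)[0].decode("utf-8")
        out.append(_section([name_line, "SHA-256-Digest: " + _b64_sha256(sec)]))
    return "".join(out).encode("utf-8")

def sf_matches_manifest(sf: bytes, manifest: bytes) -> bool:
    """Check the whole-manifest digest recorded in a .SF against the manifest actually present."""
    for line in sf.replace(b"\r\n ", b"").split(b"\r\n"):  # unfold continuation lines first
        if line.startswith(b"SHA-256-Digest-Manifest: "):
            return line[len(b"SHA-256-Digest-Manifest: "):].decode("ascii") == _b64_sha256(manifest)
    return False
```

Because the .RSA block only covers the .SF, a changed MANIFEST.MF with a stale .SF is exactly what `sf_matches_manifest` is meant to catch when inspecting a repacked jar.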