Overview

The Code Signer allows you to view all the jars in a root folder, check which are signed and which are not, view information about the signature of each jar, and select what to sign/resign using a valid certificate from a Java Keystore.

Running

To launch the tool, it's better to put the tool in the /application_server/ Servoy folder, cd to that folder and run it from the command line/terminal.
To allocate enough memory for the Java signing process, use this command:

java -Xms256m -Xmx1g -jar CodeSigner.jar

or, for Java 7:
java -Xms256m -Xmx1g -jar CodeSigner7.jar

or for Java 8:
java -Xms256m -Xmx1g -jar CodeSigner8.jar

Where -Xms256m allocates a minimum of 256Mb to the Java process, and -Xmx1g allows a maximum of 1Gb (the recommended amount for the signing process to run safely).

You can create a .bat or .sh file to run this; place it in the same directory as the CodeSigner.jar.
By default, the root folder is the one where you placed the jar and executed it.
You can change the root from within the tool interface by choosing the menu "File > Change root..." (or Cmd/Ctrl + C) and select the new root folder to use.

NB: You generally want to point to the Servoy application_server folder.

The signing process

Signing jars is as simple as placing the tool in the application_server directory, or changing the root using the menu, selecting the jars to sign in the tree (usually the non signed/expired ones or all those not signed by your certificate), loading a certificate from a keystore, setting the signing preferences and running the signing process...

Headless mode

You can launch the tool in headless mode on a server without display.
Simply put the CodeSigner.properties in the same folder as the CodeSigner.jar, navigate to that folder and run from the command line/terminal.

NB: The CodeSigner.properties contains a 'headless' property that needs to be set to true to run in headless mode.
Alternatively, you can run the tool with the Java System property "-Djava.awt.headless=true".

If no keystore has been located in the properties, a prompt will ask for a Keystore location.
If no password has been provided in the properties or if it is invalid, a prompt will ask for a Keystore password.
If no alias has been provided in the properties or if no Certificate for this alias can be found in the Keystore, a prompt will ask for it.
If no selection mode has been provided in the properties, a prompt will ask for it: either I (invalid), S (self-signed), D (different) or A (all). This determines which jars are selected to be signed.
If no codebase, appName and ignore properties were found in the properties, the defaults will be used to sign the jars.

After the checks/prompts, the tool will select the jars depending on the selection mode, and proceed to sign them. The command line will display the jar being processed, and all the operations will be logged and saved in the CodeSigner-log.txt log file.

The UI

The UI is made out of a main menu and 3 panels in a split layout:
  • Tree View (on the left)
  • Certificate Information panel (top right)
  • Jar Information panel (bottom right)

A status bar displays progress and information at the bottom of the window.

Tree View

The Tree View shows all the jar files in the root folder and its subfolders.
If a folder doesn't contain any jar file, it will not be displayed.
Files and folders in the 'ignore' list (as set in the Preferences) will not be displayed.

You can expand a folder by clicking on the +/- button.
You can select/deselect a jar by using the checkbox before its name.
You can select/deselect a folder (thus selecting/deselecting all the jars contained in that folder) by using the checkbox before its name.

The jar icon shows the status of the jar, with a different icon for each status:
  • The jar is signed with the current certificate (if one is loaded)
  • The jar is self-signed with the current certificate (if one is loaded)
  • The jar is signed
  • The jar is self-signed
  • The jar is signed but the signature has expired
  • The jar is signed but the signature is invalid
  • The jar is signed but attributes are missing in the manifest
  • The jar is not signed
  • The jar is locked

NB: Locked jars cannot be signed!
A jar is usually locked when the Servoy server process has loaded it.
You need to stop your server before attempting to sign your jars.

Jar Information panel

Clicking on a jar will show some useful information about that jar in the Jar Information panel.

The Jar Information panel will display:
  • The name of the jar
  • The path of the jar (relative to the root folder)
  • The size of the jar file (in bytes)
  • The status of the jar, which can be:
    • signed with the current certificate
    • self-signed with the current certificate
    • signed
    • self-signed
    • expired
    • invalid
    • missing attributes
    • not signed
    • locked
  • The signature information (if any)
  • The minimum and maximum date of validity of the signature (if any)
  • The Timestamp if the jar uses one
  • The manifest attributes

Certificate Information panel

If a certificate has been loaded, this panel will show the information about it:
  • The Keystore containing that certificate
  • The alias of this certificate in the Keystore
  • The status of this certificate (valid/self-signed/invalid/expired)
  • The signature information
  • The minimum and maximum date of validity of the signature
  • The certificate chain verification result: this lists the chain of certificates up to a Root CA in the Java cacerts, or an exception message if the chain is invalid

NB: Only valid and self-signed certificates will allow you to sign jars.
Also note that self-signed certificates will issue warnings to your users and will only allow the Smart client to run under low security settings.
Finally, if the certificate chain didn't verify, the signing process will most likely result in errors, so fix your Keystore first by importing any needed intermediate certificates!

The File menu

Open certificate...

(Cmd/Ctrl O) will show you a file chooser to locate a Keystore, then ask for your Keystore password. If more than one certificate is contained in the Keystore, it will ask you to choose which one you want to use to sign your jars. In case of an Exception (bad Keystore chosen, or wrong password), the whole exception stack trace will be shown in the Certificate Information panel. After the certificate is loaded, the tree will be refreshed to compare the certificates of the jars with the currently loaded one.

Change root...

(Cmd/Ctrl C) will show a folder selection dialog to locate the new root to use. It will analyze the jars contained in that root (this can take a while) and re-display the tree from that folder root.

Run

(Cmd/Ctrl G) will run the signing process on the jars selected.
If no jars are selected it will show an error dialog.
If no Certificate has been selected it will first run the 'Open certificate' command.

The signatures of the jars will automatically be overridden if they were already signed.

The signing process will take care of adding the needed attributes in the manifest of the jars and unsigning/signing/repacking to prepare the jars for an efficient Servoy Web start download.

During the process, the status bar at the bottom of the window will display which jar is being processed.
A log file is also saved on disk in the root folder with the result of the process, and the tree will be refreshed to show the status of all the jars.

Remove signature

(Cmd/Ctrl J) will remove the signature on all the jars selected. If no jars are selected it will show an error dialog.

During the process, the status bar at the bottom of the window will display which jar is being processed, and the icon of the jar will be updated in the tree.
A log file "CodeSigner-log.txt" is also saved on disk in the root folder with the result of the process.

Preferences...

(Cmd/Ctrl P) will open a dialog to allow you to set some preferences:
  • Codebase: this will be used to set the Codebase property in the Manifest of the jars during the signing process
  • Appname: this will be used to set the Application-Name property in the Manifest of the jars during the signing process
  • Ignore: this is a comma-separated list of folder names to be filtered out, typically folders that can contain jars that don't need to be signed and so don't need to be inspected or appear in the tree. By default this is set to "drivers,server", as these 2 folders contain jars that are usually not downloaded by the client.
  • Auto select: either nothing, 'invalid', 'self-signed', 'different' or 'all', will be used to pre-select the jars in the tree (nothing by default)
  • Use Timestamp: will use the TSA URL to generate a Timestamp for the jar (default to false)
  • TSA URL: the Time Stamping Authority URL to use to generate the Timestamp, which must comply with the RFC 3161 protocol (default to "https://timestamp.geotrust.com/tsa" - The Timestamp server certificate must be signed by one of JRE's trusted roots)

NB: Preferences are automatically saved when you quit the software. They are stored in a "CodeSigner.properties" file alongside the CodeSigner.jar
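
To cross-check a signing run independently of the tool, the following added example (not part of the Code Signer, and not its implementation) walks a root folder, skips the default Ignore folders, and reports each jar as not signed, missing attributes, or signed. It assumes that "missing attributes" refers to the Codebase and Application-Name attributes named above, and it only checks that signature files are present; cryptographic validity and expiry still need the JDK's `jarsigner -verify`. The sample jars are constructed with placeholder signature files.

```python
import os, tempfile, zipfile

REQUIRED = {"codebase", "application-name"}  # assumed: manifest attributes set in Preferences
IGNORE = {"drivers", "server"}               # the page's default Ignore list

def main_attribute_names(raw):
    """Lower-cased names in the manifest main section (continuation lines carry none)."""
    main = raw.decode("utf-8", "replace").replace("\r\n", "\n").split("\n\n", 1)[0]
    return {l.split(":", 1)[0].lower() for l in main.split("\n") if ":" in l and l[0] != " "}

def jar_status(path):
    """Structural check only: 'not signed', 'missing attributes', 'signed', 'unreadable'."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = {n.upper(): n for n in jar.namelist()}
            manifest = names.get("META-INF/MANIFEST.MF")
            attrs = main_attribute_names(jar.read(manifest)) if manifest else set()
    except (zipfile.BadZipFile, OSError):
        return "unreadable"
    # A signer leaves a .SF file plus a matching signature block file in META-INF.
    stems = [n[:-3] for n in names if n.startswith("META-INF/") and n.endswith(".SF")]
    if not any(s + ext in names for s in stems for ext in (".RSA", ".DSA", ".EC")):
        return "not signed"
    return "signed" if attrs >= REQUIRED else "missing attributes"

def audit(root, ignore=IGNORE):
    """Map each jar (path relative to root) to its status, pruning ignored folders."""
    report = {}
    for folder, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if d not in ignore]
        for name in (f for f in files if f.lower().endswith(".jar")):
            full = os.path.join(folder, name)
            report[os.path.relpath(full, root).replace(os.sep, "/")] = jar_status(full)
    return report

def build_sample(root):
    """Constructed sample tree: dummy jars whose signature files are placeholders."""
    full = "Manifest-Version: 1.0\nCodebase: *\nApplication-Name: Demo\n\n"
    jars = {"lib/ok.jar": (full, True), "lib/old.jar": ("Manifest-Version: 1.0\n\n", True),
            "plugins/raw.jar": (full, False), "drivers/db.jar": (full, False)}
    for rel, (manifest, signed) in jars.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with zipfile.ZipFile(os.path.join(root, rel), "w") as z:
            z.writestr("META-INF/MANIFEST.MF", manifest)
            for n in ("DEMO.SF", "DEMO.RSA") if signed else ():
                z.writestr("META-INF/" + n, "placeholder")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(build_sample(tmp)))
```

Point `audit()` at the application_server folder after a run; anything other than "signed" deserves a closer look before clients download it.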

Quit

(Cmd/Ctrl Q) quits the application.

The Edit menu

Expand all

(Cmd/Ctrl =) will expand all the nodes of the tree.

Collapse all

(Cmd/Ctrl -) will collapse all the nodes of the tree.

Select All

(Cmd/Ctrl L) will select all the nodes of the tree.

Select None

(Cmd/Ctrl N) will deselect all the nodes of the tree.

Select Invalid

(Cmd/Ctrl I) will select all the unsigned jars + all the signed jars with an expired or invalid signature or missing attributes.

Select Self-Signed

(Cmd/Ctrl S) will select all the unsigned jars + all the signed jars with an expired or invalid signature or missing attributes + all the jars signed with a self-signed certificate.

Select Different

(Cmd/Ctrl D) will select all the unsigned/expired/invalid/missing attributes jars + all the signed jars with a signature different from the one loaded. If no certificate has been loaded, it will run the 'Load certificate' command first.

The Help menu

Manual...

(Cmd/Ctrl M) shows this help in a window.

Version...

(Cmd/Ctrl W) opens a dialog showing the version of that utility.

Credits

This tool has been provided to you for free and if you've found it useful you can always donate using Paypal (simply click on the button on the left) - this will help me maintain it and create some more useful tools in the future.