B4J Question [SOLVED] - B4J Windows App (+jar for linux and mac) - New code signing regulations

hatzisn

Expert
Licensed User
Longtime User
Goodmorning to everyone,

the code signing regulations for apps have changed and now the price has gone way up. (trippled because an HSM is needed to sign the code). The cheapest alternative is this one (the first). Which serves as a software HSM.


I have five questions...

I have never tried to sign an app but now I need to sign one.
1) What do you sign? The Jar, the Exe or the Setup?
2) How do you handle and perform the previous option's procedure?
3) What about MACs and Linux? How do you sign these versions of the application.
4) Would the solution mentioned in the URL before, according to anyone of the users of this forum, work?
5) Has anyone tried the URL's solution?

Edit - For MAC is notarization ok?


Thanks
 
Last edited:

amykonio

Active Member
Licensed User
Longtime User
Hi. I'm not an expert but for (1) I believe you can (and should) sign all of them.
Andreas.
 
Upvote 0

hatzisn

Expert
Licensed User
Longtime User
I have found the answers for signing code (jar + exe) and Inno Setup File using the Certum Technology mentioned in first post in these links:

Exe + Jar + Command for command line for the next link

Inno Setup
 
Last edited:
Upvote 0

hatzisn

Expert
Licensed User
Longtime User
Although I have the answers maybe I did not ask the right question... The question is what is code signing?
Does it change the byte code of the file? I am almost certain that the exe and inno setup will be ok but for jar will this work with B4J? I tried before one year to obfuscate with a tool a b4j jar file and the result was that it did not work afterwards (at least with this tool). Has anyone signed ever a B4J jar file?
 
Upvote 0

Dadaista

Active Member
Licensed User
Longtime User
Microsoft Authenticode - ALL versions of Windows - Code Sign any Microsoft format (32 and 64 bit) EXE, DLL, OCX, MSI, CAB.
Windows 10/11 Driver Signing with an EV Code Signing Certificate
Java Code Sign any JAR applet
Microsoft Office Code Sign any MS Office Macro or VBA (Visual Basic for Applications) file.

 
Upvote 0

hatzisn

Expert
Licensed User
Longtime User
In this page:

I found the following picture. If I get it correct the byte code is left as is and the signature is attached to it? So B4J byte code in jar will be untouched. Right?


 
Last edited:
Upvote 0

hatzisn

Expert
Licensed User
Longtime User
Upvote 0

Magma

Expert
Licensed User
Longtime User
...Found this

especially for open source code... there is a cheaper option...

not sure how it works... but it seems and says that works...
 
Upvote 0

tchart

Well-Known Member
Licensed User
Longtime User
FYI you can sign Jar files using Keystore explorer. Much easier way to do it.

 
Upvote 0

copanut

Member
Licensed User

Ha, it's all very funny in a painful way. I am just going through this right now. I previously had done a code signing just to prevent Microsoft saying the app was from an unknown publisher and causing difficulties for users to install. I grumbled at the time but I did it anyway because it was not too expensive. Then I forgot about it.

Fast forward three years, and I was trying to update my app on the Microsoft App Store, but was rejected because the code signing is now invalid. It expired after three years. Okay, so I remember I did this before and dug around for my notes on the subject (ha ha, I left none). I came to learn that back in June, Microsoft changed the rules such that a physical hardware (USB) is required to do the job, and as you say, it is now absurdly expensive. And to me, at least, the process, rules, and requirements are incredibly vague and badly described. There also seem to be many shady organizations selling the service, and it is not clear who can be trusted or how it all works.

Still, if you want to put your app in the Microsoft App Store, there is no choice but to do the code signing, and I also got a couple of reports from new users that seem to indicate various antimalware products producing a false positive and quarantining the executable. So, onward into the breach.

Not knowing who to trust, I gave my money to Sectigo, which seems to be the biggest dog in this game. https://www.sectigo.com/ssl-certificates-tls/code-signing


The cost was an astonishing $829 for three years. It hardly seems worth it considering 90% of my sales are iOS and Android, but I felt I had no choice in the matter as supporting all three platforms equally is an important part of my marketing for the app.

So, I filled out all the required info and forked over the money. The interactions with Sectigo are all web-based, and vague, and they kept rejecting me without clear explanation.

A few days ago I got an early morning call from a lady in India, nearly impossible to understand, telling me that she called because she had to verify my phone number. I said "OK, thanks." After a period of silence, she started telling me I had to sign up with some web site where I could list my company (which is just me, by the way). She said "I'm not telling you that you have to do it, but you have to do it". I blinked in confusion. "Why do I have to do this?" "Because I need to verify your phone number".

"But... but... you called my phone number and I answered and I am talking to you."

We went in circles on this to no avail. And as I started looking into the web site she had mentioned (which sounds like yet another way to take my money) and I again tried to explain that I'm just some guy working out of his house and not a Fortune 500 company, she mentioned that it would be easier if I signed up as an individual instead of a company. I asked why their web site didn't offer any such choice, and she could not answer, at least not in English that I could understand. She put me on hold, then came back, and said she had switched my application to an individual. Okay, great. But she still had to verify my phone number(!!) so after hanging up, I got an email with a link to click that would then call me (at the same f@#$% number) so I could enter a code to verify that I am me by some mystical prestidgitation.

Anyway, so now I am approved, and am awaiting the arrival by mail of my USB key. From there I will need to figure out again how to apply this signing to my B4J app, a bridge I will cross when the USB key arrives. I figured that part out three years ago, so I'm assuming I can muster the wits to figure it out again.

Ugh. It would be awesomely great if there was a trusted post on this forum with step by step instructions for B4J code signing, including why to do it, what type to buy, who are trusted vendors, and related procedures and "gotchas". I would do it based on my own experiences but I am just winging it and so I don't trust my experiences as authoritative or knowledgeable in any way and would not want to mislead others.
 
Upvote 0

Magma

Expert
Licensed User
Longtime User
I came to learn that back in June, Microsoft changed the rules such that a physical hardware (USB) is required to do the job,

At this..

Code signing - Certum Shop

Seems has cloud option... no need physical USB..
 
Upvote 0

hatzisn

Expert
Licensed User
Longtime User

In post#3 there are some instructions on how to do it, but I do not know of it is trustworthy the certificate.
 
Last edited:
Upvote 0

copanut

Member
Licensed User

Thank you. Yes, I have seen vendors offering a cloud option, but I have also seen the requirement that hardware is part of the new requirement. Who to trust on this? I don't know. Perhaps the cloud vendor holds onto the hardware, but what if they go out of business? This is an example of what I find a very vague, poorly defined, poorly explained process. I am patient with that if I stand to lose $50, but maybe not $500.
 
Upvote 0

Magma

Expert
Licensed User
Longtime User

I think that this option - if your app gonna be open-source-code (may be you can have compiled libs for example and free the source code) and if you wanna sell something sell as a service...

Is something like I will choose at the future for some apps...
 
Upvote 0

tchart

Well-Known Member
Licensed User
Longtime User
Also going through this pain at the moment. I checked and my last certificate cost US$80 (for 1 year).

This year its looking like US$800 (for 3 years) is the cheapest. If you go for 1 year, its about US$500 anyway.

Sectigo is the one I use but usually you are giving your money to a 3rd party before Secitgo get involved. Last time it was also difficult to get validated even though I have a registered business and you get bounced around betwene the 3rd party and Secitgo processes which is frustrating.
 
Upvote 0
Cookies are required to use this site. You must accept them to continue using the site. Learn more…