Bug 130943

Summary: Provide trusted certificates for code signing
Product: Community
Reporter: John Arthorne <john.arthorne>
Component: Process
Assignee: Eclipse Webmaster <webmaster>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
CC: bokowski, jeffmcaffer, jrosenth, rivka, webmaster
Version: unspecified
Target Milestone: ---
Hardware: PC
OS: All
Whiteboard:

Attachments (Description: Flags):
Sample JAR signed with a trusted cert: none
TryTwain: none
JTwain dll: none

Description John Arthorne CLA 2006-03-08 12:15:08 EST
First, apologies if this bug is not in the right place. I couldn't find a component that seemed to fit.  Feel free to move it.

This bug is a branch of bug 78208 regarding signing of Eclipse plugins and JARs. In particular, this bug is for addressing item c) in the list from that bug:

c) The Foundation needs to purchase a Java code signing ID and decide on a 
process for how the Eclipse teams can use this to sign the various plug-ins 
and features while maintaining the integrity of the certificate (ensuring that 
the private key does not fall into the wrong hands).

I know some work has already gone on, but wanted to enter this bug so we have a way to track the work so that those with an interest can see what is happening.

From what I gather, here is what has happened so far:

1) The foundation has set up a secure staging area where signing can take place
2) A script has been created that can be invoked by a build process to make the signing happen on content in the staging area.

The next step is for the foundation to purchase code signing certificates from a trusted certificate provider such as Verisign.  This is a critical piece because otherwise the user has no way to verify that the certificate used to sign the content actually came from the foundation.  Here is a link to the Verisign product information:

https://securitycenter.verisign.com/celp/enroll/upsell?application_locale=VRSN_US&originator=Java&bundle_id=JavaCS002

Note that once a certificate is purchased, it can be renewed annually to ensure it remains valid.
Comment 1 John Arthorne CLA 2006-03-08 12:17:01 EST
I have created a wiki page to track the signing work that is going on for 3.2:

http://wiki.eclipse.org/index.php/JAR_Signing

The (perhaps ambitious) goal is to have infrastructure in place so that content on the Callisto update site can be signed in time for the synchronized release.
Comment 2 Eclipse Webmaster CLA 2006-03-31 10:26:03 EST
*** Bug 134265 has been marked as a duplicate of this bug. ***
Comment 3 Eclipse Webmaster CLA 2006-03-31 10:34:17 EST
To concur with comment 0:

- We have a secure signing process in place

- That process safeguards our private key, where only the foundation can read it, while still allowing us to delegate signing to specific committers (i.e., not every committer can sign)

- The Foundation needs to purchase a trusted certificate, and configure our signing script to use it.

I'm currently waiting for EMO approval of the expense, then I'll click the Submit button on the web form.

D.
Comment 4 Eclipse Webmaster CLA 2006-03-31 11:03:26 EST
Certificate has been purchased for a 3yr period, waiting for Verisign.

D.
Comment 5 Eclipse Webmaster CLA 2006-04-10 17:07:58 EDT
Verisign have signed my certificate.  I'll install it this week so we can start testing.
Comment 6 John Arthorne CLA 2006-04-10 17:14:33 EDT
Excellent!  Boris mentioned that he has some experience with installing and setting up Verisign certificates, so you can drop him a line if you have any problems and he might be able to give some pointers.
Comment 7 Eclipse Webmaster CLA 2006-04-11 16:17:12 EDT
Grr...  I *totally* forgot that I needed to create the private key with keytool, and instead created one using OpenSSL.

Stupid  Stupid  Stupid  Stupid  Stupid  Stupid

Of course, now I'm struggling to get the blasted key into my keystore as keytool doesn't support importing this directly.

I can't seem to convert the private key/cert into PKCS#12 format (so that I can import it with a tool like KeyMan) as the Verisign cert doesn't appear to be an X.509 cert, but rather some Digital ID.

At this point I'm totally screwed and don't know what to do.
Comment 8 Boris Bokowski CLA 2006-04-11 16:32:51 EDT
I barely remember this, but I think I wrote a little Java utility when I was stuck with a similar problem. Could you attach a private key, different but generated in the same way, so that I can experiment with it?
Comment 9 Eclipse Webmaster CLA 2006-04-11 16:37:29 EDT
~> openssl genrsa -des3 1024
Generating RSA private key, 1024 bit long modulus
.++++++
..................++++++
e is 65537 (0x10001)
Enter pass phrase: Something
Verifying - Enter pass phrase: Something
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,C825E4A0768F21D5

-----END RSA PRIVATE KEY-----
Comment 10 John Arthorne CLA 2006-04-11 17:58:05 EDT
Try this:

openssl pkcs12 -export -out keystore.pkcs12 -in www.crt -inkey www.key

Where www.crt is the certificate file from Verisign, and www.key is your private key generated by openssl.  This should generate keystore.pkcs12 in the pkcs12 format.  Then KeyMan can be used to import this into the Java keystore file.

Some references:

http://www.jguru.com/faq/view.jsp?EID=532461 (reply of January 16, 2006)
http://mark.foster.cc/kb/openssl-keytool.html
Comment 11 Eclipse Webmaster CLA 2006-04-11 22:38:50 EDT
I tried that already this afternoon (see comment 7 paragraph 4).

droy@utils:~> openssl pkcs12 -export -out keystore.pkcs12 -in jarsign.verisign.crt -inkey jarsign.verisign.key
Enter pass phrase for jarsign.verisign.key:
No certificate matches private key

Using openssl verify on our https web cert returns a positive verification; however, 

droy@utils:~> openssl verify jarsign.verisign.crt
unable to load certificate
28658:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946:
28658:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=X509_CINF
28658:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_D2I:nested asn1 error:tasn_dec.c:566:Field=cert_info, Type=X509
28658:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:82:

Comment 12 Eclipse Webmaster CLA 2006-04-11 22:47:23 EDT
Hmmm, I didn't try catting the Verisign intermediate and root cert like the Jan 16 comment. Will try this tomorrow as soon as I figure out which root cert I need ;)

Thanks for the info.

D.
Comment 13 Eclipse Webmaster CLA 2006-04-12 14:19:21 EDT
The bad news is that I tried every possible combination of the above and nothing worked.  I was unable to export into PKCS12 format.

The good news is that I can replace the certificate I purchased with a new one.  I'll simply generate a private key and CSR using keytool, have the new cert signed, and all should be swell.

D.
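
Added example (not part of the thread, and not the Foundation's signing script): a bash triage for the failures in comments 7 to 13, checking what a CA-issued file actually parses as and whether its public key matches the private key before `openssl pkcs12 -export` is attempted. The function names and sample file names are hypothetical, and the PKCS#7 case is an assumption about one way a non-X.509 "Digital ID" file can arise; the thread never confirms what the Verisign file contained.

```shell
#!/usr/bin/env bash
# Added example: triage a CA-issued file before `openssl pkcs12 -export`.
# Function and file names are hypothetical, not taken from the thread.

# Print what FILE parses as: x509, pkcs7 or unknown (tries PEM, then DER).
classify_cert() {
  local file=$1 form
  for form in PEM DER; do
    if openssl x509 -in "$file" -inform "$form" -noout 2>/dev/null; then
      echo x509; return 0
    fi
    if openssl pkcs7 -in "$file" -inform "$form" -noout 2>/dev/null; then
      echo pkcs7; return 0
    fi
  done
  echo unknown; return 1
}

# Write the certificates held in a PEM PKCS#7 bundle as PEM X.509 blocks.
unwrap_pkcs7() {
  openssl pkcs7 -in "$1" -print_certs 2>/dev/null
}

# 0: certificate and private key share a public key; 1: they differ;
# 2: either file could not be parsed (e.g. the "cert" is really a bundle).
cert_matches_key() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample data (assumption, not files from the thread): two
# throwaway unencrypted keys, a self-signed cert for the first key, and
# that same cert wrapped in a PKCS#7 bundle.
make_samples() {
  local dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=constructed-sample" \
    -days 1 -keyout "$dir/a.key" -out "$dir/a.crt" 2>/dev/null
  openssl genrsa -out "$dir/b.key" 2048 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$dir/a.crt" -out "$dir/a.p7b"
}
```

A pass-phrase-protected key makes `openssl pkey` prompt for it; a return code of 2 from `cert_matches_key` points at a parsing problem rather than a genuine key mismatch.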

Comment 14 Eclipse Webmaster CLA 2006-04-20 10:49:50 EDT
Just a quick update... I got the "second" certificate from Verisign.  This is a certificate that used the keystore's private key for the CSR.

Following the import instructions at http://verisign.com/support/code-signing-support/code-signing/digital-id.html

/shared/common/ibm-java2-ppc64-50/bin/keytool -import -trustcacerts -keystore /my/keystore -alias myalias -file verisign.crt
Enter keystore password:
keytool error: java.lang.Exception: Input not an X.509 certificate

*sigh*  back to Verisign support.
Comment 15 Eclipse Webmaster CLA 2006-04-20 11:50:00 EDT
Created attachment 39053
Sample JAR signed with a trusted cert

So it appears I'm the only idiot who uses a different Key password and Store password.  Setting them to an identical value yields much easier results.

I was able to import the Verisign cert, sign a JAR using jarsigner and verify it using jarsigner.  Please verify the attached jar to see if this is the expected result.
Comment 16 Mik Kersten CLA 2006-04-25 18:27:30 EDT
Should Technology projects (e.g. Mylar, AJDT) be using the same certificate?
Comment 17 John Arthorne CLA 2006-04-26 09:51:27 EDT
> Should Technology projects (e.g. Mylar, AJDT) be using the same certificate?

I don't see why not.  The purpose of the certificate is that it allows verification that a piece of software originated from eclipse.org.  It seems to me that any software available on download.eclipse.org could take advantage of both the signing and pack200 (http://wiki.eclipse.org/index.php/Pack200) update support.
Comment 18 Eclipse Webmaster CLA 2006-04-26 10:00:02 EDT
(In reply to comment #16)
> Should Technology projects (e.g. Mylar, AJDT) be using the same certificate?
> 

I believe this is the intention.  One (or two) committers would be trusted committers, who would be granted the privilege to sign their code on behalf of the Foundation, by using the process we're developing here.

As soon as all the wrinkles are ironed out, we'll make the appropriate announcements.

D.
Comment 19 Eclipse Webmaster CLA 2006-09-27 20:54:18 EDT
A code signing certificate has been installed and is in use on the signing server. Although we're not yet ready to announce the functionality of signing project jars and zips, this part of the requirement has been satisfied.

FWIW, in comment 15 I requested the attached jar be verified to make sure it's properly signed and didn't get a reply.

D.
Comment 20 Mik Kersten CLA 2006-09-28 13:14:42 EDT
What's the bug that we're using to track this functionality becoming available to other projects (e.g. Mylar, AJDT)?  Or will this be announced elsewhere when ready?
Comment 21 John Arthorne CLA 2006-09-28 13:33:42 EDT
> What's the bug that we're using to track this functionality becoming available
> to other projects (e.g. Mylar, AJDT)?  Or will this be announced elsewhere when
> ready?

There's nothing specific to the platform project with this signing infrastructure.  I.e., once it's available to the platform, it is automatically enabled to work for any Eclipse project.  Likely the only additional work is adding an appropriate person from each project to the "signers" ACL so they have permission to run the scripts. Follow bug 135044 for further updates on improvements that are in progress on the signing/packing tool.
Comment 22 rivka kl CLA 2014-01-16 08:09:16 EST
Created attachment 239059
TryTwain
Comment 23 rivka kl CLA 2014-01-16 08:20:09 EST
Created attachment 239060
JTwain dll
Comment 24 Denis Roy CLA 2014-01-16 08:30:36 EST
The content of attachment 239059 has been deleted for the following reason:

Looks like spam
Comment 25 Denis Roy CLA 2014-01-16 08:30:41 EST
The content of attachment 239060 has been deleted for the following reason:

Looks like spam