
I have a Java application (actually JWS, Java Web Start).

That application is signed by a self-signed certificate, created by myself. As expected, when clients try running that application they get warning messages and actually have to manually import my certificate (.cer file) into the "Signer CA" certificate list of their Java control panel. Only after they manually import my self-signed certificate are the warnings gone.

As you can imagine that's a problem, because it's a technical thing and clients need assistance from my side to get it done.

As my application is not earning even nearly enough to cover the yearly expenses for a paid certificate, I started looking for free alternatives. I tried with a "Let's Encrypt" free certificate, but regardless of that, when my clients start the application signed by the "Let's Encrypt" free certificate, the same thing happens: warnings about a self-signed certificate again, and I'm back to square one!

What should I do? It seems like free "Let's Encrypt" certificates are not trusted by Java automatically. Which trusted free code signing certificate should I use?

Additional info about my app: it's not an open source project, it's built using jdk8u122, and clients are running it using jre8u155. The application is built by an Ant script that uses the jarsigner provided by the JDK and the "signjar" Ant task.

guest86

1 Answer


There isn't a free alternative to do this. The whole idea of signing by a trusted authority is that it gives your application:

  • Authentication: verifying who the author of the software is.
  • Integrity: verifying that the software hasn't been tampered with since it was signed.

  • Companies like DigiCert check your code, for example: https://www.digicert.com/code-signing/oracle-java.htm – Wouter Bijen Nov 16 '17 at 12:54
  • Checking for viruses has nothing to do with anything here. – Kayaman Nov 16 '17 at 12:59
  • Code signing is the method of using a certificate-based digital signature to sign executables and scripts in order to verify the author’s identity and ensure that the code has not been changed or corrupted since it was signed by the author. This helps users and other software to determine whether the software can be trusted. A hacker could still get a code signing certificate and sign a virus but he will be legally accountable for it. – Wouter Bijen Nov 16 '17 at 13:06
  • I don't think anyone will be signing any viruses :) – Kayaman Nov 16 '17 at 13:18
  • Viruses, or at least apps that contain viruses, are signed all the time. Of course the signing certificates are usually stolen and viruses added to code by someone other than the authors. Signing certs are available on the dark web for a price. – zaph Nov 16 '17 at 21:05
  • @WouterBijen Great that the answer was corrected! – zaph Nov 16 '17 at 21:05
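As an added diagnostic (not code from the question or the answer), the following Java program reports the two facts a client JRE checks for a signed JAR like the one described above: whether the signer certificate chains to a root in the JRE's cacerts store, and whether its extended key usage permits code signing. A self-signed certificate fails the first check; a Let's Encrypt certificate is a TLS certificate (serverAuth/clientAuth EKU only), so it fails the second even though its chain is trusted. Assumptions: the JAR path is passed as the first argument, and cacerts sits at its default location with the stock "changeit" password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignerCheck {
    static final String CODE_SIGNING = "1.3.6.1.5.5.7.3.3"; // id-kp-codeSigning
    static final String ANY_EKU = "2.5.29.37.0";            // anyExtendedKeyUsage

    public static void main(String[] args) throws Exception {
        // Root store the JRE ships with (assumption: default path and stock password).
        KeyStore cacerts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(System.getProperty("java.home") + "/lib/security/cacerts")) {
            cacerts.load(in, "changeit".toCharArray());
        }
        PKIXParameters params = new PKIXParameters(cacerts);
        params.setRevocationEnabled(false); // offline check; a real client may also consult CRL/OCSP
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        try (JarFile jar = new JarFile(args[0], true)) { // true: verify the signature block files
            byte[] buf = new byte[8192];
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(entry)) { // signers are only known after a full read
                    while (in.read(buf) != -1) { /* consume */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) { System.out.println("UNSIGNED entry: " + entry.getName()); break; }
                for (CodeSigner signer : signers) {
                    List<Certificate> chain = new ArrayList<>(signer.getSignerCertPath().getCertificates());
                    X509Certificate leaf = (X509Certificate) chain.get(0);
                    // No EKU extension means "any purpose"; a TLS-only certificate fails this test.
                    List<String> eku = leaf.getExtendedKeyUsage();
                    boolean ekuOk = eku == null || eku.contains(CODE_SIGNING) || eku.contains(ANY_EKU);
                    // PKIX paths must not end in the anchor itself; drop a root the signer embedded.
                    while (chain.size() > 1 && cacerts.getCertificateAlias(chain.get(chain.size() - 1)) != null)
                        chain.remove(chain.size() - 1);
                    String trust;
                    try { validator.validate(cf.generateCertPath(chain), params); trust = "chains to a cacerts root"; }
                    catch (CertPathValidatorException ex) { trust = "NOT trusted (" + ex.getMessage() + ")"; }
                    System.out.printf("signer: %s%n  EKU permits code signing: %s%n  chain: %s%n",
                            leaf.getSubjectX500Principal(), ekuOk, trust);
                }
                break; // the first signed entry shows the signer; remove this to audit every entry
            }
        }
    }
}
```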