How to Sign a Cross-Platform Java App

Question

I have an application that is written in Java and is going to be distributed on Mac OS X, Windows, and Linux. Currently, I am packaging the app for each platform as follows (but I'm willing to change it if an alternative is needed):

• Mac OS X: Using Eclipse, go to "File" -> "Export…" and choose Mac OS X Application bundle
• Windows: Bundle the jar file into an exe file using Launch4j
• Linux: Bundle the jar file into an sh file using Jnix

The trouble is, I'm starting to run into problems with my programs not being trusted. Google Chrome reports that beta versions of my app are not from a trusted source and Windows 8 Smartscreen filter does the same. It's my understanding that the only way to get these security measures to trust my app (which will definitely be necessary if I want to distribute it for real) is to have the app signed. However, I'm finding precious little documentation about how to do this and most of it is for one platform (eg this tells me about signing for Windows 8).

My question is: is there a way to sign my Java code once and automatically have the executables I create be signed? Or do I have to sign each executable file separately? If it's the latter, is there one code signing authority that I can use or do I have to get it signed separately with different groups?

Answer 1

With the suggestion from ParrotMac , I wound up doing Digicert's livechat and asked some of these questions to "David". Here is what he had to say (edited for clarity):

Do I authenticate the Java code or the end product executable or both?

You'll want to sign the end product.

Do I purchase one certificate and use it for other platforms or do I purchase them separately?

You can purchase a code signing certificate, download it for a platform of your choice (eg Java jar files), then re-key it for another (eg authenticode for Windows .exes), if you would like. Re-keying is free and you can re-key your certificate for different platforms as many times as you would like as long as the certificate is valid. When you rekey, it does not invalidate your prior certificate, just enables you to download another one for a different platform. The platform you choose for digicert is just the platform it is initially keyed for.

One of my platform targets is Linux. Is there such thing as Linux code signing? Or is it just for OS X and Windows?

You can use the certificate in Linux, you would just use a different tool to sign it than you would for Windows or OS X.

So there you have it. At least from digicert (and I would presume other code authentication companies) you can buy one certificate and use it for multiple platforms at no charge. You then authenticate your end product; authenticating your raw jar file is unnecessary unless you're distributing it that way.

However, I did find out that if you wanted to get past Windows 8, you have to get more secure code signing.

Would code signing work to get past Windows 8's Smartscreen filter?

You would need the EV Code Signing certificate to get past the Windows 8 Smartscreen filter. The EV does cost more, but mainly due to the extra validation that comes with it. You can do the same thing with the EV as you would with the non-EV certificate.

And for good measure, I asked if a certificate was needed if it was being sent to the Mac OS X App Store or other store.

If I wanted to distribute this cross-platform app in the Mac OS X App Store or other store, do I need a certificate? If so, is it the same certificate?

For stores like Google's Apps store or Mac App Store, you'll need to have your software signed by a trusted certificate. But you would want to view that particular stores requirements to determine exactly what you need.