As you're probably aware by now, since June 1st 2023 all well-known / public Certificate Authorities (CAs) no longer provide Code Signing Certificates using purely software-based private keys (see https://www.linkedin.com/posts/johannes-michler-099892ab_code-signing-key-storage-requirements-will-activity-7090432157688492032-jGvC).
Since I prefer using such a trusted / public CA to sign Java Applets (that are still crucial for Oracle E-Business Suite or Oracle Forms), I've recently had a look into how we can now sign those Java JAR files.
Remaining Options for Code Signing Certs
Basically, there are 3 options remaining to get a code signing certificate usable for Java Applets / .jar files:
- Use a private Certificate Authority: If your company operates its own private Certificate Authority and the admins of that CA know how to use it to create a Code Signing Certificate that can be used to sign .jar files, then this is a valid option. As long as all desktop clients accessing your E-Business Suite environment trust this CA, the process is the same as it was "in the old days" with public CAs. Oracle describes this in great detail in Enhanced Jar Signing for Oracle E-Business Suite (Doc ID 1591073.1).
- Get a "Hardware Security Module" (HSM) backed Code Signing Certificate, available from most major Certificate Authorities. This is a small USB device that securely stores the private key of the certificate. With the vendor's drivers installed, tools such as signtool or jarsigner then access the key/certificate from that device:
SafeNet Token
This HSM-based approach is a bit inconvenient when running E-Business Suite in a Cloud environment such as Oracle Cloud Infrastructure (OCI). The jar files to be signed would then have to be transferred to some local machine, signed there and finally copied back to the E-Business Suite application server. Luckily, there is a third option provided by many CAs: With a "cloud-based" Code Signing Certificate as offered by e.g. Digicert or Certum, the key is stored in a SaaS-like way and the jar files are sent to the Cloud Service for signing transparently. We will have a closer look at this below.
Certum "Standard Code Signing in the Cloud"
One of the cheapest Code Signing Certificates "in the Cloud" available in the market is provided by Certum: https://shop.certum.eu/standard-code-signing-in-the-cloud.html
Resellers such as LeaderSSL offer a certificate valid for 3 years starting at 100 Euro per year:
CERTUM Standard Code Signing in the Cloud by LeaderSSL
We got such a certificate to sign the code of our (legacy) business process modeling tool "Horus" (https://www.horus.biz/). The process basically consists of 3 steps:
- Order a free trial of the certificate
- Perform personal and organization-based identity validation (takes 1-2 days)
- Then you receive a one-time password with which you can activate the "SimplySign" app on Android or iOS. After a biometric authentication, that app generates one-time tokens:
Simply Sign Android App that can "Generate tokens"
This token can then be used to sign in to the desktop application (a token is needed on each start of the application):
Download of the Desktop Application for Windows
Using this application, the Code Signing Certificate issued and verified above can be imported into the Windows Certificate Store.
- Then, when using signtool.exe, the Certum software communicates "under the cover" with the signing SaaS, where the certificate's key lives, to sign the application. This works for Windows applications, and by using a jarsigner plugin it is also possible to sign Java Applets.
Signing Java .jar Files
Signing .jar files is described here: https://support.certum.eu/en/signing-the-code-using-tools-like-signtol-and-jarsigner-instruction/. How to use this tool on a Windows box by copying the .jar files from the E-Business Suite application server to that machine is described in "Signing EBS Jar Files With HSM (Hardware Security Module) (Doc ID 2806640.1)".
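A defender-side companion to the jarsigner-based procedure above: after the signed .jar files have been copied back to the application server (or after a patch has replaced some of them), it is useful to check which jars are actually signed and still internally consistent. The script below is an added example and is not code from this article, from Certum or from Oracle. It implements the structural part of what `jarsigner -verify` checks: a META-INF/*.SF signature file with a matching .RSA/.DSA/.EC block, every manifest digest matching the entry bytes, every entry covered by the manifest, and the .SF's digest of MANIFEST.MF matching the manifest. It does not validate the PKCS#7 signature inside the signature block; that remains the job of `jarsigner -verify -verbose -certs`. The sample jars it builds when run without arguments are constructed in memory, and their .RSA block is a labelled placeholder, not a real signature.

```python
"""Audit .jar files for JAR-signature presence and manifest-digest consistency (added example)."""
import base64
import hashlib
import io
import re
import sys
import zipfile
from pathlib import Path

# JAR digest attribute prefixes -> hashlib algorithm names
_ALGO = {"SHA1": "sha1", "SHA-1": "sha1", "SHA-256": "sha256",
         "SHA-384": "sha384", "SHA-512": "sha512"}
_SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")


def _b64_digest(algo, data):
    """Base64-encoded digest, the encoding the JAR manifest format uses."""
    return base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")


def parse_manifest(data):
    """Parse MANIFEST.MF / .SF bytes into a list of attribute dicts; the first dict is the main section."""
    text = re.sub(r"\r?\n ", "", data.decode("utf-8"))  # unfold 72-byte continuation lines
    sections = []
    for chunk in re.split(r"(?:\r?\n){2,}", text):  # sections are separated by blank lines
        attrs = {}
        for line in chunk.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                attrs[key.strip()] = value.strip()
        if attrs:
            sections.append(attrs)
    return sections


def _is_sig_block(name):
    return name.startswith("META-INF/") and name.upper().endswith(_SIG_BLOCK_EXT)


def audit_jar(jar_bytes):
    """Return {'signed': bool, 'signers': [...], 'problems': [...]}; signed with no problems means consistent."""
    problems, signers = [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        sf_files = [n for n in names if n.startswith("META-INF/") and n.upper().endswith(".SF")]
        if not sf_files:
            return {"signed": False, "signers": [], "problems": ["no META-INF/*.SF signature file"]}
        if "META-INF/MANIFEST.MF" not in names:
            return {"signed": False, "signers": [], "problems": ["META-INF/MANIFEST.MF missing"]}
        manifest = zf.read("META-INF/MANIFEST.MF")
        covered = {s["Name"]: s for s in parse_manifest(manifest)[1:] if "Name" in s}
        # 1. every real entry must be listed in the manifest and match its digest
        for name in names:
            if name.endswith("/") or name == "META-INF/MANIFEST.MF" or name in sf_files or _is_sig_block(name):
                continue
            if name not in covered:
                problems.append(f"{name}: not covered by manifest (added after signing?)")
                continue
            data = zf.read(name)
            for key, expected in covered[name].items():
                if key.endswith("-Digest") and key[:-7] in _ALGO:
                    if _b64_digest(_ALGO[key[:-7]], data) != expected:
                        problems.append(f"{name}: {key} does not match content")
        for name in covered:
            if name not in names:
                problems.append(f"{name}: listed in manifest but missing from jar")
        # 2. each .SF needs a signature block and must digest the manifest correctly
        for sf in sf_files:
            signer = sf[len("META-INF/"):-3]
            signers.append(signer)
            if not any(_is_sig_block(n) and n[len("META-INF/"):].rsplit(".", 1)[0] == signer for n in names):
                problems.append(f"{sf}: no matching .RSA/.DSA/.EC signature block")
            for key, expected in parse_manifest(zf.read(sf))[0].items():
                if key.endswith("-Digest-Manifest") and key[:-16] in _ALGO:
                    if _b64_digest(_ALGO[key[:-16]], manifest) != expected:
                        problems.append(f"{sf}: {key} does not match MANIFEST.MF")
    return {"signed": True, "signers": signers, "problems": problems}


def make_sample_jar(tamper=False, add_unsigned_entry=False, unsigned=False):
    """Constructed in-memory jar with a correct manifest/.SF digest chain; the .RSA block is a placeholder."""
    files = {"com/example/Applet.class": b"\xca\xfe\xba\xbe constructed class bytes"}
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    for name, data in files.items():
        manifest += f"Name: {name}\r\nSHA-256-Digest: {_b64_digest('sha256', data)}\r\n\r\n"
    manifest_bytes = manifest.encode("utf-8")
    sf = ("Signature-Version: 1.0\r\n"
          f"SHA-256-Digest-Manifest: {_b64_digest('sha256', manifest_bytes)}\r\n\r\n").encode("utf-8")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_bytes)
        if not unsigned:
            zf.writestr("META-INF/SIGNER.SF", sf)
            zf.writestr("META-INF/SIGNER.RSA", b"placeholder, not a real PKCS#7 signature block")
        for name, data in files.items():
            zf.writestr(name, data + (b" tampered" if tamper else b""))
        if add_unsigned_entry:
            zf.writestr("com/example/Injected.class", b"constructed entry missing from the manifest")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python audit_jars.py /path/to/*.jar   (no arguments: run against the constructed samples)
    targets = [(p, Path(p).read_bytes()) for p in sys.argv[1:]] or [
        ("constructed-good.jar", make_sample_jar()),
        ("constructed-tampered.jar", make_sample_jar(tamper=True)),
        ("constructed-unsigned.jar", make_sample_jar(unsigned=True)),
    ]
    for label, data in targets:
        result = audit_jar(data)
        print(f"{label}: signers={result['signers']} problems={result['problems'] or 'none'}")
```

Pointing it at the OA_JAVA / jar directories of an E-Business Suite environment quickly lists the jars that a patch has replaced with unsigned versions or whose contents no longer match their signature; those are the ones that need to go through the Certum signing step again.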
Summary
The process described above and in Doc ID 2806640.1 is a reasonably priced option to sign the jar files of E-Business Suite environments with a trusted Code Signing Certificate. However, the procedure involves quite a lot of manual work that needs to be repeated on every E-Business Suite patch that modifies Java / .jar files.
In a follow-up article, I will describe how the code signing with Certum can be done entirely on a Linux box without a GUI, in a scripted fashion.