Nammu Jar should be signed

[raquelalegre]

No description provided.

[raquelalegre]

Here are some links with info:

• Generate keys: https://docs.oracle.com/javase/tutorial/security/toolsign/step3.html
• Self signed certificates https://en.wikipedia.org/wiki/Self-signed_certificate
• Jarsigner maven plugin: http://maven.apache.org/plugins/maven-jarsigner-plugin/usage.html
  • Same functionality as: jarsigner -keystore examplestore -signedjar sCount.jar Count.jar signFiles
• Let's encrypt site for free certificates: https://letsencrypt.org
  • These are not straight forward to use, see: http://stackoverflow.com/questions/34110426/does-java-support-lets-encrypt-certificates

[raquelalegre]

Sent email asking about TERENA certificates to isd-dcs-lob. Also asked if they had any information about JISC certificates, since it seems we can get UCL funds for them.

[raquelalegre]

They replied back with this:

Hi Raquel

As per our discussion please find supporting information for code signing
certificates here:
http://tinyurl.com/j99z4v9

(Note further information links on right of page 'Code Signing
Certificates', 'Code Signing Process' etc.)

You *CANNOT* order a code signing certificate yourself.

When you are certain this is the kind of certificate you need re-open this
ticket (or reply to this email) and I will progress the order (we need to
arrange credit card payment and then manual verification).

Hope this helps.

[raquelalegre]

It was not clear in the documentation in that link if COMODO supported signatures for things other than Windowsy files like exe or dll. I spoke with an agents and they confirmed you can sign JAR files with COMODO, and also that the certificate we buy for Nammu's JAR can be used on things other than JAR files in the future that we want to sign.

Here's the link about signing JARs with COMODO (content takes a while to load): https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/531/7/

And here's what the agent sent to order the certificate:
http://www.positivessl.com/code-signing/code-signing.html?ap=ce046

[raquelalegre]

Email sent to Tony Brown to start the process of getting the certificate. COMODO's site says it'll take 3-5 working days.

[raquelalegre]

Sent another email today since we haven't heard back yet.

[raquelalegre]

Update from Tony Brown last Friday:

 Hi Raquel,

 An update.

 ISD Purchasing, in the absence of Robert Silk who is on annual leave this
 week, referred us to another member of staff in ISD who, regrettably, is
 working at home today. We will therefore refer the request back to ISD
 purchasing as Robert Silk will be back in the office on Monday.

 Apologies for the delay.

 We are confident that we can beat the 5 July deadline.

[raquelalegre]

Another update:

Hi Raquel,

An update.

We have paid for the certificate (£399.60 inc.VAT).

The next stage is to complete the authorisation.

[raquelalegre]

Hi Raquel,

We are on to the manual authorisation phase now. Tim and I hope to
progress this today.

[raquelalegre]

Tim sent the certificate and password. Working out how to put everything together so JAR doesn't force people to run content from untrusted source.

[raquelalegre]

Followed these instructions. Note alias, which is needed by the jarsigner, can be seen with this command:

keytool -list -storetype pkcs12 -keystore signing_certificate.p12 -v

I'll test it and then try to add the keytool and jarsigner steps to the POM file so it's always automatically signed in every build.

[raquelalegre]

Turns out Apple computers need some extra signing. We need to use an Apple Developer ID so Apple trusts our application and users don't get prompted with something like"This app has been made by an untrusted developer", which is not ideal.

ISD folks said Robert Silk has a Developer ID we can use, so I've sent an email and I'm waiting to hear back.

[raquelalegre]

Also emailed isd-itpurchasing since Robert is on leave tomorrow.

[raquelalegre]

I got an invite to the Apple Developer ID account. However, it turns out you can't sign JAR files, you can only sign dmg or app files :-/

I'm trying to bundle the JAR into an app or a dmg, using a maven plugin. It does create an app and dmg, but when I open them nothing happens. Here's the plugin I'm using:

https://github.com/federkasten/appbundle-maven-plugin

I'll come back to this later. Making the bundle would also be nice to add an icon to it and so on, but I need to investigate further on this and I might not have time before the release later today.

Some other links to look at:

• Some instructions on how to bundle a jar: http://centerkey.com/mac/java/
• Make exe for windows: http://launch4j.sourceforge.net
• Apple certificates: https://developer.apple.com/account/mac/certificate/

[raquelalegre]

I have managed to create a working DMG file for Nammu, including icon and context menu that says "Nammu" instead of "App" :)

I couldn't do it with the maven plugin, which did prepare a dmg, but it wouldn't trigger the JAR, so for now I've done it with javapackager instead. It's not a great solution, but I'll manager to put that somehow in Maven to automate this process.

This is what I run:

mkdir package/macosx
# For some reason javapackager needs nammu_icon.ics to be in that folder
cp nammu_icon.icns package/macosx
javapackager -deploy -native dmg -srcfiles ~/workspace/ORACC/nammu/target/nammu-0.4.jar -appclass uk.ac.ucl.rc.development.oracc.nammu.Nammu -name Nammu -outdir deploy -outfile Nammu -v  -Bicon=package/macosx/nammu_icon.icns -BappVersion=0.4

javapackager also accepts an Apple Developer ID as a command argument, but I don't seem to be able to find it in the UCL Apple Developer Team website. It seems like some people doing iOS stuff got them, but there are no Mac Apps in there ever signed.

I tried following the instructions here:
https://developer.apple.com/library/ios/documentation/IDEs/Conceptual/AppDistributionGuide/ConfiguringYourApp/ConfiguringYourApp.html#//apple_ref/doc/uid/TP40012582-CH28-SW2

But that only works for native Apple applications written in Objective-C or Swift, so I can't open my project there and configure it the way the instructions say. I've emailed the people who manage this team and I'm waiting to hear back, because I'm a bit lost.

[raquelalegre]

I could also try and look into moving from maven to gradle and use this: https://github.com/crotwell/gradle-macappbundle/wiki/Intro

[raquelalegre]

Some update: COMODO ships its certificate with no indications on how to install it. There's this help I found though, which is what I followed, but it's outdated/wrong.

After consulting with COMODO support I finally got some help. The validation chain of their certificate was wrong. The certificate needed to be regenerated with OpenSSL to build the validation chain from scratch, like this:

# 1. Generate private key:
openssl pkcs12  -in ../certificate/Trac_dcs_lob#16969-Comodo_Code_signing_certificate.p12 -nocerts -out privateKey.pem
# 2. Generate public certificate
openssl pkcs12 -in ../certificate/Trac_dcs_lob#16969-Comodo_Code_signing_certificate.p12 -clcerts -nokeys -out publicCert.pem
# 3. Regenerate p12 certificate with SHA-1 codesigning_bundle.txt given by COMODO
openssl pkcs12 -export -in publicCert.pem -inkey privateKey.pem -out certificate.p12 -certfile ../certificate/Codesigning_bundle.txt

When running this for information:

keytool -list -v -storetype pkcs12 -keystore certificate.p12  > output.txt

The output shows a confirmation of my validation chain's length being 4 - it was 3 before which was reporting a warning about my validation chain being incomplete.

Then when signing the jar no more warnings appear and all seems good:

# JAR just generated, check it's unsigned:
> jarsigner -verify target/nammu-0.4-dev.jar
jar is unsigned. (signatures missing or not parsable)

# Sign it with the (corrected) COMODO certificate
>jarsigner -storetype pkcs12 -keystore certificate.p12 -tsa http://timestamp.digicert.com target/nammu-0.4-dev.jar "1"
Enter Passphrase for keystore:
jar signed.

# Check again if it's signed:
> jarsigner -verify target/nammu-0.4-dev.jar
jar verified.

The problem is that when opening in a Mac, this is displayed:

“nammu-0-1.4-dev.jar” can’t be opened because it is from an unidentified developer.
Your security preferences allow installation of only apps from the Mac App Store and identified developers.

Which has to do with the Apple Developer ID signature.

One can't sign JARs with the Apple Developer ID, they must be app or dmg files. So I've created a dmg bundle like I said in earlier and then signed it after installing all the certificates in my Keystore:

codesign -s 'C3E34CC79691FF99147A0A8801A51D8D980DC258' -v Nammu.dmg

I've also tried to sign my App, then sign the DMG, but I keep on getting that error when trying to open the file on a Mac. IT Purchasing who dealt with the Apple Developer ID stuff don't know how to help with this, so I'm going to ask in Apple support, although could take very long to get an answer.

This issue will remain unresolved for now.

[raquelalegre]

Apple hasn't replied yet.

We have tried a few things, but still when opening the App, we keep on getting this warning:

“Nammu.app” can’t be opened because it is from an unidentified developer.

Your security preferences allow installation of only apps from the Mac App Store and identified developers

which makes users manually accept to trust Nammu. This is bad because we are identified developers!

We've tried to check directly on the app file, which is what fails. Signing the dmg doesn't seem to help. If we install Nammu.app from a Nammu dmg file, we can then check if the app is signed:

$ codesign -vvv --deep  /Applications/Nammu.app

/Applications/Nammu.app: code object is not signed at all

Then we sign it and check again:

$ codesign -vvv --deep -s 'C3E34CC79691FF99147A0A8801A51D8D980DC258' /Applications/Nammu.app

/Applications/Nammu.app: signed bundle with Mach-O thin (x86_64) [uk.ac.ucl.rc.development.oracc.nammu]

$ codesign -vvv --deep  /Applications/Nammu.app

--prepared:/Applications/Nammu.app/Contents/PlugIns/jdk1.8.0_25.jdk
--validated:/Applications/Nammu.app/Contents/PlugIns/jdk1.8.0_25.jdk
/Applications/Nammu.app: valid on disk
/Applications/Nammu.app: satisfies its Designated Requirement

This still triggers the warning when trying to open the app.

We have tried signing other files inside the app folder, like /Applications/Nammu.app/Contents/Java/nammu-0.4.jar or the entry point in /Applications/Nammu.app/Contents/MacOS/Nammu but with no luck.

It might be helpful in the future to note we also found how to modify on the command line the exceptions for unidentified apps on the system's policy security tool:

# Shows all the registered exceptions preceded by rule number and label.
spctl --list

# When one unidentified application is approved in the security settings, it'll appear in the list, for example:
# 906[UNLABELED] P0 allow execute [/Applications/Nammu.app]
    identifier "uk.ac.ucl.rc.development.oracc.nammu" and anchor apple generic and certificate leaf[subject.CN] = "3rd Party Mac Developer Application: University College London (8UMT23UD55)" and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */

# To restore the settings and forget this app was ever approved:
spctl --remove --rule 906

This issue affects Mac computers only, so we'll need to investigate further. For now we'll focus on moving forward with other functionality.

[raquelalegre]

I was thinking maybe the problem is still in the way the certificate is created, or there is something missing on it. I've asked again Robert Silk and Niall Roche, which are the ones administrating UCL Developer IDs, but they do it for iOS, which is different because it publishes things in the App Store and couldn't help much before.

Anyway, I thought it'd be good to keep a summary somewhere of what I've done, just in case I forget :)

Here it is:

1. I log in and go to my account's certificates section: https://developer.apple.com/account/ios/certificate/?teamId=8UMT23UD55
2. I select "OS X" in the top left dropdown menu.
3. I click on the + button to create a new one.
4. I select "Mac Development" from the list of options.
5. I create a CSR file with KeyChain Access as indicated in the instructions, pointing to my UCL/Apple email address.
6. I use it to create the CER file, which I then download and install.
7. I know it went well, because of the output of this command:

$ security find-identity -v -p codesigning

  3) 3632DA5324CEF2050E8F8D309F472ADE4F2E7793 "Mac Developer: Raquel Alegre (SR8E38C6L2)"

1. I sign the app like this (but I keep getting the warning when I try to open the app):

$ codesign -vvv --deep -s '3632DA5324CEF2050E8F8D309F472ADE4F2E7793' /Applications/Nammu.app
/Applications/Nammu.app: signed bundle with Mach-O thin (x86_64) [uk.ac.ucl.rc.development.oracc.nammu]

[ageorgou]

Potentially related: https://apple.stackexchange.com/questions/200844/if-i-sign-a-jar-with-a-certificate-from-comodo-will-i-still-get-warnings

This will become more of an issue as future OS X versions will require software to be notarized in addition to being signed. See here for an example for another project - thanks for bringing that up, @giordano.