Thursday 7 July 2005

New VeriSign Code Signing Certificate and old signtool.exe


Our code signing certificates at work expired recently, and we got new ones from VeriSign. The IE cab file signing works fine, but jar file signing was failing. We sign our jar files with the old signtool.exe from Netscape, because the resulting jar works on the old version of Java shipped with Netscape 4.x, as well as the newer plugins.



I quickly diagnosed the problem to be an updated VeriSign CA certificate that the old signing tools did not recognize. Our new certificate was signed by VeriSign Class 3 Code Signing 2004 CA, which from the name, you'd guess has been in use for only the last 6 - 18 months.



Having diagnosed the problem, the solution seemed simple. Install the new CA certificate into signtool's certificate registry, and we're done. So I set about trying to find the CA certificate. This proved far more difficult than it should be, and is the reason why I decided to document this experience so others could benefit.



Clicking around VeriSign's website turned up nothing useful. Any parts of the site that looked like they might contain relevant information quickly took me to a form to enter all my details so a representative could contact me. I don't want to be annoyed by phone calls and emails from your sales droids, VeriSign. I already have a certificate; I just want it to work!



Next step was a Google search. One article I found pointed me to the root certificate download on VeriSign's site, which sounded promising, but alas, the root certificate zip file did not contain the Code Signing 2004 CA.



Eventually, I gave up searching, and started to look more closely at what I had received from VeriSign. I had a Microsoft Code Signing certificate that worked, and a Netscape Object Signing certificate that didn't. I opened up IE and had a look at the certificate that had been installed (Tools menu/Internet Options, Content, Certificates). On the Details panel, I found what I had been looking for. One of the details is labeled Authority Information Access. Under there was a URL for downloading the CA certificate. After downloading that in Netscape, my code signing is now working again.
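
The same lookup can be scripted instead of clicked through. The following is an added example, not part of the original post: it walks a DER-encoded certificate with only the Python standard library and returns the caIssuers URL from the Authority Information Access extension. The sample bytes are a constructed skeleton with placeholder `example.test` URLs, not a real VeriSign certificate, and the helper names are hypothetical.

```python
# Added example: find the caIssuers URL in a certificate's AIA extension (stdlib only).
AIA_OID = bytes.fromhex("2b06010505070101")         # 1.3.6.1.5.5.7.1.1 authorityInfoAccess
CA_ISSUERS_OID = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2 caIssuers
OCSP_OID = bytes.fromhex("2b06010505073001")        # 1.3.6.1.5.5.7.48.1 ocsp
def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def ca_issuer_urls(der_bytes):
    """Return every caIssuers URI in the certificate's AIA extension."""
    urls, stack = [], children(der_bytes)
    while stack:
        tag, val = stack.pop()
        kids = children(val) if tag & 0x20 else []  # only constructed tags nest
        if tag == 0x30 and len(kids) >= 2 and kids[0] == (0x06, AIA_OID):
            for _, access in children(children(kids[-1][1])[0][1]):  # extnValue
                method, location = children(access)
                if method[1] == CA_ISSUERS_OID and location[0] == 0x86:  # [6] URI
                    urls.append(location[1].decode("ascii"))
        else:
            stack.extend(kids)
    return urls

def der(tag, *parts):
    """DER-encode one element; only used to build the sample (bodies < 256 bytes)."""
    body = b"".join(parts)
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])) + body
# Constructed sample: certificate skeleton carrying only an AIA extension.
aia = der(0x30,
    der(0x30, der(0x06, OCSP_OID), der(0x86, b"http://ocsp.example.test")),
    der(0x30, der(0x06, CA_ISSUERS_OID), der(0x86, b"http://ca.example.test/issuing-ca.cer")))
ext = der(0x30, der(0x06, AIA_OID), der(0x04, aia))
SAMPLE = der(0x30, der(0x30, der(0xA3, der(0x30, ext))), der(0x03, bytes(33)))
```

For a PEM file, convert it first with `ssl.PEM_cert_to_DER_cert`. The caIssuers URL is normally plain HTTP, so check that the downloaded certificate chains to a root you already trust before adding it to a signing tool's certificate database.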
