Code Signing Best Practices
Want to keep your software and code safe?
Enter your contact information below below to receive your FREE Best Practices PDF:
“Write once, run everywhere.” This is how Sun Microsystem defined the Java programming language when it released it. A few decades later, Java really does run everywhere — from mobile phones (e.g., Android operating system) to Wikipedia search, and from cloud-based applications to the fascinating NASA WorldWind. Even Minecraft is written in Java!
This programming language is so popular among developers that, in 2023, the adoption rate of its latest long-term (LTS) support release (Java 17) grew by 430% year over year. Does it mean that applications written in Java are also highly secure? It depends. Java digital signature is the publishers’ secret weapon that keeps Java applets and applications secure against attacks and unauthorized manipulation. But what is a Java signature, exactly? What does it do? And why should you bother adding it to your products? It’s time to find out.
Java is a platform-independent, object-oriented (i.e., focused on data rather than commands) programming language used to develop web and mobile applications. Owned by Oracle, it’s easy to write and read, and runs on virtually any device.
Java is used by nearly every company (e.g., Amazon, Cloudflare, Netflix). If you’re like the 3 billion people in this world who have an Android phone, then you’re using Java. It’s the perfect match for Internet of Things (IoT) devices and cloud applications.
Its versatility is a hit, even among the bad guys who exploit it to perpetrate their crimes. Log4j attacks, malware infections, ransomware, you name it. This is where the Java security signature comes in.
A Java digital signature is a cryptographic signature that cannot be forged. It confirms the authenticity and integrity of a code (more on that in a moment), and it’s used by developers to sign Java applications that run on desktops as well as applets running in browsers.
To create a Java digital signature, publishers must first purchase a code signing certificate from a trusted certificate authority (CA); its private key will need to be stored on a secure hardware token (which the CA will issue with it by default) to meet the industry’s new requirements.
In a nutshell, a Java digital signature gives you a way to assert your digital identity on your Java software applications and show they haven’t been tampered with. This is crucial when you consider that nearly 40% of breaches start with malware.
Here’s a useful description of Java digital signatures from O’Reilly:
“Digital signatures can be used to authenticate Java class files and other types of data sent over the network. The author of an object signs the data with his or her digital signature, and we use the author’s public key to authenticate that signature after we retrieve it. We don’t have to communicate with anyone in order to verify the authenticity of the data. We don’t even have to make sure that the communications by which we received the data are secure. We simply check the signature after the data arrives.”
But the next line of the paragraph is important because it asks a critical question: “If it is valid, we know that we have the authentic data and that it has not been tampered with . . . or do we?”
A Java digital signature uses public key cryptography and PKI digital certificates. This potent combination helps a user’s operating system or client:
Interested in learning more about digital signatures? Don’t miss our deep dive into the three uses of digital signatures that can take your security strategy to the next level.
Java can be used to create and sign many types of files, including:
Let’s say you’re a developer or publisher who’s looking to sign your latest application. When applying a digital signature, you hash your code using a cryptographic function and sign the outcome (i.e., digest) with your private key. The signed hash is then packaged with your code signing certificate, a timestamp, and your application.
Voila’. This is your digital signature (i.e., signature block).
When a user downloads/installs or runs your signed application, their client will verify the signature’s validity by comparing the hash value generated with the one included in your signature block. If they match, the integrity and authenticity of the file are confirmed, and they’ll be good to go. If they don’t, they’ll be warned that your software can’t be trusted, and the installation or download will stop.
On top of it, users can also view the Java signature details by simply right-clicking on the downloaded code icon, selecting Properties and the Digital Signature tab.
Discover how code signing works by checking our article that explores the process step by step.
Java security signatures are the magic ingredients that enable software publishers and developers to boost the security of their codes and build digital trust in their products. A Java signature will:
(NOTE: To make the Windows Defender warning window disappear altogether, you’ll need to sign using an extended validation [EV] code signing certificate, which is automatically trusted by Windows operating systems and browsers.)
Image caption: Do you really want your customers viewing this alarming “Unknown Publisher” warning every time they download or run your Java-based executables?
Want to start signing and time stamping your Java applications and .jar files but you don’t know the process? Once you have purchased your Java certificate, and set up your USB token on your device, follow these five simple steps.
Java digital signatures are more than just a signature confirming the authenticity of your products. They safeguard all your Java applications and files from malicious tampering. Adding a Java digital signature using an EV code signing certificate even prevents the display of security alerts during the download and installation processes.
To add a Java signature and timestamp to your applications, .exe, .msi and .jar files, all you need to do is to:
From now on, your application will be cryptographically bound to your Java digital signature. Every time a user runs or downloads the application, their client will be able to validate its integrity. Remember, though: your Java signature’s security is directly proportionate to how carefully your private keys and certificates are stored and managed. Treat them both with care and be sure to follow other code signing best practices.
Want to see how to digitally sign a Java file using a code signing certificate? Be sure to check back on our blog, as we’ll publish a step-by-step article that will walk you through the process of signing .jar files using Windows Command-Line (CMD) using Jarsigner.