
code signing - a few questions

 
adam spline
Greenhorn
Posts: 18
Hi all,

I am working on an application (and applet) that needs to be signed (not just self-signed). I am looking at using GoDaddy.

Unlike most things in the Java world, with code signing it does not seem to be easy to test things without putting out the cash first. So, I would like to ask some quick questions.

[1] For Java signing, I imagine you can use any computer to sign the code (i.e. it does not need to be signed on the computer that is the webserver). Correct?

[2] Is there any relationship between the computer I use to sign the code and the signed code itself? For example, let's say I buy a code signing cert from GoDaddy, but then I change my development computer. Can I still use that same cert on a different computer, or is it somehow "linked" to the computer that is used? In other words, if my dev machine crashes, will I need to buy a new cert from GoDaddy (or wherever)?

[3] Has anyone used GoDaddy for code signing? Are there any gotchas?

[4] I assume that once a code is properly signed, it should work on any platform with a proper JVM... correct?

Anyway, just thought I would ask these questions before I put out the cash with GoDaddy.

Thanks,

-Adam
 
Gregg Bolinger
Ranch Hand
Posts: 15304
[1] Yes, you can use a self-signed cert created from your computer. Technically, you can put this in production and it will work. But since it is your cert, people might be reluctant to trust it.

[2] I'm about 85% sure the answer to this question is you can use the same cert. It's been several years since I've had to do anything with applet signing in production.

[3] No, I didn't. The company I worked for bought the cert and I don't remember who from.

[4] Correct.
 
Ulf Dittmer
Rancher
Posts: 42968
Agree with Gregg. As to #2, yes - the certificate is portable, so it doesn't matter on which machine it's used.

Note that there are different classes of certificates, though, e.g. certificates that are meant to be used for SSL are bound to a specific server name - needless to say, that's not what you want.
 
Paul Clapham
Sheriff
Posts: 21322
[2] Yes, when my company bought the Verisign certificate, I signed the applet on my development machine and deployed it to the web server. No problems.

[3] I didn't even know that GoDaddy was in the certificate business. Anyway, if it is, the gotcha would be that the customer's browsers might not recognize their certificates as trusted. Browsers are shipped with code to recognize certificates from the well-known trust-sellers like Verisign and Thawte but not necessarily others. Perhaps GoDaddy has a sample applet which they can demonstrate their certificates with.
 
Ulf Dittmer
Rancher
Posts: 42968
Paul Clapham wrote: the gotcha would be that the customer's browsers might not recognize their certificates as trusted. Browsers are shipped with code to recognize certificates from the well-known trust-sellers like Verisign and Thawte but not necessarily others.

Actually, these days the standard browsers ship with certificates from lots of providers - my Firefox has dozens of them, including GoDaddy. You can view them via Preferences -> Advanced -> Encryption -> View Certificates. (My list had several outdated certificates, and some by providers I considered suspect, so I deleted those.)

According to http://en.wikipedia.org/wiki/Certificate_authority#Providers, GoDaddy actually has a market share of >20%.
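
Added example (not from any poster in this thread): a sketch of the portability point in question [2], using a throwaway self-signed key so nothing has to be bought first. The alias, DN, password and file names are constructed placeholders, and a JDK with keytool, jar and jarsigner on the PATH is assumed. The signing identity is the keystore entry (private key plus certificate chain), so whoever holds a copy of that file and its password can sign as you; back it up and protect it accordingly.

```shell
#!/bin/sh
# Constructed demo: alias, DN, password and file names are placeholders.
# Needs a JDK on PATH (keytool, jar, jarsigner).

move_and_sign() {
    work=$(mktemp -d) || return 1
    pass=changeit                     # demo password only, never reuse
    a="$work/machineA.p12"            # keystore on the original dev machine
    b="$work/machineB.p12"            # keystore on the replacement machine

    # "Machine A": key pair plus self-signed test certificate. For a CA-issued
    # certificate you would create a CSR with keytool -certreq and import the
    # CA's reply into this same alias with keytool -importcert.
    keytool -genkeypair -alias codesign -keyalg RSA -keysize 2048 \
        -dname "CN=Example Test Signer" -validity 30 \
        -keystore "$a" -storetype PKCS12 -storepass "$pass" \
        >/dev/null 2>&1 || return 1

    # Move to "machine B": copy the entry (private key and certificate chain).
    keytool -importkeystore -noprompt -srcalias codesign \
        -srckeystore "$a" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$b" -deststoretype PKCS12 -deststorepass "$pass" \
        >/dev/null 2>&1 || return 1

    # Both keystores must now hold the identical certificate.
    ca=$(keytool -exportcert -rfc -alias codesign -keystore "$a" \
        -storetype PKCS12 -storepass "$pass" 2>/dev/null)
    cb=$(keytool -exportcert -rfc -alias codesign -keystore "$b" \
        -storetype PKCS12 -storepass "$pass" 2>/dev/null)
    if [ -z "$ca" ] || [ "$ca" != "$cb" ]; then rm -rf "$work"; return 1; fi

    # Sign a throwaway JAR with machine B's copy, then verify the signature.
    echo "hello" > "$work/hello.txt"
    jar cf "$work/app.jar" -C "$work" hello.txt || return 1
    jarsigner -keystore "$b" -storetype PKCS12 -storepass "$pass" \
        "$work/app.jar" codesign >/dev/null 2>&1 || return 1
    verified=$(jarsigner -verify "$work/app.jar" 2>&1 | grep -c "jar verified")
    rm -rf "$work"
    [ "$verified" -ge 1 ] && echo "portable: jar verified"
}
# Usage: move_and_sign   -> prints "portable: jar verified"
```

jarsigner will still warn that the signer certificate is self-signed; that warning is the trust question from [3], separate from whether the key can move between machines.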