[an error occurred while processing this directive] [an error occurred while processing this directive]
Home > Support

Code Signing FAQs



The links displayed below contain information on using third-party signing tools such as Microsoft Authenticode and the Netscape Signing Tool. Click the Appropriate Signing Application Below:

   Marimba Castanet
   Microsoft Authenticode IE5.0 or Higher
   Microsoft Office 2000 & VBA
   Netscape Object Signing
   Sun Java Signing



Marimba Castanet

When I download a piece of software over the Internet, my Castanet tuner shows me a VeriSign "certificate." What does this certificate mean?
Display of the VeriSign software publisher certificate provides end users with assurance of the identity of the individual or organization who published this piece of software and with assurance that the software has not been altered or tampered with since it left the software publisher. VeriSign maintains rigorous procedural and quality control standards in the authentication of publishers and in the creation, issuance, and maintenance of certificates. These standards are documented in the VeriSign Certification Practices Statement (CPS). For more information, please see www.verisign.com/repository/CPS. Given this information and assurance, end users can make an informed decision about downloading this software from the Internet.

What kinds of content can I sign with Channel Signing IDs?SM?
Any content distributed over a Marimba Castanet channel can be signed. Examples include: text, multimedia, JavaScripts, HTML pages, Java applets, Java applications, and Marimba Bongo presentations. Signed objects can be anything which will be distributed over a Marimba Castanet channel. Examples include: text, multimedia, HTML pages, Java applets, JavaScripts, plugins, or any other kind of code.

How do I sign content using Channel Signing IDs?
Signing code is a very quick process, and needs to be done only once, just before distribution. Software publishers can step through the code-signing process easily within a few minutes. Signing a channel is easy once you receive your Channel Signing Digital ID from VeriSign. The Castanet Publisher helps you request and install your ID and then allows you to sign channels with it. However, it currently takes 3-5 days to issue new certificates; be sure to allow for this delay in your publishing schedule. For publishers, content signing requires just nine steps: To sign a channel:
  1. Download the latest version of Marimba's Castanet Technology (later than v1.1).
  2. Start the Castanet publisher and set the normal publishing properties.
  3. From the Security tab, click Request Certificate.
  4. Apply for a Channel Signing Digital ID using the instructions in the wizard that appears. As part of the application process, VeriSign will ask a number of important questions about you and your organization, which it will use to authenticate your identity. Identity authentication is an involved, highly manual process. Once you have completed the application, it will take approximately 3-5 days to verify your information and issue a Digital ID.. At the end of this process, you will have both a VeriSign certificate and a private key that you must store securely. You will need both to sign your content.
  5. After you receive your Channel Signing PIN, return to the Security tab in the Castanet publisher and click Install. You will need to provide the PIN that came in the email message from VeriSign. You must install your certificate using the same copy of the Castanet publisher application that you used during the request process. (At the end of this process, you will have both a VeriSign certificate and a private key that is stored securely. You will need both to sign your channels.)
  6. Select your certificate from the certificate list and check the Enable Channel Signing checkbox. Select the appropriate channel signing options for the channel
  7. Click Apply to save your changes. When you're ready to publish the channel, click Publish. The publisher sends your channel to your transmitter. Subscribers to your channel will see that the channel is signed and can examine your certificate.
  8. Note: You will need to enroll for and install your Digital ID using the same copy of Marimba Castanet.
  9. Sign your files
    Information on signing files using Marimba Castanet may be found in the Marimba HELP file.


I am a developer outside of the United States and Canada. How can I get a Channel Signing ID?
International commercial publishers can obtain a Digital ID from VeriSign, if they have a Dun & Bradstreet number or written, translated proof of company registration (e.g. Articles of Incorporation).

What can I do to speed up the issuance process?
Because Digital IDs are only issued after significant, and highly manual, authentication procedures, turn around times for these certificates are not immediate. Nevertheless, you can speed the process by:
  • Using a proper Dun & Bradstreet DUNS number as your Organizational Proof of Right. (Almost ALL organizations have DUNS numbers. You can look yours up by going to www.dnb.com).
  • Pay by credit card
  • Check and re-check all information on your enrollment form for completeness and accuracy
  • Make sure that the person who is chosen as the Organizational Contact is: a duly authorized employee of your organization, informed about Digital IDs, and easily available for contact. (We must speak directly with the organizational contact before issuing a Digital ID.)


Will Software Publisher Digital IDs purchased for use with Microsoft Authenticode work for Channel Signing?
Unfortunately, no. Due to technological differences between Authenticode, and Channel Signing, as well as differences in the security and authentication policies of Microsoft and Marimba, software publishers will need to obtain separate software signing certificates if they wish to sign code for Authenticode. VeriSign is actively investigating options for making these certificates interoperable.

Where are my private key and certificate stored?
You were prompted for a location to store your private key when you enrolled for your Digital ID. Most people choose to store a copy of their private key on a diskette which is kept in a secure location, with the extension *.p12

How can I view a channel signing certificate in the Castanet environment?
To view your certificate, you can view a certificate using the Castanet publisher or the Castanet tuner. To view your certificate using the publisher:
  • Open Castanet publisher
  • Select any channel for editing
  • Click the Security tab
  • Select the certificate you want to view
  • Click View Certificate
To view a certificate using the tuner:
  • Open the Tuner
  • From the Channels tab, select a channel published with the certificate you want to view (signed channels have a pen icon in the channel security column)
  • Select Channel Security from the Channel menu
  • Click Certificate.


How long is a certificate valid? What happens once it expires?
A certificate is valid for one year. You can check the validity dates of your certificate by viewing the certificate. For more information on viewing a certificate, refer to "How can I view a channel signing certificate in the Castanet environment?" in this FAQ. In addition, users attempting to download signed objects after the expiration date will be informed that the certificate has expired. In some cases, this will mean that, by default, they will not be able to download the signed objects. Therefore, in considering your product lifecycle, you will want to renew your Digital ID, and re-sign objects with it, on a regular basis. For your convenience, VeriSign will notify you three weeks before your ID is due to expire.

Is there timestamping associated with Channel Signing IDs?
Not at this time. However, Marimba and VeriSign are exploring this option.

Is VeriSign offering Class 2 Individual Channel Signing IDs?
No. Given the nature of the Marimba Castanet product, we did not feel that a Class 2 ID would provide appropriate security for this environment.

How much are Channel Signing IDs?
Channel Signing IDs are $400 each. There is no discount at this time for volume purchases.
  • Digital ID is valid for one year
  • Includes full-lifecycle services
  • Includes $100,000 in NetSure protection.


What is NetSure?
NetSure is a program which guards against economic loss due to theft, impersonation, corruption or loss of use of a VeriSign Digital ID. This groundbreaking protection program for Internet commerce was developed with, and is backed by, one of the country's leading insurance underwriters - United States Fidelity & Guaranty Company (USF&G). For more details, please see www.verisign.com/repository/index.html

Where should I go if I have more questions?
For questions regarding the use of your Marimba Transmitter or Tuner, please call Marimba directly, or visit www.marimba.com/ For questions regarding your Digital ID, including installation, revocation, renewal, etc. please write to http://www.verisign.com/support/contact.html.

Microsoft Office 2000 & VBA

I have checked the "Always Trust" check box after verifying a signature signed by Microsoft's VBA signer. Where can I see a list of all my "trusted sources".

The list of "trusted sources" is stored within the application that the signature is attached to, for example if you have trusted a signature on an Excel document you will use the following path to see your "trusted sources" TOOLS/MACRO/SECURITY/TRUSTED SOURCES.

Sun Java Signing

Q. What is the VeriSign Sun Java Signing Digital ID used for?

A. It is used to sign a Java applet, which is a small program written using the Java SDK.

Q. Who would want to purchase the VeriSign Sun Java Signing Digital ID?

A. Developers who want to distribute his/her software (java applets) over the network to a number of users. A developer would sign the Java applet using the Digital ID and distribute the signed code. The signed applet downloads at runtime and executes in the context of a JVM hosted by the browser.

This would allow the users to:
  1. Identify the Java applet signers: Signed Java applets include digital signatures that allow users to identify the signer i.e. developer
  2. Detect tampering: With the help of digital signatures, Sun Java Signing allows users to determine if someone other than the signer has modified the applets.
  3. Determine what an applet wants to do: When the Java applet needs access to local system resources, the browser displays a dialog box that shows the user what kind of access it wants to have. These three features provide the end user with a context for making decisions about downloaded code.


Q. What are the minimum requirements to use the Sun Java Signing Digital ID?

A. Special requirements: Tools/SDK version:
  1. The Java Applet needs to be written using the Java 2 SDK v1.3. (J2SEv1.3 is the first SDK from Sun with an RSA signature provider). Download available at http://java.sun.com/j2se/1.3/
  2. Java Plug-in v1.3: This allows web page authors to direct Java applets on their web pages to run using Sun's Java Runtime Environment (JRE) instead of the browser's default run time environment and hence be confident that the applets are executed with full support for all of the features and capabilities of Java 2 SDK 1.3 in Microsoft's IE 5.0 or later, and Netscape's Navigator 4.0 or later on various Win32 platforms and Solaris platforms.

    Download available at: http://java.sun.com/products/plugin/index.html.


Q. When downloading the signed applet, the security dialog does not pop up. Why?

A. If the JAR file is not signed properly, if the RSA certificate has expired, or if the RSA certificate is a self-generated self-signed certificate, Java Plug-in may fail silently and will not pop up the security dialog. The applet will be treated as unsigned.

Instructions for signing files with a Java Object Signing ID can be found at: http://java.sun.com/products/plugin/1.3/docs/rsa_signing.html

Q. The Netscape Signing Tool complains about "Invalid Jar File Format". The JAR file file was created using JAR tool. Why am I getting this error?

A. The Netscape Signing Tool is very particular about JAR file format. In Netscape Signing Tool, it expects the MANIFEST file to be at the end of the JAR file, whereas Jarsigner puts it at the beginning.

Q. The standard does not mandate where the MANIFEST should be in the JAR file. Therefore, if you create a JAR file using Jar tool, the Netscape Signing Tool may complain about "Invalid Jar File Format". On the other hand, Jarsigner is not picky; it can verify JAR files regardless of whether their MANIFEST is at the beginning or at the end. To workaround this problem when using Netscape Signing Tool, you should generate the JAR file and sign it through the tool itself. hat kind of file can be signed with the Java Object Signing ID?

A. To sign applets with RSA certificates with Jarsigner, the applets must be bundled as JAR files. Jar tool is provided as part of the Java 2 Software Development Kit.

Information for using Jar tool can be found under "Java Applets" at the following URL: http://java.sun.com/products/plugin/1.3/docs/rsa_signing.html

Q. What kind of file can be signed with the Java Object Signing ID?

A. To sign applets with RSA certificates with Jarsigner, the applets must be bundled as JAR files. Jar tool is provided as part of the Java 2 Software Development Kit. Information for using Jar tool can be found under "Java Applets" at the following URL:

http://java.sun.com/products/plugin/1.3/docs/rsa_signing.html Q. Why You Should Install Java Plug-in?

A. With Java Plug-in installed in your browser, it will use the Java 2, Standard Edition runtime environment when encountering an applet-rather than its own default Java runtime. This provides the applet with the latest features and capabilities of Java 2 technology and eliminates the inconsistencies of an unknown runtime.

Q. What Platforms Does Java Plug-in Support?

Java Plug-in supports the following platforms:
  • Solaris SPARC
  • Solaris Intel
  • Windows 95/98/2000/NT 4.0 (Intel Platform)
  • Linux (x86 Platform)


Q. How do I Install Java Plug-in?

STEP 1: Check Your System Requirements:
Windows:
  • Internet Explorer 4.0 or higher, Netscape 4.0 or higher
  • Pentium 166 Mz or faster processor
  • System RAM: 32 MB minimum-48 MB or more recommend

Solaris:
  • Solaris 2.6, 7 or 8.
  • Recommended and required patches should be installed. (The list of patches can be found at http://java.sun.com/j2se/1.3/install-solaris-patches.html)
  • For x86 version of Solaris, 486/DX or faster processor.
  • System RAM: 32 MB minimum-48 MB or more recommendedbr>
    Java Plug-in supports the following platforms:
    • Solaris SPARC
    • Solaris Intel
    • Windows 95/98/2000/NT 4.0 (Intel Platform)
    • Linux (x86 Platform)


    Q. How do I Install Java Plug-in?

    STEP 1: Check Your System Requirements:
    Windows:
    • Internet Explorer 4.0 or higher, Netscape 4.0 or higher
    • Pentium 166 Mz or faster processor
    • System RAM: 32 MB minimum-48 MB or more recommend

    Solaris:
    • Solaris 2.6, 7 or 8.
    • Recommended and required patches should be installed. (The list of patches can be found at http://java.sun.com/j2se/1.3/install-solaris-patches.html)
    • For x86 version of Solaris, 486/DX or faster processor.
    • System RAM: 32 MB minimum-48 MB or more recommended.

    Linux:
    • Red Hat Linux 6.1
    • Linux Kernel v 2.2.12 and glibc v 2.1.2.
    • System RAM: 32 MB minimum-48 MB or more recommend.
    • 16-bit color mode, KDE and KWM window managers.

    STEP 2: Download Java Runtime Environment (JRE)
    Download Java Runtime Environment (JRE), which includes the Java Plug-in.
    where JRE Version is the version you want to download; for example, 1.3 Select the appropriate download type according to your OS and Platform.
    STEP 3: Install the JRE by following the installation instructions:
    Windows:
    After downloading the file, double-click on its icon to run the installer. Follow the instructions the installer provides.
    Solaris & Linux:
    Make sure that execute permission is set on the self-extracting binary. Change directory to the desired install location, then run the self-extracting binary.
    For example, on Sparc: 
    chmod +x j2re-1_3_0-solsparc.bin 
j2re-1_3_0-solsparc.bin

    STEP 4: Set NPX_PLUGIN_PATH (NETSCAPE on Solaris or Linux ONLY):
    NOTE: If you use Internet Explorer or Netscape on Windows, GO TO STEP 5.
    1. Set the environment variable NPX_PLUGIN_PATH to the directory containing the javaplugin.so file. For example, in the default installation on Sparc:
    • export NPX_PLUGIN_PATH=/usr/j2se/jre/plugin/sparc/ns4 (for Netscape 4.x) (bourne/bash shell).
    • export NPX_PLUGIN_PATH=/usr/j2se/jre/plugin/sparc/ns600 (for Netscape 6.0 browser)
    • setenv NPX_PLUGIN_PATH /usr/j2se/jre/plugin/sparc/ns600 (csh shell).

    2. Start your Netscape browser (from the terminal where you set NPX_PLUGIN_PATH), or restart if it is already running.
    Note: With Linux and Netscape 6.0 you do not set the NPX_PLUGIN_PATH environment variable, but instead make a soft link from netscape/plugins to 
    jre/plugin/i386/ns600/libjavaplugin_oji.so

    Example: ln -s 
    jre/plugin/i386/ns600/libjavaplugin_oji.so netscape/plugins/
    . Where, jre is the path to your Java Runtime Environment (JRE) installation.
    3. Restart your browser a second time (this is a Netscape bug workaround).
    STEP 5: Test your browser
    Your browser should now be ready to display Java 2 applets.
    Go to
    http://java.sun.com/products/plugin/1.3/demos/applets.html .
    Click on any one of the demos to see if it works in your browser.

    Converting Your HTML Pages (For Web Page Authors and Developers ONLY)
    In order for the Java Plug-in to be used for running applets on your web pages, you will need to convert (modify) some of the html tags on those pages. In order to help you do this, an HTML Converter has been provided.
    1. Download the HTML Converter from http://java.sun.com/products/plugin/(JRE Version)/converter.html
    2. Unzip the HTML Converter zip file to the directory of your choice. On Windows: Use WinZip version 7.0 or higher to unzip the file. On Solaris or Linux : Type in unzip filename.zip. For example, unzip htmlconv-1_3_0_01.zip
    3. Launch the GUI version of the converter:
    At the command line, cd to the HTML Converter Directory
    For Java Plug-in version 1.3:
    On Windows: cd into the converter\classes directory.
    Launch the converter with the command:
    java -classpath .
    HTMLConverter on Solaris or Linux: cd into the converter/classes directory. Launch the converter with the command:
    java -classpath .
    HTMLConverter for Java Plug-in version 1.3.0_01 and higher:
    On Windows: Launch the converter with the command:
    java -jar htmlconv1_3_0_01.jar -gui
    On Solaris or Linux: Launch the converter with the command:
    java -jar htmlconv1_3_0_01.jar -gui
    4. Select the folder or file(s) to be converted.
    5. Convert the document(s) by clicking on the "Convert" button.
    Your HTML page now allows applets to be run with the Java Plug-in. If users viewing your pages do not have the plugin installed, they are directed to the Java Plug-in download page.
    For instructions with more detail, please refer to
    http://java.sun.com/products/plugin/1.3/docs/htmlconv.html
    Help for Applet Debugging
    Using the Java Console:
    1. Start the Java Plug-in Control Panel to set various options for the Plug-in: On Windows: From the Windows Control Panel, double-click the Duke icon labeled "Java Plug-in Control Panel".
    On Solaris and Linux: Launch the Control Panel executable file, which is located at JRE Installation Directory/jre/bin/ControlPanel
    1. Show Java Console: You can select this option (it is unchecked by default) to display the Java Console while running applets or JavaBeans components. The console displays messages depending on the options that you set for it. It can be very useful for debugging problems.

    For further information about the Plug-in Control Panel, go to:
    http://java.sun.com/products/plugin/1.3/docs/controlpanel.html

    For more information on applet debugging, go to:
    http://java.sun.com/products/plugin/1.3/docs/debugging.html

    For new information (i.e. news, documentation, latest releases) about the Java Plug-in, refer to:
    http://java.sun.com/products/plugin/index.html

    Java Plug-in Documentation can be found at:
    http://java.sun.com/products/plugin/1.3/docs/index.docs.html

    For miscellaneous questions about Java Plug-in usage and deployment, see the Java Plug-in FAQs at:
    http://java.sun.com/products/plugin/1.3/plugin.faq.html

    If your question is not answered in the FAQ, please send e-mail to:java-plugin-feedback@sun.com
[an error occurred while processing this directive]