Use sign4j to sign exe created with launch4j
Brought to you by:
grzegok
Menu
▾
▴
Dear,
I’m using launch4j to create Windows exe from jar.
I would use sign4j to sign exe but not undarstand how use it.
I’ve read the readme file where you say “This manipulation must be done atomically with the signing process, because doing it before would invalidate the jar file, while doing it later would break the signature.”
Somebody, can you explaine me how using sign4j with launch4j ?
Are there some configuration examples ?
Regards,
Rinaldo
keytool -genkey -noprompt -alias alias -dname "CN=CCCCCCCCC, OU=Dev, O=OOOOO, L=LLLLL, S=SSS, C=CC" -keystore keystore.jks -keysize 2048 -keyalg RSA -storepass mypassword -keypass mypassword -validity 3650
java -jar jsign-2.0.jar --keystore keystore.jks --alias alias --storepass mypassword myprogram.exe
I did some experiments but I could never make it work.
Using these commands, I create a keystore and sign my exe.
But then the exe once it's signed does not work anymore
Where is the mistake?
can someone help?
These commands work for me. Build your .exe using launch4j as you would normally. Then generate a one time key that you will use every time you sign it.
"C:\Program Files\Java\jre1.8.0_181\bin\keytool.exe" -genkey -dname "CN=YOURNAME, L=YOURCITY, ST=ST, C=US, OU=, O=YOURURL" -alias YOURURL -keyalg RSA -destkeystore keystore.pfx -keysize 2048 -storetype pkcs12You can get the jsign-2.0.jar from https://ebourg.github.io/jsign
sign4j.exe javaw -jar jsign-2.0.jar --alias 'YOURURL' --keystore 'keystore.pfx' --storepass 'yourPassword' --storetype PKCS12 'yourprogram.exe'Last edit: Jeff 2018-08-02
Thank you,
The site for jsign-2.0.jar was known to me.
But where can I get sign4j.exe?
I the only place where I found it is here:
https://github.com/fbergmann/launch4j/tree/master/sign4j
But it's a 16-bit application and it does not work in windows 10.
Is there a more updated site?
Thanks in advance
I downloaded the zip file from https://sourceforge.net/projects/launch4j/files/launch4j-3/3.12/ and it's in there.
It's in the launch4j package you've downloaded, in a folder named sign4j.
It's a 32-bit application that works on Windows 10.
Dear Grzegorz,
Sorry but I not understand as use sign4j to sign.
I try to explain you:
1) I've my executable jar exported with Ecplise (for example my.jar)
2) I've launch4j installed (that already use to create Windows my.exe from my.jar)
3) I've folder named sign4j in launch4j package
From this situation, what I must do to arrive a signed exe (for example my_signed.exe) ?
I must produce before my.exe and then sign to to trasform in my_signed.exe ?
Or other ?
Can you write me a command/commands to using sign4j to produce a signed my_signed.exe ?
Or maybe i must modified build.xml of launch4j to insert into sign4j too ?
Regards,
Rinaldo
Last edit: Rinaldo Lisario 2018-08-21
Dear Rinaldo,
You have to do it as described by Jeff.
"c:\Program Files\Java\jre-10.0.1\bin\keytool.exe" -genkeypair -alias Rinaldo.com -keyalg RSA -keystore keystore.jkssign4j.exe java -jar jsign-2.0.jar --alias Rinaldo.com --keystore keystore.jks --storepass YOUR_PASSWORD application.exeI will put some batch files and the jsign tool to demonstrate this in future releases.
You could also use other signing tools but this should work fine.
Just remember that this will create a test certificate which is not valid, and rather will not prevent antivirus false positives. You would need to buy a cert from a trusted certificate authority.
Best regards,
Grzegorz
Grzegorz, do you have any suggestions for me ?!?
Is there other way to prevent antivirus false positives ?
If I load my exe on virus total, it founds this:
- Jiangmin - TrojanSpy.Java.c
- McAfee-GW-Edition - BehavesLike.Win32.Suspicious-JAR.wc
Regards,
Rinaldo
Grzegorz, do you have any suggestions for me ?!?
Is there other way to prevent antivirus false positives ?
If I load my exe on virus total, it founds this:
- Jiangmin - TrojanSpy.Java.c
- McAfee-GW-Edition - BehavesLike.Win32.Suspicious-JAR.wc
Regards,
Rinaldo
Thanks for help Grzegorz.
Is there other way to prevent antivirus false positives ?
If I load my exe on virus total, it founds this:
- Jiangmin - TrojanSpy.Java.c
- McAfee-GW-Edition - BehavesLike.Win32.Suspicious-JAR.wc
Regards,
Rinaldo
Last edit: Rinaldo Lisario 2018-09-04
Grzegorz, do you have any suggestions for me ?!?
Is there other way to prevent antivirus false positives ?
If I load my exe on virus total, it founds this:
- Jiangmin - TrojanSpy.Java.c
- McAfee-GW-Edition - BehavesLike.Win32.Suspicious-JAR.wc
Regards,
Rinaldo
Last edit: Rinaldo Lisario 2018-09-04
Hi,
I have encountered same problem as described here - https://stackoverflow.com/questions/59073220/gradle-launch4j-exe-not-trusted-by-windows-10
Does that mean we need to purchase a commercial digital cert like https://codesigningstore.com/code-signing/comodo-code-signing-certificate , which is costing $83 / year ?
Thanks