Dear,
I’m using launch4j to create Windows exe from jar.
I would use sign4j to sign exe but not undarstand how use it.
I’ve read the readme file where you say “This manipulation must be done atomically with the signing process, because doing it before would invalidate the jar file, while doing it later would break the signature.”
Somebody, can you explaine me how using sign4j with launch4j ?
Are there some configuration examples ?
Regards,
Rinaldo
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
These commands work for me. Build your .exe using launch4j as you would normally. Then generate a one time key that you will use every time you sign it.
Dear Grzegorz,
Sorry but I not understand as use sign4j to sign.
I try to explain you:
1) I've my executable jar exported with Ecplise (for example my.jar)
2) I've launch4j installed (that already use to create Windows my.exe from my.jar)
3) I've folder named sign4j in launch4j package
From this situation, what I must do to arrive a signed exe (for example my_signed.exe) ?
I must produce before my.exe and then sign to to trasform in my_signed.exe ?
Or other ?
Can you write me a command/commands to using sign4j to produce a signed my_signed.exe ?
Or maybe i must modified build.xml of launch4j to insert into sign4j too ?
Regards,
Rinaldo
Last edit: Rinaldo Lisario 2018-08-21
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
You have to create the test certificate once, for example like this: "c:\Program Files\Java\jre-10.0.1\bin\keytool.exe" -genkeypair -alias Rinaldo.com -keyalg RSA -keystore keystore.jks
I will put some batch files and the jsign tool to demonstrate this in future releases.
You could also use other signing tools but this should work fine.
Just remember that this will create a test certificate which is not valid, and rather will not prevent antivirus false positives. You would need to buy a cert from a trusted certificate authority.
Best regards,
Grzegorz
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Grzegorz, do you have any suggestions for me ?!?
Is there other way to prevent antivirus false positives ?
If I load my exe on virus total, it founds this:
- Jiangmin - TrojanSpy.Java.c
- McAfee-GW-Edition - BehavesLike.Win32.Suspicious-JAR.wc
Regards,
Rinaldo
Grzegorz, do you have any suggestions for me ?!?
Is there other way to prevent antivirus false positives ?
If I load my exe on virus total, it founds this:
- Jiangmin - TrojanSpy.Java.c
- McAfee-GW-Edition - BehavesLike.Win32.Suspicious-JAR.wc
Regards,
Rinaldo
Is there other way to prevent antivirus false positives ?
If I load my exe on virus total, it founds this:
- Jiangmin - TrojanSpy.Java.c
- McAfee-GW-Edition - BehavesLike.Win32.Suspicious-JAR.wc
Regards,
Rinaldo
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Is there other way to prevent antivirus false positives ?
If I load my exe on virus total, it founds this:
- Jiangmin - TrojanSpy.Java.c
- McAfee-GW-Edition - BehavesLike.Win32.Suspicious-JAR.wc
Dear,
I’m using launch4j to create Windows exe from jar.
I would use sign4j to sign exe but not undarstand how use it.
I’ve read the readme file where you say “This manipulation must be done atomically with the signing process, because doing it before would invalidate the jar file, while doing it later would break the signature.”
Somebody, can you explaine me how using sign4j with launch4j ?
Are there some configuration examples ?
Regards,
Rinaldo
keytool -genkey -noprompt -alias alias -dname "CN=CCCCCCCCC, OU=Dev, O=OOOOO, L=LLLLL, S=SSS, C=CC" -keystore keystore.jks -keysize 2048 -keyalg RSA -storepass mypassword -keypass mypassword -validity 3650
java -jar jsign-2.0.jar --keystore keystore.jks --alias alias --storepass mypassword myprogram.exe
I did some experiments but I could never make it work.
Using these commands, I create a keystore and sign my exe.
But then the exe once it's signed does not work anymore
Where is the mistake?
can someone help?
These commands work for me. Build your .exe using launch4j as you would normally. Then generate a one time key that you will use every time you sign it.
"C:\Program Files\Java\jre1.8.0_181\bin\keytool.exe" -genkey -dname "CN=YOURNAME, L=YOURCITY, ST=ST, C=US, OU=, O=YOURURL" -alias YOURURL -keyalg RSA -destkeystore keystore.pfx -keysize 2048 -storetype pkcs12
You can get the jsign-2.0.jar from https://ebourg.github.io/jsign
sign4j.exe javaw -jar jsign-2.0.jar --alias 'YOURURL' --keystore 'keystore.pfx' --storepass 'yourPassword' --storetype PKCS12 'yourprogram.exe'
Last edit: Jeff 2018-08-02
Thank you,
The site for jsign-2.0.jar was known to me.
But where can I get sign4j.exe?
I the only place where I found it is here:
https://github.com/fbergmann/launch4j/tree/master/sign4j
But it's a 16-bit application and it does not work in windows 10.
Is there a more updated site?
Thanks in advance
I downloaded the zip file from https://sourceforge.net/projects/launch4j/files/launch4j-3/3.12/ and it's in there.
It's in the launch4j package you've downloaded, in a folder named sign4j.
It's a 32-bit application that works on Windows 10.
Dear Grzegorz,
Sorry but I not understand as use sign4j to sign.
I try to explain you:
1) I've my executable jar exported with Ecplise (for example my.jar)
2) I've launch4j installed (that already use to create Windows my.exe from my.jar)
3) I've folder named sign4j in launch4j package
From this situation, what I must do to arrive a signed exe (for example my_signed.exe) ?
I must produce before my.exe and then sign to to trasform in my_signed.exe ?
Or other ?
Can you write me a command/commands to using sign4j to produce a signed my_signed.exe ?
Or maybe i must modified build.xml of launch4j to insert into sign4j too ?
Regards,
Rinaldo
Last edit: Rinaldo Lisario 2018-08-21
Dear Rinaldo,
You have to do it as described by Jeff.
"c:\Program Files\Java\jre-10.0.1\bin\keytool.exe" -genkeypair -alias Rinaldo.com -keyalg RSA -keystore keystore.jks
sign4j.exe java -jar jsign-2.0.jar --alias Rinaldo.com --keystore keystore.jks --storepass YOUR_PASSWORD application.exe
I will put some batch files and the jsign tool to demonstrate this in future releases.
You could also use other signing tools but this should work fine.
Just remember that this will create a test certificate which is not valid, and rather will not prevent antivirus false positives. You would need to buy a cert from a trusted certificate authority.
Best regards,
Grzegorz
Grzegorz, do you have any suggestions for me ?!?
Is there other way to prevent antivirus false positives ?
If I load my exe on virus total, it founds this:
- Jiangmin - TrojanSpy.Java.c
- McAfee-GW-Edition - BehavesLike.Win32.Suspicious-JAR.wc
Regards,
Rinaldo
Grzegorz, do you have any suggestions for me ?!?
Is there other way to prevent antivirus false positives ?
If I load my exe on virus total, it founds this:
- Jiangmin - TrojanSpy.Java.c
- McAfee-GW-Edition - BehavesLike.Win32.Suspicious-JAR.wc
Regards,
Rinaldo
Thanks for help Grzegorz.
Is there other way to prevent antivirus false positives ?
If I load my exe on virus total, it founds this:
- Jiangmin - TrojanSpy.Java.c
- McAfee-GW-Edition - BehavesLike.Win32.Suspicious-JAR.wc
Regards,
Rinaldo
Last edit: Rinaldo Lisario 2018-09-04
Grzegorz, do you have any suggestions for me ?!?
Is there other way to prevent antivirus false positives ?
If I load my exe on virus total, it founds this:
- Jiangmin - TrojanSpy.Java.c
- McAfee-GW-Edition - BehavesLike.Win32.Suspicious-JAR.wc
Regards,
Rinaldo
Last edit: Rinaldo Lisario 2018-09-04
Hi,
I have encountered same problem as described here - https://stackoverflow.com/questions/59073220/gradle-launch4j-exe-not-trusted-by-windows-10
Does that mean we need to purchase a commercial digital cert like https://codesigningstore.com/code-signing/comodo-code-signing-certificate , which is costing $83 / year ?
Thanks