Menu

Use sign4j to sign exe created with launch4j

Help
2018-08-02
2022-03-24
  • Rinaldo Lisario

    Rinaldo Lisario - 2018-08-02

    Dear,
    I’m using launch4j to create Windows exe from jar.

    I would use sign4j to sign exe but not undarstand how use it.

    I’ve read the readme file where you say “This manipulation must be done atomically with the signing process, because doing it before would invalidate the jar file, while doing it later would break the signature.”

    Somebody, can you explaine me how using sign4j with launch4j ?
    Are there some configuration examples ?

    Regards,
    Rinaldo

     
  • alayasf

    alayasf - 2018-08-02

    keytool -genkey -noprompt -alias alias -dname "CN=CCCCCCCCC, OU=Dev, O=OOOOO, L=LLLLL, S=SSS, C=CC" -keystore keystore.jks -keysize 2048 -keyalg RSA -storepass mypassword -keypass mypassword -validity 3650
    java -jar jsign-2.0.jar --keystore keystore.jks --alias alias --storepass mypassword myprogram.exe

    I did some experiments but I could never make it work.

    Using these commands, I create a keystore and sign my exe.
    But then the exe once it's signed does not work anymore

    Where is the mistake?
    can someone help?

     
  • Jeff

    Jeff - 2018-08-02

    These commands work for me. Build your .exe using launch4j as you would normally. Then generate a one time key that you will use every time you sign it.

    "C:\Program Files\Java\jre1.8.0_181\bin\keytool.exe" -genkey -dname "CN=YOURNAME, L=YOURCITY, ST=ST, C=US, OU=, O=YOURURL" -alias YOURURL -keyalg RSA -destkeystore keystore.pfx -keysize 2048 -storetype pkcs12

    You can get the jsign-2.0.jar from https://ebourg.github.io/jsign

    sign4j.exe javaw -jar jsign-2.0.jar --alias 'YOURURL' --keystore 'keystore.pfx' --storepass 'yourPassword' --storetype PKCS12 'yourprogram.exe'

     

    Last edit: Jeff 2018-08-02
  • alayasf

    alayasf - 2018-08-02

    Thank you,
    The site for jsign-2.0.jar was known to me.
    But where can I get sign4j.exe?
    I the only place where I found it is here:
    https://github.com/fbergmann/launch4j/tree/master/sign4j

    But it's a 16-bit application and it does not work in windows 10.
    Is there a more updated site?

    Thanks in advance

     
  • Grzegorz Kowal

    Grzegorz Kowal - 2018-08-11

    It's in the launch4j package you've downloaded, in a folder named sign4j.
    It's a 32-bit application that works on Windows 10.

     
    • Rinaldo Lisario

      Rinaldo Lisario - 2018-08-21

      Dear Grzegorz,
      Sorry but I not understand as use sign4j to sign.

      I try to explain you:
      1) I've my executable jar exported with Ecplise (for example my.jar)
      2) I've launch4j installed (that already use to create Windows my.exe from my.jar)
      3) I've folder named sign4j in launch4j package

      From this situation, what I must do to arrive a signed exe (for example my_signed.exe) ?
      I must produce before my.exe and then sign to to trasform in my_signed.exe ?
      Or other ?
      Can you write me a command/commands to using sign4j to produce a signed my_signed.exe ?

      Or maybe i must modified build.xml of launch4j to insert into sign4j too ?

      Regards,
      Rinaldo

       

      Last edit: Rinaldo Lisario 2018-08-21
  • Grzegorz Kowal

    Grzegorz Kowal - 2018-08-23

    Dear Rinaldo,

    You have to do it as described by Jeff.

    1. You have to create the test certificate once, for example like this:
      "c:\Program Files\Java\jre-10.0.1\bin\keytool.exe" -genkeypair -alias Rinaldo.com -keyalg RSA -keystore keystore.jks
    2. Download jsign-2.0.jar from https://ebourg.github.io/jsign and put it to the sign4j folder.
    3. Create the executable using launch4j as you usualy do.
    4. Run:
      sign4j.exe java -jar jsign-2.0.jar --alias Rinaldo.com --keystore keystore.jks --storepass YOUR_PASSWORD application.exe

    I will put some batch files and the jsign tool to demonstrate this in future releases.
    You could also use other signing tools but this should work fine.
    Just remember that this will create a test certificate which is not valid, and rather will not prevent antivirus false positives. You would need to buy a cert from a trusted certificate authority.

    Best regards,
    Grzegorz

     
    • Rinaldo Lisario

      Rinaldo Lisario - 2018-09-04

      Grzegorz, do you have any suggestions for me ?!?
      Is there other way to prevent antivirus false positives ?
      If I load my exe on virus total, it founds this:
      - Jiangmin - TrojanSpy.Java.c
      - McAfee-GW-Edition - BehavesLike.Win32.Suspicious-JAR.wc
      Regards,
      Rinaldo

       
    • Rinaldo Lisario

      Rinaldo Lisario - 2018-09-04

      Grzegorz, do you have any suggestions for me ?!?
      Is there other way to prevent antivirus false positives ?
      If I load my exe on virus total, it founds this:
      - Jiangmin - TrojanSpy.Java.c
      - McAfee-GW-Edition - BehavesLike.Win32.Suspicious-JAR.wc
      Regards,
      Rinaldo

       
  • Rinaldo Lisario

    Rinaldo Lisario - 2018-08-28

    Thanks for help Grzegorz.

    Is there other way to prevent antivirus false positives ?
    If I load my exe on virus total, it founds this:
    - Jiangmin - TrojanSpy.Java.c
    - McAfee-GW-Edition - BehavesLike.Win32.Suspicious-JAR.wc

    Regards,
    Rinaldo

     
  • Rinaldo Lisario

    Rinaldo Lisario - 2018-08-28
     

    Last edit: Rinaldo Lisario 2018-09-04
  • Rinaldo Lisario

    Rinaldo Lisario - 2018-09-04

    Grzegorz, do you have any suggestions for me ?!?

    Is there other way to prevent antivirus false positives ?
    If I load my exe on virus total, it founds this:
    - Jiangmin - TrojanSpy.Java.c
    - McAfee-GW-Edition - BehavesLike.Win32.Suspicious-JAR.wc

    Regards,
    Rinaldo

     

    Last edit: Rinaldo Lisario 2018-09-04

Log in to post a comment.

Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.