It took myself and 3 support guys and gals from GlobalSign to finally get this working.
I really like the idea of the USB Token as my understanding is it’s quite portable. I can move the USB Key to any computer and as long as I have the drivers installed, I should in theory be able to sign my software. In this case, it’s an Adobe AIR app.
My setup is a Mac using AIR 27, but I don’t think the version of AIR will matter as long as it’s not overly dated. Make note of the version of Java you have, though, and match up the paths below with it. This works fine with a 64-bit version of Java.
It basically all boils down to the following.
- You apply for the code signing certificate from an authority. In my case this time, GlobalSign. You will need to go through an application process that involves proof of your business including phone number and address.
- They will send you an email when the application is approved and SNAIL MAIL you out the USB key with the token on it. This took about a week to get from New York to Edmonton CA. I was stumped a bit, because I never received the certificate pickup email, so I had to contact them to rectify this. It took about 1 day to get that sorted out.
- You install the drivers for the USB token, in this case it was a SafeNet Authentication Client for your OS.
- You pick up the certificate via the email from the authority after everything is approved. In the case of GlobalSign, you MUST use Internet Explorer to do this. Thank goodness for BootCamp.
- Plug the token in, and it will ask you to immediately change the password for the token. I believe the default was 1234567890 or 0123456789, I can’t recall which, but it was documented on GlobalSign’s website. Then you import the certificate into the USB Token. Now it’s portable 🙂
- Now take note of the “Container Name” of your certificate in the My Token > User Certificates > CompanyName Private Key. You’ll need this to run the final signing command.
Now that your token is all set up on the USB, the next trick (which was the hard part) is figuring out the correct steps to actually sign the software. By now, I’ve moved the USB Key back to my development Mac.
1. Edit the AIR ADT.
Step 1 is to edit the AIR ADT in a simple text editor (I used Visual Studio Code). The ADT should look like the following
```sh
#!/bin/sh
here=$(dirname "$0")
# Full path to the java binary; adjust it to the JDK version installed on your machine.
/Library/Java/JavaVirtualMachines/jdk1.8.0_144.jdk/Contents/Home/bin/java -Dfile.encoding=UTF-8 -jar "$here/../lib/adt.jar" "$@"
```
2. Create an eToken.cfg File
```
name=eToken
library=/usr/local/lib/libeTPkcs11.dylib
slot=0
```
Put this file next to the adt.
3. Editing the Java.Security File
Open the java.security file from your Java Runtime Environment (JRE) installation.
win: C:\Program Files\Java\jdk1.8**\jre\lib\security
and add the following lines after:
4. Building the AIRI file
Now, build the package as you normally would, but be sure to build an .airi file instead of an .air file. Because we’re not migrating here, we need an unsigned file.
5. Signing the File
Now everything is set. Using Terminal (or the command prompt), put everything in the bin folder of the AIR SDK where the adt is located, so your folder should have the following files
And run the following line:
```sh
./adt -sign -tsa http://timestamp.globalsign.com/scripts/timestamp.dll -storetype PKCS11 -alias "CONTAINER_NAME" -providerName SunPKCS11-eToken MyApp.airi MyApp-Signed.air
```
If all worked, you will be prompted for your password (this is your token password), and then you should see the USB Key flash a bit, and you will have your newly signed output file.
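
A preflight check for steps 2 and 5, as an added example that is not part of the original post. Java registers the provider as `SunPKCS11-` plus the `name=` value from eToken.cfg, so that value has to match `-providerName`, and the `library=` line names native code the JVM loads while the token is unlocked, so neither file should be writable by other users. The function names and exit codes are this example's own.

```shell
#!/bin/sh
# Added example: sanity-check the SunPKCS11 config before running `adt -sign`.
# Function names and exit codes are illustrative, not part of adt or Java.

# Print the value of KEY from a key=value config file (first match, trimmed).
cfg_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | sed 's/[[:space:]]*$//' | head -n 1
}

# preflight CFG PROVIDER_NAME
# Returns 0 when CFG is consistent with the -providerName value, else a
# non-zero code with the reason on stderr.
preflight() {
    cfg=$1; provider=$2
    [ -f "$cfg" ] || { echo "missing config: $cfg" >&2; return 2; }
    name=$(cfg_get name "$cfg")
    lib=$(cfg_get library "$cfg")
    slot=$(cfg_get slot "$cfg")

    # The provider name is "SunPKCS11-" followed by the name= value.
    if [ "SunPKCS11-$name" != "$provider" ]; then
        echo "provider mismatch: config gives SunPKCS11-$name, command uses $provider" >&2
        return 4
    fi
    # A relative library path would be resolved against the working directory.
    case $lib in /*) ;; *) echo "library must be an absolute path: $lib" >&2; return 5 ;; esac
    [ -f "$lib" ] || { echo "PKCS#11 library not found: $lib" >&2; return 6; }
    # Anyone who can rewrite the config or the library controls what gets loaded.
    for f in "$cfg" "$lib"; do
        if [ -n "$(find -L "$f" -perm -0002 2>/dev/null)" ]; then
            echo "world-writable: $f" >&2
            return 7
        fi
    done
    case $slot in ''|*[!0-9]*) echo "slot must be a number: $slot" >&2; return 8 ;; esac
    return 0
}

# Usage: sh preflight.sh eToken.cfg SunPKCS11-eToken
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```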