[SOLVED] Thawte code signing issuer CA missing

fmeili1
Posts: 2
Joined: 08 Jan 2021, 21:52

[SOLVED] Thawte code signing issuer CA missing

Post by fmeili1 »

Hi,

While launching an application with signed jar files, OpenWebStart complains with the message "The application's digital signature cannot be verified...". The certificate used to sign the jar files is issued from

CN=thawte SHA256 Code Signing CA - G2

and this is issued from

CN=thawte Primary Root CA - G3

I found that only the "CN=thawte Primary Root CA - G3" is available in the OpenWebStart trust store. But the code signing CA "CN=thawte SHA256 Code Signing CA - G2" is missing. So OpenWebStart can't verify the trust chain. After downloading the "CN=thawte SHA256 Code Signing CA - G2" from Thawte and importing it, it works.

It would be great if this well-known code signing CA from Thawte were included by default in the OpenWebStart keystore to verify signed jars. Maybe all applications which are signed with a Thawte code signing certificate will have this issue. The manual step to download and import this missing CA may be an issue for OpenWebStart users.

Here are the details of this missing certificate:
[attachment: thawte SHA256 Code Signing CA - G2.png]
Thanks and regards,
Frank

Stephan Classen
Posts: 232
Joined: 27 Mar 2020, 09:55

Re: Thawte code signing issuer CA missing

Post by Stephan Classen »

Hi

Thank you for reporting this.
OpenWebStart does not maintain a curated collection of certificates. Rather it relies on the JVM which brings a default set of certificates.
With our half-year releases (spring and fall) we also update the bundled JVM and thus the included certificates.

But this is only half of the solution. Besides the bundled JVM, OpenWebStart will also launch a different JVM for the application. The selected JVM is determined by the JNLP and the configuration of OpenWebStart. As a consequence, during the execution of the application the certificates of the selected JVM are available. We do not have any influence on the JVM which is chosen and thus cannot control which certificates will be available.

We are happy to hear that you have found a workaround and hope others will find your solution useful if they encounter the same issue.

Janak Mulani
Posts: 726
Joined: 24 Mar 2020, 13:37

Re: Thawte code signing issuer CA missing

Post by Janak Mulani »

> After downloading the "CN=thawte SHA256 Code Signing CA - G2" from Thawte and imported it, it works.

Just for information, in which JVM's certificate store did you import the above certificate, OWS's bundled JVM or the JVM that you use to run the app?

Thanks

fmeili1
Posts: 2
Joined: 08 Jan 2021, 21:52

Re: Thawte code signing issuer CA missing

Post by fmeili1 »

Hi all,

@Stephan: Thanks for the explanation about the certificate handling. It looks like software vendors which sign jar files should try to find a signing certificate from a CA which uses one of the well-known root CAs for signing instead of relying on some intermediate signing certificates.

@Janak: I've imported it via the OpenWebStart certificate viewer and imported it as a "Trusted Certificate" as "user". The keystore path is shown as /home/<userid>/.config/icedtea-web/security/trusted.certs

Frank
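The chain-building behaviour the thread turns on, as an added illustration that is not part of the forum posts or of the OpenWebStart project: a trust store that holds only the root cannot validate a signer certificate unless the intermediate CA is reachable, either because it travels with the signature or because it was imported as a trusted certificate (Frank's workaround). Java's PKIX validator applies the same rule; this example uses Go's standard-library X.509 verifier instead so it runs without a JDK. All keys and certificates are generated at runtime and the names are constructed stand-ins for the Thawte chain in the first post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TestPKI is a constructed three-level chain: self-signed root, code-signing
// intermediate issued by the root, and a jar-signer leaf issued by the intermediate.
type TestPKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a certificate template valid for the next 24 hours with the
// code-signing extended key usage; CA templates additionally get basic constraints.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// mustCert signs template with the parent's private key and parses the DER back
// into a certificate usable as a parent or as a CertPool entry.
func mustCert(tpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildPKI generates the constructed root -> intermediate -> signer chain.
func BuildPKI() TestPKI {
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	rootTpl := template(1, "Example Primary Root CA (constructed)", true)
	root := mustCert(rootTpl, rootTpl, &rootKey.PublicKey, rootKey)
	inter := mustCert(template(2, "Example SHA256 Code Signing CA (constructed)", true), root, &intKey.PublicKey, rootKey)
	leaf := mustCert(template(3, "Example Vendor jar signer (constructed)", false), inter, &leafKey.PublicKey, intKey)
	return TestPKI{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyCodeSigner tries to build a code-signing chain from the signer certificate
// to a trusted anchor. trusted stands in for the JVM trust store (cacerts or the
// user's trusted.certs); supplied stands in for certificates carried with the
// signature itself. A nil return means a chain was found.
func VerifyCodeSigner(leaf *x509.Certificate, trusted, supplied []*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	for _, c := range supplied {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

func main() {
	p := BuildPKI()
	rootOnly := []*x509.Certificate{p.Root}
	fmt.Println("root trusted, intermediate absent:   ", VerifyCodeSigner(p.Leaf, rootOnly, nil))
	fmt.Println("root trusted, intermediate supplied: ", VerifyCodeSigner(p.Leaf, rootOnly, []*x509.Certificate{p.Intermediate}))
	fmt.Println("intermediate imported as trusted:    ", VerifyCodeSigner(p.Leaf, []*x509.Certificate{p.Root, p.Intermediate}, nil))
}
```

The first call reproduces the "digital signature cannot be verified" situation: the root is trusted, but nothing links the signer to it. The second shows the normal case where the signature carries its intermediate; the third shows the effect of importing the intermediate into a trust store, which is why the import only helps when it lands in the store of the JVM that actually runs the application, as Stephan's reply points out.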

