CertumCodeSigning
RubyInstaller executables are signed with a certificate trusted by Microsoft. It is issued for "Open Source Developer, Lars Kanis". The certificate authority used is Certum. They provide a set consisting of a card reader and a cryptographic smart card for €85 and an annual certificate for €30. These are reduced prices for Open Source Developers. The smart card contains a private key, and the certificate can be downloaded after issuing. Both issuing the certificate and signing the RubyInstaller executables are currently done on Ubuntu.
The activation process of the ordered certificate is done with the help of a Java applet that acts as a proxy from the web application to the smart card.
It requires OpenJDK-8, PCSC and the smart card reader driver to work properly.
So on Ubuntu the following packages are necessary. Since icedtea-netx defaults to OpenJDK-17, the default Java version has to be changed:
sudo apt install openjdk-8-jdk icedtea-netx libpcsclite-dev pcscd libacsccid1
sudo rm /usr/lib/jvm/default-java
sudo ln -sf /usr/lib/jvm/java-8-openjdk-amd64 /usr/lib/jvm/default-java
Then the Java applet can be started on the Certum certificate activation web page or with the downloaded applet manifest like so:
javaws ~/Downloads/CertumCryptoAgent_en.jnlp
If everything works well, the web application can generate an RSA 4096-bit key on the smart card and start the certificate issuing process.
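Before starting the applet, the prerequisites above can be checked in one go. The following script is an added example, not part of the RubyInstaller wiki or its tooling; the function names are hypothetical, and it assumes dpkg and systemd as found on a stock Ubuntu install.

```shell
#!/bin/sh
# Added example: preflight check for the setup on this page. Function names are
# hypothetical; assumes dpkg and systemd as on a stock Ubuntu install.
JVM_DIR=/usr/lib/jvm
REQUIRED_PKGS="openjdk-8-jdk icedtea-netx libpcsclite-dev pcscd libacsccid1"

# Succeeds if the given `java -version` output reports a 1.8.x (Java 8) runtime.
is_java8() {
  printf '%s\n' "$1" | grep -Eq 'version "1\.8\.'
}

# Succeeds if $1 is a symlink that resolves to the same directory as $2.
link_points_to() {
  [ -L "$1" ] && [ "$(readlink -f "$1")" = "$(readlink -f "$2")" ]
}

# Prints every package from the argument list that dpkg does not report as installed.
missing_pkgs() {
  for pkg in "$@"; do
    dpkg-query -W -f='${Status}' "$pkg" 2>/dev/null |
      grep -q 'install ok installed' || echo "$pkg"
  done
}

# Runs all checks, prints one line per problem, returns non-zero if any failed.
preflight() {
  rc=0
  missing=$(missing_pkgs $REQUIRED_PKGS)
  [ -z "$missing" ] || { echo "missing packages:" $missing; rc=1; }
  link_points_to "$JVM_DIR/default-java" "$JVM_DIR/java-8-openjdk-amd64" ||
    { echo "default-java does not point to java-8-openjdk-amd64"; rc=1; }
  is_java8 "$("$JVM_DIR/default-java/bin/java" -version 2>&1)" ||
    { echo "default-java runtime is not Java 8"; rc=1; }
  # pcscd is normally socket-activated, so either unit being active is enough.
  systemctl is-active --quiet pcscd.socket ||
    systemctl is-active --quiet pcscd.service ||
    { echo "pcscd is not active"; rc=1; }
  return $rc
}

# Only run the checks when asked to, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
  preflight && echo "setup looks ready for the Certum applet"
fi
```

Run it with `--check` after installing the packages and changing the symlink; each failed prerequisite is reported on its own line.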