Properly signing and verifying jar files
Posted on 2014-02-09
I'm beginning to have a big problem now that clients are updating their machines to the new version of java:
java version "1.7.0_51"
Java(TM) SE Runtime Environment (build 1.7.0_51-b13)
Java HotSpot(TM) 64-Bit Server VM (build 24.51-b03, mixed mode)
Since this has happened, they can no longer run a jnlp application that we've built. On top of that, the cert that was in place expired two days ago.
I've obtained a new cert which is issued by InCommon Server CA. For the java jnlp app, I've generated a new keystore from this cert and signed all jar files with this new keystore.
Then I've verified the jar files, e.g.
"This jar contains entries whose signer certificate will expire within six months.
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2014-05-10) or after any future revocation date."
After all files have been copied to the server and tomcat has been restarted, I am getting the blocked message: "Application Blocked by Security Settings. Your security settings have blocked a self-signed application from running."
I can reduce the security slider to medium in the java control panel and it will allow me to run this application. When I do that, I'll get a popup stating, "Do you want to run this application? Publisher: UNKNOWN ... This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute."
Obviously, I do not want the sites to have to reduce the security slider to medium and I also think Oracle will remove that option in the future.
So I'm back to signing the app. I have a legitimate cert from InCommon CA and this should work. I'm doing exactly what I've done in the past for creating the keystore and signing the jars. That seems to not work this time around. Also, if I recall, in the past, when the app launched it would always show "Unknown Publisher". So maybe that was not done correctly before and now with update 51, it's catching up with me.
Can you please provide any helpful information, particularly with verifying that I'm generating the keystore and signing jars correctly?
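As an added example (not code from the post, and not Oracle's tooling): a small pre-deployment check in Python that inspects a jar for two of the things the messages above point at, namely whether the manifest's main section carries the Permissions attribute (and a Codebase attribute) and whether the jar actually contains signature files. The jar fixture, the key alias MYKEY and the URL example.invalid are constructed for the test; the timestamp warning is not checked here, and jarsigner -verify -verbose -certs remains the authoritative check.

```python
import io
import zipfile

def parse_main_attributes(manifest):
    """Return the main-section attributes of a MANIFEST.MF as a dict.
    A line beginning with a space continues the previous attribute (the jar
    tool wraps long values at 72 bytes); the main section ends at the first
    blank line, after which per-entry sections follow."""
    attrs, last = {}, None
    for raw in manifest.splitlines():
        if raw == "":
            break                       # end of the main section
        if raw.startswith(" ") and last is not None:
            attrs[last] += raw[1:]      # continuation of the previous value
            continue
        name, _, value = raw.partition(":")
        last = name.strip()
        attrs[last] = value.strip()
    return attrs

def check_jar(jar_bytes):
    """List what a Java 7u51 client would object to in this jar."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            return ["no manifest"]
        attrs = parse_main_attributes(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
    if attrs.get("Permissions") not in ("all-permissions", "sandbox"):
        problems.append("manifest lacks a valid Permissions attribute")
    if "Codebase" not in attrs:
        problems.append("manifest lacks a Codebase attribute")
    sf = [n for n in names if n.startswith("META-INF/") and n.endswith(".SF")]
    blocks = [n for n in names if n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))]
    if not sf or not blocks:
        problems.append("jar is not signed (no META-INF/*.SF plus signature block)")
    return problems

def build_jar(manifest, signed):
    """Constructed fixture: a jar with the given manifest and, optionally,
    placeholder signature files named the way jarsigner names them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        if signed:
            zf.writestr("META-INF/MYKEY.SF", "Signature-Version: 1.0\r\n\r\n")
            zf.writestr("META-INF/MYKEY.RSA", b"\x30\x82")  # placeholder, not a real PKCS#7 block
    return buf.getvalue()

# Constructed manifests: GOOD wraps the Codebase value onto a continuation line.
GOOD = "Manifest-Version: 1.0\r\nPermissions: all-permissions\r\nCodebase: https://example.invalid/ap\r\n p\r\n\r\nName: com/example/App.class\r\n"
BAD = "Manifest-Version: 1.0\r\nCreated-By: 1.7.0_51 (Oracle Corporation)\r\n\r\n"
```

Running check_jar on the output of your real build (open the .jar and pass its bytes) before copying it to the server catches the missing Permissions attribute without a client round-trip.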