JAR signing

I'm using JTWAIN to do an applet to scan images then save it to the web server... so I have to sign the JARs? My java commands only work in my java/bin dir, so I have to copy my jars there, sign them, and copy them back. Would this cause problems? What's the correct way to sign them? Is there some easy way to do this through NetBeans? How do I know if I've done this correctly?

http://java.sun.com/developer/technicalArticles/Security/Signed/

Similar Messages

  • Applets, Policy Files, jar signing, JNI, etc

    Hi,
    I need an Applet to be able to connect to sockets and use some JNI. Hence, as far as I can tell, I need to use a Policy File. In a standalone application, I have written my policy file and tried it out by switching on the security manager. However I am not sure how I do this with an applet.
    I have read many examples of Jar signing, yet every example uses appletviewer and the -J-Djava.security.policy to show the security policy in action.
    However I want this to work through a normal browser, so how do I achieve this?
    Do I specify a URL to the java.security.file in the embed/object/applet tags in the HTML?
    Do I put the policy file in the jar and reference it via the Manifest?
    Any ideas much appreciated,
    John B

    The standard AccessControlException:
    java.security.AccessControlException: access denied (java.lang.RuntimePermission getClassLoader)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
    at java.security.AccessController.checkPermission(AccessController.java:401)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
    at java.lang.ClassLoader.getParent(ClassLoader.java:701)
    Or something like that.
    That's what I'm trying to solve, I wish to use the Java Security Policy system to allow my applet access to various resources, such as writing files. Now I've seen that signing an applet will give it full access (in my view, this is rather insecure, but anyway), however following the steps to sign an applet two or three times has still presented me with the same problem. The signing is ignored, and the exception is thrown.
    Applet signing aside, I fail to see any documentation stating how the policy file is used by the VM when running on a browser. I assumed it might be an entry in the Jar's manifest file, but again, I can find no documentation.
    It's all very annoying, and Sun have done quite a bad job at documenting this. For example, their example talks about -J-Djava.security.policy=.... being passed to appletviewer. Who on earth uses appletviewer! If policies only work with that, then they are useless. I want them to work with whatever browser the applet is being run within.
    Surely this isn't too much to ask? :)

  • Need some advices on jar signing

    Hi, our company's project will have an app server and some desktop apps.
    App server - tomcat, desktop - are just some application.jar.
    The question is how the server may know if the data is from our application.jar or from any third parties? Can jar signing solve this, or is there another way?
    P.S. There will be no Java Web Start
    Thanks in advance.

    1) If you can mount those disks on your database server then YES you can store the RMAN backups on those. You must NFS mount the disks on your DB server so that RMAN can see them and put the backups on them. Or you can directly write to the tapes.
    2) No, Flash recovery area is only one parameter pointing to one mounted space and you can't spread it over multiple volumes. What is the size of your database?
    Daljit Singh

  • JApplet jar signing

    Hi,
    My requirement is to bring a set of files from the server to the client thru JApplet.
    (JApplet, jdk1.3, weblogic, jre1.3) is the environment.
    I know that the jar file has to be signed etc., but is there any way by which I can accomplish this
    without jar signing?
    If it is not possible, is there any way to test the jar signing (any trial version etc.)? I just want to
    test it before buying the Verisign etc.
    Could anyone help me on this...
    Thanks

    "Can we customize sign_webutil.bat to do this?"
    Yes, you can. Only be careful with the webutil password.

  • PJC jar sign

    Hi,
    I want to use a jar file such as:
    http://forms.pjc.bean.over-blog.com/article-1830062.html
    but it needs to be signed and I don't know how to sign it.
    Please help with signing.

    Thanks for the response. I looked over getting JAR signing to work, but this applet is being hosted on the local machine and that process required an online URL. Knowing that my command line argument was wrong helped a lot though, I eventually loaded up the policytool program and got the syntax I needed for the policy file.
    grant codeBase "file:/C:/WINDOWS/java/classes/Client_2.0/classes/Client/*" {
    permission java.security.AllPermission;
    };

  • Jars signed with revoked certificate

    Hello,
    I have a situation here where I have jars and wars which were signed using jarsigner. The certificate used to sign the jars is now revoked.
    When the Java runtime loads these jars, it does not throw any errors/exceptions. Is that the right behavior?
    Is there any way by which I can configure the Java runtime to contact the CRL and to throw an error while the jar is loaded? The certificate has information
    about the CRL distribution point and also has authority info access details. I tried configuring OCSP in the java.security file. But still no luck.
    Any information on this will be helpful.
    Thanks in advance

    Hello EJP,
    Thanks for replying.
    Yes, the certificate was valid when the jar was signed. Please note that there was no timestamp put in the signature.
    So now, after the certificate has been revoked, if the Java runtime tries to load that jar, isn't it the responsibility of the Java runtime to make use of the CRL/OCSP information
    of the public key certificate (present in the jar, put there by jarsigner when signing) and validate it for revocation? (Also, in this scenario, what happens if OCSP is enabled in java.security?) Or is it the responsibility of the code that makes use of the jar to verify whether the certificate used for jar signing has been revoked or not?
    PS: I have enabled the security settings in the Java control panel for certificate revocation checking.
    Please let me know if I am wrong or if I am missing something.
    Also, I noticed something with jarsigner. In a signed jar, if I delete a few files and then verify its signature using jarsigner, "jar verified" is returned as the result. Isn't the jar tampered with when I delete a few files from it, and hence the hash of its data changes, and hence verification should fail?
    One more question: in the case of signed applets, if the certificate is revoked, as soon as the browser tries loading the applet, it throws an error saying the certificate that was used for signing has been revoked (provided browser settings and Java control panel settings are all properly set). Is this check initiated by the browser or the Java runtime?
    Thanks a lot

  • WebUtil Jar signing error

    Can anyone help me with this error:
    keytool error: java.lang.Exception: Key pair not generated, alias <####> already exists

    Check whether there is a file named ".keystore". If yes, delete this file and again try to sign the jar file.
    Hope it helps you...

  • Jar signing 101

    Hello,
    I am now trying to sign my jars so that they get past WebStart security qualifications.
    I already have a .spc certificate from VeriSign.
    What do I do with it/how do I use it?
    How do I sign my jars?
    thanks in advance,
    -ss

    Once you have the certificate from Verisign you need to put it into a keystore using the following command:
    keytool -import -alias <your alias> -file <your file from verisign>
    You may also have to specify the keystore using "-keystore <keystore>" unless you're using the default.
    Now that you have the cert in a keystore, you can use jarsigner to sign a jar file.
    jarsigner <jar file> <your alias>
    The <your alias> should be the same for both commands. The jarsigner also has an option for specifying a keystore, "-keystore <keystore>", which is only needed if you're not using the default.
    Hope that helps. You should also take a look at the tools documentation for your jvm:
    http://java.sun.com/j2se/1.3/docs/tooldocs/tools.html
    -Rob

  • Jar signing problem? (continue with HOST PJC)

    <1> I've signed the jar file on the Oracle9iAS server.
    <2> The first form (with a bean from that jar file) asked me for "Granting" on loading, and after that it runs without problems; the bean worked perfectly.
    <3> Loading the second form shows me nothing, Explorer just hangs.
    I've checked the JInitiator (1.3.1.9) Control Panel, Certificates tab... there are not any records. Maybe there is a problem.
    (I also have Sun JSDK 1.4.1_01 installed.)
    The Java Console also doesn't show any errors.
    Again, the form with the bean doesn't load the second time.
    What is the problem ?
    Thank You

    Have you read the paper on Signing JAR files for JInitiator 1.3 - it details some changes that you'd be advised to make to your HTML template and the HOST bean code to get around this problem..

  • Jar signing returns "jar is unsigned"

    Hi all, I have been trying to sign a jar, because I need an applet to access and update a database.
    What I've done was:
    keytool -genkey -alias MYALIAS -keypass mypass -keystore MYKEYSTORE -storepass mykeystorepass
    and then
    jarsigner -keystore MYKEYSTORE -storepass mykeystorepass -keypass mypass -signedjar SGID.jar GID.jar MYALIAS
    The result of >jarsigner -verify SGID.jar
    is
    jar is unsigned. (signatures missing or not parsable)
    Why is this returning that the jar is unsigned? I think I've created this correctly; if you can find any error or probable cause, please tell me.
    Thanks.

    I just tried again, here my result, so you can see if something is wrong or missing:
    1 - C:\Sun\SDK\jdk\bin>keytool -genkey -v -keyalg dsa -alias MYALIAS -keypass mypass -keystore MYKEYSTORE -storepass mykeystorepass
    What is your first and last name?
    [Unknown]: MYNAME
    What is the name of your organizational unit?
    [Unknown]: SCCM
    What is the name of your organization?
    [Unknown]: MYCOMPANY
    What is the name of your City or Locality?
    [Unknown]: LISBON
    What is the name of your State or Province?
    [Unknown]: LISBON
    What is the two-letter country code for this unit?
    [Unknown]: LX
    Is CN=NOESIS, OU=SCCM, O=NOESIS, L=LISBON, ST=LISBON, C=LX correct?
    [no]: YES
    Generating 1.024 bit DSA key pair and self-signed certificate (SHA1withDSA) with
    a validity of 90 days
    for: CN=NOESIS, OU=SCCM, O=NOESIS, L=LISBON, ST=LISBON, C=LX
    [Storing MYKEYSTORE]
    2 - C:\Sun\SDK\jdk\bin>jarsigner -keystore MYKEYSTORE -storepass mykeystorepass -keypass mypass GID.jar MYALIAS
    Warning:
    The signer certificate will expire within six months.
    3 - C:\Sun\SDK\jdk\bin>jarsigner -verify GID.jar
    jar is unsigned. (signatures missing or not parsable)
    So, as you can see, this really is not working for me :s
    I've tried different approaches, and none worked. Why can't I sign a .jar file? This is really weird, I thought creating an applet to access and manipulate a database wouldn't be so difficult..
    I guess I was wrong..

  • Jar Signing // Missing Digest entries

    I have a signed jar's manifest file which does not contain all of the classes ( digest entries) archived in the jar. Shouldn't this be one to one -jar classes to digest entries? Is there a reason why some classes are omitted, whereby others are included? I receive a NoClassDefFoundError when the applet loads when attempting to run a static method from a class which does not have a digest entry. The class throwing the exception is in the same jar as the applet, yet in a different package. Version: 1.6.0_15.

  • WebUtil Solaris jar signing

    Is there a document out there that explains signing the webutil jar files on Unix?
    Sandy

    Sandra,
    the steps are the same, except that the batch file that is shipped with webutil needs to be translated into a shell script. Because the signing happens with the Java jarsigner utility, the commands are the same. You can also sign webutil.jar on Windows and then copy the jar files to Unix.
    Frank

  • Why isn't jnlp.jar signed by Sun?

    The jnlp.jar in the developer pack is not signed with Sun's certificate. Why is that? An omission or intentional?
    If I'm delivering my app signed with my Verisign cert, I have to now deliver jnlp.jar also signed with my cert, right?
    Thx,
    Max

    The jnlp.jar is part of Java Web Start, so no - you don't have to sign and supply it, the JWS install takes care of it for you.
    Cheers,
    Gavin

  • Error with JAR Signing

    Folk'ses,
    I have just done my first JNLP stuff, and I am experiencing a very strange problem:
    my application launch works just fine but only every 2nd time!
    I alternatingly get the following error: Unable to launch the application.
    And the details state: JAR resources in JNLP file are not signed by same certificate
    I perform the exact same operation again without changing anything in between, and hey presto, my application is launched.
    Following is my JNLP file:
    <?xml version="1.0" encoding="utf-8"?>
    <!-- JNLP File for Session Client -->
    <jnlp spec="1.0+" codebase="http://oneclickserver9/CONTINUITY" href="/CONTINUITY/licensing.jnlp">
      <information>
        <title>CONTINUITY Licensing</title>
        <vendor>ICS GmbH</vendor>
        <homepage href="index.jsp"/>
        <description>CONTINUITY License View</description>
        <description kind="short">CONTINUITY</description>
        <icon href="continuity.log.gif"/>
      </information>
      <security>
        <all-permissions/>
      </security>
      <resources>
        <property name="sun.awt.noerasebackground" value="true"/>
        <j2se version="1.6.0_07" href="http://java.sun.com/products/autodl/j2se"
              initial-heap-size="64m" max-heap-size="256m" java-vm-args="-Duser.name=kloeber"/>
        <jar href="lib/IcsLicenseView.jar" main="true"/>
        <jar href="lib/global90.jar" download="lazy"/>
        <jar href="lib/ssorb90.jar" download="lazy"/>
        <jar href="lib/ssorbutil90.jar" download="lazy"/>
        <jar href="lib/utilapp90.jar" download="lazy"/>
        <jar href="lib/util90.jar" download="lazy"/>
        <jar href="lib/utilsrv90.jar" download="lazy"/>
        <jar href="lib/utilnet90.jar" download="lazy"/>
        <jar href="lib/vbhelper90.jar" download="lazy"/>
        <jar href="lib/vbjorb.jar" download="lazy"/>
        <jar href="lib/lm.jar" download="lazy"/>
        <jar href="lib/jsafeJCEFIPS.jar" download="lazy"/>
      </resources>
      <a...

    BS,
    thanks for your reply:
    "You might want to check how the referenced resources/JARs are signed on the server"
    I do the signing "manually" in a for loop over all jar files:
    for f in *.jar; do echo $f; jarsigner -keystore G:/Keystore/continuityKeystore -storepass XXXX -keypass +YYYYY+ $f +ZZZZ+; done
    "are they getting generated/signed dynamically every time you access the JNLP?"
    no, see above
    "Could it be possible that different requests be served by different web servers (may be in a cluster)?"
    no, I only have one tomcat server running

  • Understanding JAR signing

    The following link says that the public key that corresponds to the private key used to sign the JAR is placed in the JAR, along with its certificate.
    http://java.sun.com/docs/books/tutorial/deployment/jar/intro.html
    I have a couple of questions: are both the public key and certificate in the DSA file? (The document makes it seem like the public key and its certificate are separate - but doesn't the certificate contain the public key its certifying?)
    Are the only 2 ways the public certificate trusted is if the public certificate is imported into the "cacerts" file or into another keystore specified in the jarsigner -verify command? (In the cacerts case you could just omit options relating to the keystore?)
    Why are the SHA1-Digest values different in MANIFEST.MF and the SF file for a given file within the JAR?
    What's the difference between the SHA1-Digest-Manifest and SHA1-Digest-Manifest-Main-Attributes values in the SF files?
    Thanks.

    I know some answers:
    1. Yes, public key is inside the certificate, in DSA file
    2. AFAIK, if the certificate is signed by someone in the cacerts file, it's OK
    3. In MANIFEST.MF, hash value is for file content. In SF file, hash value is for the section in MANIFEST.MF
    4. SHA1-Digest-Manifest-Main-Attributes is the hash value for the header part of MANIFEST.MF
    You can find out all the details by reading the source codes in OpenJDK.
    BTW, Are you going to write a jarsigner yourself?
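
The relationship described in answers 3 and 4 above, together with the checks asked about in the "revoked certificate" and "Missing Digest entries" threads (files deleted from a signed JAR, classes with no digest entry), as an added example that is not code from any of the posts. The names `sections`, `audit` and `build_sample` are hypothetical, the sample JAR is constructed in memory, and the script checks digests only: it does not validate the signature block, the certificate chain or revocation status.

```python
import base64, hashlib, io, re, zipfile

ALGS = {"SHA1-Digest": "sha1", "SHA-256-Digest": "sha256"}

def b64(alg, data):
    return base64.b64encode(hashlib.new(alg, data).digest()).decode()

def sections(raw):
    """Per-entry sections of MANIFEST.MF or a .SF file: {name: (attrs, raw bytes)}."""
    out = {}
    for m in re.finditer(rb"(?s).+?(?:\r?\n\r?\n|\Z)", raw):
        text = re.sub(rb"\r?\n ", b"", m.group()).decode()  # unfold continuation lines
        attrs = dict(l.split(": ", 1) for l in text.splitlines() if ": " in l)
        if "Name" in attrs:
            out[attrs["Name"]] = (attrs, m.group())  # raw bytes keep the blank line
    return out

def audit(jar_bytes):
    """Cross-check ZIP entries, MANIFEST.MF digests and .SF section digests."""
    z = zipfile.ZipFile(io.BytesIO(jar_bytes))
    names = z.namelist()
    man = sections(z.read("META-INF/MANIFEST.MF"))
    rep = {"unlisted": [], "mismatch": [], "sf_mismatch": []}
    for n in [x for x in names if not x.startswith("META-INF/") and x[-1] != "/"]:
        digs = [(k, v) for k, v in man.get(n, ({}, b""))[0].items() if k in ALGS]
        if not digs:
            rep["unlisted"].append(n)    # present but has no digest entry: unsigned
        elif any(b64(ALGS[k], z.read(n)) != v for k, v in digs):
            rep["mismatch"].append(n)    # content changed after the digest was written
    rep["missing"] = [n for n in man if n not in names]  # listed, but deleted later
    for sf in (n for n in names if n.startswith("META-INF/") and n.endswith(".SF")):
        for n, (attrs, _) in sections(z.read(sf)).items():
            if any(k in ALGS and (n not in man or b64(ALGS[k], man[n][1]) != v)
                   for k, v in attrs.items()):  # .SF hashes the manifest section
                rep["sf_mismatch"].append(n)
    return rep

def build_sample(signed, extra=None, drop=(), attr="SHA-256-Digest"):
    """Constructed JAR: `signed` get digests; `extra`/`drop` simulate later changes."""
    sec = lambda n, d: f"Name: {n}\r\n{attr}: {b64(ALGS[attr], d)}\r\n\r\n".encode()
    secs = {n: sec(n, d) for n, d in signed.items()}
    mf = b"Manifest-Version: 1.0\r\n\r\n" + b"".join(secs.values())
    sf = b"Signature-Version: 1.0\r\n\r\n" + b"".join(sec(n, s) for n, s in secs.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", mf)
        z.writestr("META-INF/SAMPLE.SF", sf)
        for n, d in {**signed, **(extra or {})}.items():
            if n not in drop:
                z.writestr(n, d)
    return buf.getvalue()

if __name__ == "__main__":  # a file deleted after signing is reported as "missing"
    print(audit(build_sample({"app/Main.class": b"constructed"}, drop=("app/Main.class",))))
```

To audit a real file, pass `open(path, "rb").read()` to `audit`; a non-empty `unlisted` or `missing` list is the condition those two threads describe.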
