Signed Jars from Sun?

I also posted this topic in the "Security General" forum. Please write your answers there. Thank you!
Hello,
why are the jars provided by Sun for the different Java technologies not signed with a trusted certificate from Sun?
I have the requirement that my WebStart enabled application must run in privileged mode, but then all resources including for example the ejb.jar must be signed.
I know that I could easily run the jarsigner tool myself on the ejb.jar but this would probably evoke legal problems: My company can't claim authorship for a piece of software built by Sun.
My personal opinion is, that this makes the utilizability of WebStart for commercial products highly questionable.
sanostol

It doesn't make utilizability of WebStart for commercial products highly questionable - It's up to your company to ensure your code is signed with their own key, and to ensure nothing has been tampered with - if a user downloads something from your site that proceeds to wipe their disk or perform a denial of service attack on Microsoft for that matter that's your liability.
You have to understand that all the jars in a web start app currently have to be signed by the same key, furthermore each jar cannot be signed more than once. Were Sun to sign their jars we'd all be having to unpack to remove the signatures, re-jar the contents and sign with our own keys again - it's often a royal pain when third party jars come signed.
We can get around this by making these third-party jars a separate <part> each having its own jnlp file, but this is more work and if this part needs security settings the user will be prompted about whether they want to install every individual jar in your app - definitely not desirable. Currently we have this with JavaHelp which frustratingly does come signed, and needs at least client-privs to allow users to print pages.
- Richard

Similar Messages

  • Where can I get Jaws.jar from Sun?

    Where can I get Jaws.jar from Sun?
    thank you.
    while I use search in download I do not find it.

    // new class for jsObject!!!! since 1.4.2 compile this:
    // javac -classpath "C:\Program Files\Java\j2re1.4.2_01\lib\plugin.jar" test.java
    // since jaws.jar does not exist anymore
    // to compile with jaws: javac -classpath "C:\j2sdk1.4.0_03\jre\lib\jaws.jar" test.java
    http://www.tek-tips.com/faqs.cfm?fid=5101

  • Signing Jars from within Java Code

    Hi,
    I would like to sign a jar file from within my Java code. Reason for this is that I wish to update a jar file at runtime, throw away the class loader that loaded the jar, and load the updated code inside a new classloader.
    One problem, however: The jar file has to be signed before loading it. How can I do this from my Java program? Or do I need to have the jarsigner tool available at the location where I resign the jar?
    Thanks in advance,
    Ronald.

    Hi,
    In the meantime I found an answer to my problem. In rt.jar there exists a class sun.security.tools.JarSigner, which can be used for exactly this purpose. Not completely portable, but it'll do the trick.
    Ronald.

  • Impossible to run an applet in a signed jar from APEX page

    <applet id="runApp"
    CODE="TestApplet"
    ARCHIVE="/i/...path to applets dir.../applets/test.jar"
    width=1 height=1>
    </applet>
    The class TestApplet is in the jar's root.
    Java console shows:
    java.lang.ClassNotFoundException: TestApplet
         at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
         at java.lang.ClassLoader.loadClass(Unknown Source)
         at java.lang.ClassLoader.loadClass(Unknown Source)
         at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
         at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source)
         at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
         at java.lang.Thread.run(Unknown Source)
    Caused by: java.io.IOException: open HTTP connection failed:http://kor:7777/i/...path to applets dir.../applets/test.jar/TestApplet.class
         at sun.plugin2.applet.Applet2ClassLoader.getBytes(Unknown Source)
         at sun.plugin2.applet.Applet2ClassLoader.access$000(Unknown Source)
         at sun.plugin2.applet.Applet2ClassLoader$1.run(Unknown Source)
         at java.security.AccessController.doPrivileged(Native Method)
         ... 7 more
    The applet is not called by javascript => should not be blocked by Java plugin.
    Igor
    Edited by: kortchnoi on Nov 1, 2009 2:28 PM

    Well... All of a sudden it began to work. Why - I don't know. Maybe, because I have restarted the browser. Or else.
    Anyway, now I can launch *.exe (some legacy applications) from APEX on Firefox. Next step - IE that resists for the moment.
    Igor

  • Navigating between applets from the same signed jar (trusted CA) gives err

    See [http://www.chrisnewland.com/java-7-update-21-signedunsigned-error-switching-between-applets-in-the-same-signed-jar-trusted-ca-339] for my investigations so far.
    Clicking a link to navigate between applets contained in the same signed jar (signed by a trusted CA) pops up an error dialog complaining about a signed/unsigned code mix.
    Loading each applet in a fresh browser works fine.
    If you click from applet 1 to applet 2 via a non-applet page then both applets run without problem.
    [EDIT: This behaviour is new to 7u21]
    Edited by: Chris Newland on Apr 17, 2013 3:19 AM

    I tried that (Adding Trusted-Library true) to the jars and even the 3rd party jars.  I still get the pop up and this error:
    Exception in thread "thread applet-com/travelers/prefillapplet/PrefillApp.class-1" java.lang.NoClassDefFoundError: org/apache/log4j/Logger
    Caused by: java.lang.ClassNotFoundException: org.apache.log4j.Logger
    at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
    at java.lang.ClassLoader.loadClass(Unknown Source)

  • Creating JAR of an ejb from sun one studio 5.0

    I've got the following error when I'm trying to generate the jar of an ejb from sun one studio 5.0. What's the problem?
    org/w3c/dom/Document.java [0:0] No file named org/w3c/dom/Document.java exists on disk in src.zip.
    Therefore it may not be compiled with an external compiler.
    You may need to check it out from version control or save some changes to it.
    com/ssos/ejb/information/EJBModule_InformationEJB.ejbmodule [0:0] Problem compiling class: "org/w3c/dom/Document" reason: Compile failed
    Called From: com/iplanet/services/util/XMLParser
    Called From: com/iplanet/services/ldap/DSConfigMgr
    Called From: com/iplanet/services/util/I18n
    Called From: com/iplanet/sso/SSOTokenManager
    Called From: com/iplanet/am/sdk/AMCommonUtils
    Called From: com/iplanet/am/sdk/AMException
    Called From: com/iplanet/dpro/session/service/SessionService
    Called From: com/iplanet/services/naming/WebtopNaming
    Called From: com/iplanet/dpro/session/SessionID
    Called From: com/iplanet/dpro/session/Session
    Called From: com/iplanet/am/util/Locale
    Called From: com/iplanet/sso/SSOException
    Called From: com/iplanet/sso/SSOToken
    Called From: com/ssos/ejb/information/LocalInformationEJB
    Errors compiling EJBModule_InformationEJB.

    Hep, we have the same problem. I am still trying to figure out why. I have some idea about the reason but I am testing my founding. It seems to me that the problem shows up when I add my database driver in Runtime/Databases/drivers tree (IBM DB2 driver: db2jcc.jar)
    Like I am saying I am still checking the connection. When I am convinced that indeed that is the problem, I will then try to find out why and what to do to make my life easier.
    clogon

  • Is it possible to verify a signed jar-file from a program?

    Is it possible to verify a signed jar-file from a program
    (using some API) likewise jarsigner does?

    Is it possible to verify a signed jar-file from a program
    (using some API) likewise jarsigner does?

    Hi,
    You would have to open the jarfile, read each jar entry and for each of them do a getCertificates() and then in turn verify each certificate with the public key of the enclosed certificates in the jar file.
    An easier solution would be to use the verify flag of the JarFile or JarInputStream.
    Hope it helps..
    Cheers,
    Vijay
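
An added example (not from the thread or from Sun) of the `JarFile` verify approach Vijay describes: it reads every entry with verification enabled and lists unsigned entries. It goes beyond the post by also checking that several jars share a signer certificate, the same-key condition Richard describes for Web Start. The class name `JarSignatureCheck` and its helpers are made up for this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Added example (hypothetical class name): verify signed jars and compare signers.
 * This proves integrity against the certificate embedded in each jar. It does not
 * prove that the certificate chains to a trusted CA; that needs a separate
 * java.security.cert.CertPathValidator check against your trust anchors.
 */
public class JarSignatureCheck {

    /** Result of checking one jar. */
    static final class Report {
        final List<String> unsignedEntries = new ArrayList<>();
        /** Signer certificates shared by every signed entry; null if nothing was signed. */
        Set<Certificate> commonSigners;
    }

    /** The manifest and signature files directly under META-INF carry no signers. */
    static boolean isSignatureMetadata(String name) {
        String n = name.toUpperCase(Locale.ROOT);
        if (!n.startsWith("META-INF/") || n.indexOf('/', 9) != -1) return false;
        return n.equals("META-INF/MANIFEST.MF") || n.endsWith(".SF") || n.endsWith(".RSA")
                || n.endsWith(".DSA") || n.endsWith(".EC") || n.startsWith("META-INF/SIG-");
    }

    /** Reads every entry with verification on; a modified entry raises SecurityException. */
    static Report check(String path) throws IOException {
        Report report = new Report();
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(path, true)) {          // true = verify signatures
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || isSignatureMetadata(entry.getName())) continue;
                // Signers are only available once the entry has been read to the end.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    report.unsignedEntries.add(entry.getName());
                    continue;
                }
                Set<Certificate> leafCerts = new HashSet<>();
                for (CodeSigner s : signers) {
                    // The first certificate in the path is the signer's own certificate.
                    leafCerts.add(s.getSignerCertPath().getCertificates().get(0));
                }
                if (report.commonSigners == null) report.commonSigners = leafCerts;
                else report.commonSigners.retainAll(leafCerts);
            }
        }
        return report;
    }

    public static void main(String[] args) throws IOException {
        if (args.length == 0) {
            System.err.println("usage: java JarSignatureCheck <a.jar> [b.jar ...]");
            System.exit(2);
        }
        Set<Certificate> sharedAcrossJars = null;
        boolean ok = true;
        for (String path : args) {
            try {
                Report r = check(path);
                boolean signed = r.commonSigners != null && !r.commonSigners.isEmpty();
                System.out.printf("%s: %s, %d unsigned entries%n", path,
                        signed ? "a common signer covers all signed entries" : "no common signer",
                        r.unsignedEntries.size());
                r.unsignedEntries.forEach(n -> System.out.println("  unsigned: " + n));
                if (!signed || !r.unsignedEntries.isEmpty()) ok = false;
                if (signed) {
                    if (sharedAcrossJars == null) sharedAcrossJars = new HashSet<>(r.commonSigners);
                    else sharedAcrossJars.retainAll(r.commonSigners);
                }
            } catch (SecurityException e) {
                // Digest or signature mismatch: the jar changed after it was signed.
                System.out.println(path + ": verification FAILED: " + e.getMessage());
                ok = false;
            }
        }
        if (sharedAcrossJars == null || sharedAcrossJars.isEmpty()) ok = false;
        System.out.println(ok ? "OK: all jars fully signed by a common certificate"
                              : "FAIL: see messages above");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it as `java JarSignatureCheck app.jar lib1.jar lib2.jar`; a non-zero exit code means at least one jar is unsigned, partly signed, modified after signing, or signed by a different certificate from the others.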

  • [svn:fx-trunk] 11488: Resubmitting binary distribution of xercesPatch. jar from the third party module in the SDK and compiled it with Sun JDK 1.4 .2_12.

    Revision: 11488
    Author:   [email protected]
    Date:     2009-11-05 17:10:10 -0800 (Thu, 05 Nov 2009)
    Log Message:
    Resubmitting binary distribution of xercesPatch.jar from the third party module in the SDK and compiled it with Sun JDK 1.4.2_12.
    QE notes: N/A
    Doc notes: N/A
    Bugs:
    SDK-16818 - Must open-source the code for xercesPatch.jar.
    Reviewer: Discussed with Gordon
    Tests run: Checkintests
    Is noteworthy for integration: No
    Ticket Links:
        http://bugs.adobe.com/jira/browse/SDK-16818
    Modified Paths:
        flex/sdk/trunk/lib/xercesPatch.jar
        flex/sdk/trunk/modules/thirdparty/xerces-patch/build.xml

    Did you try this:
    http://forum.java.sun.com/thread.jsp?thread=434718&forum=60&message=1964421

  • How to connect from Signed jar to normal jar

    Hi Team,
    I have one signed jar. This signed jar manifest file contains all the algorithms. I want to connect from
    a class (which is available in a signed jar) to another class (which is available in another jar which is not signed.)
    could you please explain how to add class-path in signed jar manifest file.
    Thanks
    T. Shankar Reddy

    Hi,
    Please use the CD to run setup on the second, third, ..... computer. In short, you have to run setup for each computer.
    Regards.
    BH

  • Can i call signed applet from jsf page in sun studio creator

    Hello javites,
    I want to know whether i can call signed applet from jsf page in sun studio creator. If possible, how do i go about it.
    Thanks.

    This tutorial may help:
    http://developers.sun.com/prodtech/javatools/jscreator/reference/techart/2/applet.html?feed=DSC

  • CGLIB generation from signed classes(in signed jar) = SecurityException

    Good Day!
    I have the following problem:
    My project uses a number of JARs signed with a jarsigner tool from JAVA distribution package including hibernate2.jar (the jar with all the hibernate stuff), spring.jar and cglib.jar (I think, exact names don't matter). All these jars are signed of course for security reasons.
    Then, I have my project working with Hibernate, and it uses lazy-initialized ORM-classes, so Hibernate tries to generate a proxy via CGLIB for these classes. But during initialization of Hibernate SessionFactoryImpl I'm getting a java.lang.SecurityException:
    java.lang.SecurityException: class "cern.spsea.hibernatebeans.BeamFileHibernateBean$$EnhancerByCGLIB$$773cc7e9"'s signer information does not match signer information of other classes in the same package
    cern.spsea.hibernatebeans.BeamFileHibernateBean is one of my ORM-classes and all my classes are not signed because they are in development (they are not in jar, so they can not be signed).
    I think it happens because signed code (from hibernate.jar and cglib.jar) tries to generate another signed code (cern.spsea.hibernatebeans.BeamFileHibernateBean$$EnhancerByCGLIB$$773cc7e9) but relate it to my unsigned package (cern.spsea.hibernatebeans).
    So, I have a couple of questions:
    1. Does signed code also generate signed code?
    2. If so, what can I do for development? I really need to avoid this problem only at development, because at release my classes will be also in the signed jars. Can I force CGLIB to generate not signed classes? Is it some options in JVM start command to skip security checking? May be something else?
    Any help is appreciated!
    Thanks a lot in advance!
    Roman

    I've got the same problem, if someone could help us he'll be very helpful.
    Regards,
    Alx

  • Problem occurring when extending classes coming from 2 signed JAR

    Hi everyone,
    I have 2 signed jar called "base_signed.jar" and "extended_signed.jar" using keytool with a testing certificate generated at runtime. All goes well because with both signed JARs I can use the URLClassLoader without any java.security.AccessControlException exception.
    But the first JAR contains abstract class B, the latter JAR contains a concrete class A.
    The problem occurs when I try to instantiate some class A coming from "extended_signed.jar" using Class.forName("blablaclassA").newInstance() and occurs only if this class A extends some other abstract class B contained inside "base_signed.jar" .
    Practically if the class A is casted as its common JVM ancestor of B (JInternalFrame) all goes well, otherwise if I try to cast A using its direct ancestor B, I receive the following exception:
    network: Connessione a http://www.orion.lan/~antares/it/weev/wipidea/plugins/MeteoradarArpavPlugin$7.class con proxy=DIRECT
    Exception in thread "AWT-EventQueue-35" java.lang.ClassCastException: it.weev.wipidea.plugins.MeteoradarArpavPlugin cannot be cast to it.weev.wipidea.base.AWipideaPlugin
         at it.weev.wipidea.base.PluginLoader.loadNetworkPlugin(Unknown Source)
         at it.weev.wipidea.applet.WipideaApplet.loadPlugin(Unknown Source)
         at it.weev.wipidea.applet.WipideaApplet$1.actionPerformed(Unknown Source)
         at javax.swing.AbstractButton.fireActionPerformed(Unknown Source)
         at javax.swing.AbstractButton$Handler.actionPerformed(Unknown Source)
         at javax.swing.DefaultButtonModel.fireActionPerformed(Unknown Source)
         at javax.swing.DefaultButtonModel.setPressed(Unknown Source)
         at javax.swing.plaf.basic.BasicButtonListener.mouseReleased(Unknown Source)
         at java.awt.Component.processMouseEvent(Unknown Source)
         at javax.swing.JComponent.processMouseEvent(Unknown Source)
         at java.awt.Component.processEvent(Unknown Source)
         at java.awt.Container.processEvent(Unknown Source)
         at java.awt.Component.dispatchEventImpl(Unknown Source)
         at java.awt.Container.dispatchEventImpl(Unknown Source)
         at java.awt.Component.dispatchEvent(Unknown Source)
         at java.awt.LightweightDispatcher.retargetMouseEvent(Unknown Source)
         at java.awt.LightweightDispatcher.processMouseEvent(Unknown Source)
         at java.awt.LightweightDispatcher.dispatchEvent(Unknown Source)
         at java.awt.Container.dispatchEventImpl(Unknown Source)
         at java.awt.Component.dispatchEvent(Unknown Source)
         at java.awt.EventQueue.dispatchEvent(Unknown Source)
         at java.awt.EventDispatchThread.pumpOneEventForFilters(Unknown Source)
         at java.awt.EventDispatchThread.pumpEventsForFilter(Unknown Source)
         at java.awt.EventDispatchThread.pumpEventsForHierarchy(Unknown Source)
         at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
         at java.awt.EventDispatchThread.pumpEvents(Unknown Source)
         at java.awt.EventDispatchThread.run(Unknown Source)
    network: Voce cache non trovata [url: http://www.orion.lan/~antares/it/weev/wipidea/base/PluginLoader.class, versione: null]
    network: Connessione a http://www.orion.lan/~antares/it/weev/wipidea/base/PluginLoader.class con proxy=DIRECT
    network: Voce cache non trovata [url: http://www.orion.lan/~antares/it/weev/wipidea/base/network-classpath.class, versione: null]
    ---The strange thing is that if I don't sign both JARs the class A is casted on B without any exception, could for security reason like hash or other? Ideally I need all JAR signed only because I plan to load classes from all over the net, but seems that URLClassLoader throws an AccessControlException when called.
    Anyway just now I solve all using only the common JVM ancestor of A and B, but what could be the final solution?
    Thanks, bye.

    Hi Sean,
    The file in question has been signed which causes issues in both OSB directly and in Eclipse when we do an import into that tool first.
    Can you let us know what issues you faced? Any errors? If yes, please post the same here.
    Regards,
    Anuj
    Edited by: Anuj Dwivedi on Feb 23, 2011 9:10 PM

  • Loading images in a signed jar

    Hi,
    I am trying to run an application using signed jars.
    One of the jars contains gif and jpeg files (icons).
    When I sign icons.jar and try to run the code (from
    the command line), I get the error listed below.
    Any help would be greatly appreciated.
    Thanks
    Charles
    An unexpected exception has been detected in native code outside the VM.
    Unexpected Signal : EXCEPTION_ACCESS_VIOLATION (0xc0000005) occurred at PC=0x76136B9
    Function=JNI_OnLoad+0x24D
    Library=C:\j2sdk1.4.2_02\jre\bin\jpeg.dll
    Current Java thread:
         at sun.awt.image.JPEGImageDecoder.readImage(Native Method)
         at sun.awt.image.JPEGImageDecoder.produceImage(JPEGImageDecoder.java:144)
         at sun.awt.image.InputStreamImageSource.doFetch(InputStreamImageSource.java:254)
         at sun.awt.image.ImageFetcher.fetchloop(ImageFetcher.java:172)
         at sun.awt.image.ImageFetcher.run(ImageFetcher.java:136)
    # The exception above was detected in native code outside the VM
    # Java VM: Java HotSpot(TM) Client VM (1.4.2_02-b03 mixed mode)
    # An error report file has been saved as hs_err_pid3068.log.
    # Please refer to the file for further information.
    Corrupt JPEG data: bad Huffman code

    http://developer.java.sun.com/developer/bugParade/bugs/4675817.html
    You must try using WinZip & not compressing the jpeg's.

  • Peculiar issue with signed .jars and Linux (Debian unstable, 2.4.20-custom)

    BACKGROUND:
    I am a developer working on a Java3D application, which is to be deliverable over
    the Web. Delivery as an applet seemed a natural choice, and so I spent a considerable amount of effort learning (I won't say "mastering") the process of
    creating a self-signed .jar containing java3d-<some_version>.exe. I have in fact
    successfully created a fully-functional from-scratch JPI/Java3D/myapp install. By
    this I mean that Windows machine with only stock IE installed could hit my URL,
    get the proper JPI installed, followed by the Java3D runtime I'd chosen, as well
    as a third-party DXF loader, and finally (after much clicking of 'Yes', 'Accept',
    'OK', etc.) see my app in a browser window.
    That was on my old, slow, Windows2000 workstation. Now I have a shiny, new
    workstation upon which my employer has graciously allowed me to run Linux. Sadly,
    the re-creation of the self-signed .jar files under a new JDK has not gone smoothly.
    PROBLEM DESCRIPTION:
    When a user attempts to download the self-signed .jar containing the auto-install
    executable for the Java3D runtime, the normal security warning prompts are displayed (one for granting to install the extension, one to accept the "suspect" certificate from me alone). The plugin happily downloads the .jar file, and then
    a NullPointerException is thrown, with a
    stack trace like:
    NPE!
    at java.util.zip.ZipFile.getInputStream (unknown source)
    at java.util.jar.JarFile.getInputStream (unknown source)
    <something>doPrivileged<something>
    etc.
    I apologize for the lack of a full stack trace; I would essentially have to type it in by hand after printing it out on the remote test box; I hope that I've caught the important details above.
    After this, the pure-java signed .jar is downloaded and installed, and then the applet "loads" with the predictable ClassNotFoundException for javax.media.j3d.SceneGroup.
    Downloading and installing the J3D runtime by hand and then re-visiting the URL results in a fully-functional applet.
    I've tried Blackdown Linux JDKs 1.4 and 1.3.1, as well as Sun's JDKs 1.3.1_07 and 1.3.1_05 for the compiling, jar'ing, and jarsigner'ing of these files, all with the same result. At each new JDK, I re-did the HTML conversion so that the appropriate
    JPI version was required on the client. I did complete uninstallations of all client JPI instances (including Web Start for 1.4.1_x, as well as cleaning the registry on the client).
    When this strategy worked, it was on Sun JDK 1.3.1_05 for Windows running on Windows2000, unknown service pack.
    DESIRED BEHAVIOR:
    I would like my clients to be able to go from stock Windows2K/IE (this being an intranet without any other options) to some JPI version running the J3D extension, with only the need to click 'OK', 'Accept', 'Grant This Session', etc. a bunch of times on the part of the user. I want this to happen without my having to resurrect my decrepit old Compaq Deskpro just to play the role of "build host" for my
    Java3D and loader .jar files, if at all possible.
    FILES:
    Here's what gets merged into the "main" applet's manifest at creation time:
    Manifest-Version: 1.0
    Extension-List: java3d DxfLoader
    java3d-Extension-Name: javax.media.j3d
    java3d-Implementation-Vendor-Id: com.sun
    java3d-Implementation-Version: 1.3
    java3d-Specification-Title: Java 3D API Specification
    java3d-Specification-Version: 1.3
    java3d-Specification-Vendor: Sun Microsystems, Inc
    java3d-Implementation-URL: http://10.1.1.1/heartcad/lib/java3d.jar
    DxfLoader-Extension-Name: eupla.dxfloader
    DxfLoader-Implementation-Title: Eupla DXFLoader
    DXFLoader-Implementation-URL: http://10.1.1.1/heartcad/lib/DxfLoader.jar
    And into the manifest for the J3D .jar:
    Manifest-Version: 1.0
    Implementation-Version: 1.3
    Specification-Version: 1.3
    Extension-Installation: "java3d-1_3-windows-i586-directx-rt.exe"
    Extension-Name: javax.media.j3d
    Implementation-Vendor-Id: com.sun
    Implementation-Vendor: Sun Microsystems, Inc
    Specification-Vendor: Sun Microsystems, Inc

    I have seen that bug, and the problem I'm having seems to be different than it. The extension installer is in the first extension .jar my applet asks for, and it
    never works automatically, regardless of how many times the applet is loaded.
    The second .jar, which doesn't have to run any installer, always works fine, but the first one will never work (a manual install of the Java3D runtime is required). This seems to not be the behavior described in the bug.
    I will continue to search for an answer to this problem, and of course if I should find anything I'll post it here.

  • JNLP: Signed jars but still not trusted

    I have an applet that has signed jars that were signed by the same key, the applet shows the correct warnings on startup and works fine (allows access to the local file system, etc), however there still exists the 'yellow triangle warning' on one of two popups frames that the applet produces (but not the other one).
    The applet does use native code (packaged in a signed jar and referenced in the JNLP). The jars are all signed by the same certificate from a CA. I originally didn't have the JNLP signed (by placing it in the main jar in JNLP-INF/APPLICATION.JNLP) but this didn't help. Also I didn't have the JNLP codebase set to a real URL (and really can't in production because it's a solution we deploy to customers' servers - it's packaged software not hosted) but even after I tested with a codebase to a test server, it still didn't remove the famed yellow triangle. I have all-permissions set in the JNLP.
    So two related questions:
    1) Other than not having signed jars (or not signed correctly), what other reasons cause the 'yellow triangle'?
    2) The warning only appears on one of the popup Frames. What could be the possible reasons for that? Are there some privileges that show the icon whether the applet is signed or not?
    Note: While changing the client policy setting (showWindowWithoutWarningBanner) works, this can't be a solution.
    From the Java Console:
    ...It goes through all the jars (I only included one for brevity - there are 23 of them). Note it says 'have 1 common certificates'.. which I think indicates everything is signed by the same cert.
    Is there any indication in the console logs I can use to determine why it is not trusted? It looks (to me) that everything is OK, until it says 'istrusted=false'.
    security: Validating cached jar url=http://10.192.252.26/QMDesktop/native.jar ffile=C:\Documents and Settings\bunkowm\Application Data\Sun\Java\Deployment\cache\6.0\34\1df0b62-2c3ce377 com.sun.deploy.cache.CachedJarFile@d964af
    cache: Reading Signers from 995 http://10.192.252.26/QMDesktop/native.jar | C:\Documents and Settings\bunkowm\Application Data\Sun\Java\Deployment\cache\6.0\34\1df0b62-2c3ce377.idx
    security: Have 1 common certificates after processing http://10.192.252.26/QMDesktop/native.jar
    security: Istrusted: null false
    security: Loading certificates from Deployment session certificate store
    security: Loaded certificates from Deployment session certificate store
    security: Validate the certificate chain using CertPath API
    security: Obtain certificate collection in Root CA certificate store
    security: Obtain certificate collection in Root CA certificate store
    security: Start to check whether root CA is replaced
    security: The root CA hasnt been replaced
    security: No timestamping info available
    security: Found jurisdiction list file
    security: No need to checking trusted extension for this certificate
    security: The CRL support is disabled
    security: The OCSP support is disabled
    security: This OCSP End Entity validation is disabled
    security: Checking if certificate is in Deployment denied certificate store
    security: Checking if certificate is in Deployment permanent certificate store
    security: Checking if certificate is in Deployment session certificate store
    security: Mark trusted: null

    Andrew - of course you were correct about the signed cert - I misspoke when the CA signed applet didn't show a warning. (You were also right that I must have checked 'always accept' the certificate on the server I had the CA signed cert on).
    I think you guys are on to something about the privileged actions. It would explain where one popup has the icon and the other doesn't. We have Javascript making calls into the applet and we do use JNI (although I don't think there are any calls back). We do wrap these calls in privileged actions but maybe we missed something. What I've seen before is a security exception is thrown if we don't wrap them - but maybe there are areas where we don't and it doesn't throw an exception or it does and we eat it somehow (and for whatever reason doesn't cause anything noticeable).
    Now that I know it could likely be the applet code and not necessarily a build issue with signing the jars, I have another place to look...
    I'll check it out and let you know what I find.
