
I develop a Java Applet that needs to break out of the sandbox, so it is signed by a certificate from a trusted CA (Thawte). This has worked well on OS X, Windows and Linux. Now with OS X 10.8 (Mountain Lion) I have this issue: OS X 10.8 Gatekeeper and Java applets

It seems like OS X 10.8 requires a signed applet to be signed with an Apple Developer ID Certificate.

My question is: If I change so that the applet is signed by an Apple Developer ID Certificate, will this also work on Windows/Linux etc.? If not, how can I have a signed applet whose signature validates fine on all major OSes? Can I sign the applet with two certificates?

  • For what specific reasons does the applet require extended trust? – Andrew Thompson Aug 23 '12 at 09:43
  • Write access to file system and connect to other hosts than the one where it is deployed. – Robert Sjödahl Aug 23 '12 at 10:43
  • There might be a way around signing the applet. For the File access, use the [JNLP API file services](http://pscode.org/jws/api.html#fs). Cross-domain access is more tricky. But with the plug-in2 architecture, Sun offered access via the [cross-domain XML](http://www.oracle.com/technetwork/java/javase/plugin2-142482.html#CROSSDOMAINXML). That requires co-operation from the target site. Failing that, you might look to offer a proxy on the originating ('home') server. – Andrew Thompson Aug 23 '12 at 10:53
  • So there is no way to sign an applet anymore so that it works on all platforms? Cross-platform applets are broken? I mean: I'm not looking for a way around signing the applet. I'm looking for a way to sign an applet that works for all platforms. – Robert Sjödahl Aug 23 '12 at 10:55
  • I don't know. I don't have a Mac or the ability to test the solution suggested on the other thread. What happened when ***you*** tried it? – Andrew Thompson Aug 23 '12 at 10:57
  • Yeah, I'm trying. I exported the "Developer ID Application" Certificate to a .p12 (PKCS#12) certificate (which is what we normally use to sign the application with). Signed it with that certificate. It had then already been signed with one certificate from Thawte. It still works on Windows but is now totally broken on OS X. Just shows a white rectangle with the text: "Error. Click for details". The details are a stack trace that basically says that the main class couldn't be found. – Robert Sjödahl Aug 23 '12 at 12:10
  • This is not a direct answer to your question, I also am not yet convinced it is not possible to sign the applet for both, but a kind of 'workaround' is available. Have a sand-boxed applet that determines OS X or 'other'. If OS X, load the applet signed with the Mac certificate, else load the standard applet. As to how to load the applet, one way is to redirect from the first applet page, another is to invoke JS to actively load the correct applet. Just a point that does not seem to have come up yet: applets were never as 'OS/browser/JRE compatible' as Sun hoped. Many problems come up. – Andrew Thompson Aug 23 '12 at 12:36

1 Answer


The answer to this question has now been posted in the linked question above: OS X 10.8 Gatekeeper and Java applets

Basically it can't be solved. I have tried to export the Developer ID Application certificate to a .p12 certificate and tried to sign the applet with that in addition to the certificate from Thawte, since it is allowed to sign a jar/applet with more than one identity. The applet gets signed, but jarsigner can't verify the signature.

So the ways to get rid of this bad warning message are that the user of the signed Applet does one of the following:

  1. Changes his GateKeeper settings to allow applications "from anywhere".
  2. Upgrades to Java 7, which is developed by Oracle and works as Java has done previously on OS X, i.e. a certificate from Thawte is enough.
  3. Adds the Thawte certificate to his keychain.
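The answer relies on the fact that a JAR may carry more than one signer, and that `jarsigner -verify` checks a digest chain before it ever looks at certificates. The following is an added example, not code from the question, the answer or the JDK: it builds a toy signed-JAR layout in memory with one `.SF`/`.RSA` pair per signer (the signer names `THAWTE` and `APPLEDEV`, the entry names and the `.RSA` placeholder bytes are all constructed for this example), then re-checks what jarsigner checks at the digest level: every `.SF` file's `SHA-256-Digest-Manifest` against the shared `MANIFEST.MF`, and every manifest entry's `SHA-256-Digest` against the entry's actual bytes. It does not verify the PKCS#7 signature inside the `.RSA` block, so it models the layout, not the certificate-chain failure the answer describes.

```python
"""Inspect a JAR's signature layout and re-check its digest chain.
Constructed example; the signer names, entries and .RSA contents are made up."""
import base64
import hashlib
import io
import zipfile

SIG_BLOCK_EXTS = (".RSA", ".DSA", ".EC")  # signature block types jarsigner emits


def _b64_sha256(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def _sections(text: str) -> list:
    """Parse a manifest or .SF file into a list of attribute dicts.
    Sections are separated by blank lines; lines beginning with a space continue
    the previous line (manifests wrap at 72 bytes)."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections, cur = [], {}
    for line in lines + [""]:
        if not line:
            if cur:
                sections.append(cur)
            cur = {}
        else:
            key, _, value = line.partition(": ")
            cur[key] = value
    return sections  # sections[0] is the main section, the rest have a Name


def build_sample_jar(signers: list) -> bytes:
    """Build an in-memory JAR with a shared MANIFEST.MF and one .SF/.RSA pair
    per signer. The .RSA blocks are placeholders, not real PKCS#7 data."""
    entries = {
        "com/example/Main.class": b"\xca\xfe\xba\xbe constructed class bytes",
        "applet.properties": b"mode=test\n",
    }
    manifest = "Manifest-Version: 1.0\n\n"
    for name, data in entries.items():
        manifest += f"Name: {name}\nSHA-256-Digest: {_b64_sha256(data)}\n\n"
    mbytes = manifest.encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", mbytes)
        for signer in signers:
            # Each signer digests the same manifest into its own .SF file
            sf = f"Signature-Version: 1.0\nSHA-256-Digest-Manifest: {_b64_sha256(mbytes)}\n\n"
            z.writestr(f"META-INF/{signer}.SF", sf)
            z.writestr(f"META-INF/{signer}.RSA", b"placeholder PKCS#7 block for " + signer.encode())
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def inspect_jar(jar_bytes: bytes):
    """Return (signers, entry_ok): per-signer layout/digest checks and a per-entry
    map of whether the manifest digest matches the entry's bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        names = z.namelist()
        mbytes = z.read("META-INF/MANIFEST.MF")
        manifest_digest = _b64_sha256(mbytes)
        entry_ok = {}
        for sec in _sections(mbytes.decode())[1:]:
            name = sec["Name"]
            entry_ok[name] = sec.get("SHA-256-Digest") == _b64_sha256(z.read(name))
        signers = {}
        for n in names:
            if n.startswith("META-INF/") and n.endswith(".SF"):
                base = n[len("META-INF/"):-3]
                sf_main = _sections(z.read(n).decode())[0]
                signers[base] = {
                    "has_signature_block": any(f"META-INF/{base}{e}" in names for e in SIG_BLOCK_EXTS),
                    "manifest_digest_ok": sf_main.get("SHA-256-Digest-Manifest") == manifest_digest,
                }
    return signers, entry_ok


def replace_entry(jar_bytes: bytes, name: str, new_data: bytes) -> bytes:
    """Rewrite the JAR with one entry's content changed and META-INF left alone,
    i.e. what a post-signing modification looks like to the verifier."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        for n in src.namelist():
            z.writestr(n, new_data if n == name else src.read(n))
    return out.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar(["THAWTE", "APPLEDEV"])
    print(inspect_jar(jar))
    print(inspect_jar(replace_entry(jar, "applet.properties", b"mode=prod\n"))[1])
```

Running the block shows both signers present with matching manifest digests, and that changing one entry after signing breaks only that entry's digest while the signer layout still looks intact; that is the difference between a structurally valid multi-signer JAR and one whose certificate chain the verifier actually trusts, which is the part this example leaves out.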