
We have a Java application that uses RxTx to update the firmware of our game console. To avoid security alerts when the user starts the Java application on our website through WebStart we have bought a trusted certificate and signed the application with that. All checks indicate that it is successfully signed and if I launch the application via Safari on my Mac (OS X 10.6.8) with Java 1.6.0_41 it starts without any complaints.

But if I launch it using IE9 on a Windows 8 machine I get an alert saying "Do you want to run this application? This application will run with unrestricted access which may put your computer and personal information at risk. Run this application only if you trust the publisher. This application's digital signature has expired. More Information".

If I click the More Information I get "This application will run with unrestricted access to your personal files and other facilities (webcam, microphone) on your computer.

Although the application has a digital signature, the application's associated file (JNLP) does not have one. A digital signature ensures that a file is from the vendor and that it has not been altered.

The digital signature was generated with a trusted certificate." I have tried to find a solution how to not get this message and think what I need to do is sign the JNLP file (i.e. copy it into the jar as pointed out here) but what I cannot find is how to get NetBeans to do that! I'm using NetBeans 6.9.1. Anyone know how to do this and if it is enough to sign the JNLP?

To verify that the file was correctly signed I did the following:

    jarsigner -verify -certs -verbose OribooDesktopClient.jar

    6396 Thu Feb 28 17:14:14 CET 2013 META-INF/MANIFEST.MF
    6354 Thu Feb 28 17:14:14 CET 2013 META-INF/MOVINTOF.SF
    1843 Thu Feb 28 17:14:14 CET 2013 META-INF/MOVINTOF.RSA
       0 Thu Feb 28 17:07:28 CET 2013 META-INF/
       0 Thu Feb 28 17:07:26 CET 2013 oribooDesktopClient/
       0 Thu Feb 28 17:07:26 CET 2013 oribooDesktopClient/resources/
       0 Thu Feb 28 17:07:26 CET 2013 oribooDesktopClient/resources/busyicons/
sm      3912 Thu Feb 28 17:07:26 CET 2013 oribooDesktopClient/BBDatabase.class

  X.509, CN=Movinto fun AB, O=Movinto fun AB, STREET=?rev?gen 138, L=?re, ST=J?mtland, OID.2.5.4.17=83013, C=SE
  [certificate is valid from 2/28/13 1:00 AM to 3/1/14 12:59 AM]

sm      2497 Thu Feb 28 17:07:26 CET 2013 oribooDesktopClient/Binary.class

  X.509, CN=Movinto fun AB, O=Movinto fun AB, STREET=?rev?gen 138, L=?re, ST=J?mtland, OID.2.5.4.17=83013, C=SE
  [certificate is valid from 2/28/13 1:00 AM to 3/1/14 12:59 AM]
....
    Is your certificate a "code signing" certificate, or just an SSL certificate? The latter will be treated as no more valid than a self-signed certificate, regardless of whether it was issued by a trusted certificate authority. The fact that you get a security dialog on some machines but not on others leads me to believe that you may have checked the "Always trust content from this publisher" checkbox in a security dialog in the past, on the non-Windows-8 machines. – VGR Mar 01 '13 at 13:07
  • I'm 100% sure I have never checked any "always trust" on any machines to make sure I always see the same thing as a first time visitor since the reason we bought a code signing certificate is to not get these popups. Yes and it is a Comodo code signing certificate. – Karl-Petter Åkesson Mar 01 '13 at 18:32
  • Signing the JNLP is an additional security measure. It is intended to guarantee that the application was launched from a .jnlp file which is identical to the .jnlp file bundled inside the signed jar, which guarantees that no other site can mirror the application. I don't think signing the JNLP file will resolve this problem. – VGR Mar 01 '13 at 19:57
  • So what do you think is causing this then? Or will I always get this kind of alert because we are asking for `all-permission` ? – Karl-Petter Åkesson Mar 02 '13 at 11:28
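An added check for the two points the question and VGR's comments turn on: whether the signature covers every entry in the jar (the entries jarsigner lists without the `sm` flags) and whether a copy of the launch JNLP is bundled at `JNLP-INF/APPLICATION.JNLP`, which is what removes the "associated file (JNLP) does not have one" line. This is example code written for this page, not the poster's project; the jar it builds is a constructed stand-in whose `.RSA` block is a placeholder rather than a real signature.

```python
import io
import re
import zipfile

SIG_FILE = re.compile(r"^META-INF/[^/]+\.SF$", re.I)
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.I)
SIGNED_JNLP = "JNLP-INF/APPLICATION.JNLP"   # where Web Start looks for the signed copy

def signed_names(sf_text):
    """Entries covered by a .SF file: one 'Name:' section each; long names wrap onto lines starting with a space."""
    unwrapped = sf_text.replace("\r\n", "\n").replace("\n ", "")
    return set(re.findall(r"^Name: (.+)$", unwrapped, re.M))

def check_signed_jar(jar_bytes, launch_jnlp):
    """What Web Start sees: a signature block present, entries it does not cover
    (jarsigner prints those without 'sm'), and a bundled JNLP identical to the launch file."""
    zf = zipfile.ZipFile(io.BytesIO(jar_bytes))
    names = zf.namelist()
    sf_files = [n for n in names if SIG_FILE.match(n)]
    covered = set().union(*(signed_names(zf.read(n).decode("utf-8")) for n in sf_files))
    report = {
        "signed": bool(sf_files) and any(SIG_BLOCK.match(n) for n in names),
        "unsigned_entries": sorted(n for n in names if not n.endswith("/")
                                   and not n.startswith("META-INF/") and n not in covered),
    }
    if SIGNED_JNLP not in names:
        report["jnlp"] = "missing"     # the "associated file (JNLP) does not have one" warning
    elif zf.read(SIGNED_JNLP) == launch_jnlp.encode("utf-8"):
        report["jnlp"] = "match"
    else:
        report["jnlp"] = "mismatch"    # Web Start refuses to launch when the two differ
    return report

# Constructed sample, not the poster's jar: the .RSA block is a placeholder, not a real signature.
LAUNCH = ('<jnlp codebase="https://example.test/ws" href="OribooDesktopClient.jnlp">'
          '<security><all-permissions/></security></jnlp>')

def build_sample_jar(bundle_jnlp=True):
    entries = ["oribooDesktopClient/BBDatabase.class", "oribooDesktopClient/Binary.class"]
    if bundle_jnlp:
        entries.append(SIGNED_JNLP)     # the JNLP copy must itself be covered by the signature
    sf = "Signature-Version: 1.0\n\n" + "".join(f"Name: {e}\nSHA1-Digest: AAAA\n\n" for e in entries)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/MOVINTOF.SF", sf)
        zf.writestr("META-INF/MOVINTOF.RSA", b"\x30\x00")
        for e in entries + ["oribooDesktopClient/Unsigned.class"]:
            zf.writestr(e, LAUNCH if e == SIGNED_JNLP else b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

The check does not validate the signature itself or the certificate's validity window; for that, `jarsigner -verify -certs` as run in the question remains the tool.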

1 Answer


The important part is:

This application's digital signature has expired.

See Appearance of Java Security dialog for details, but you should be expecting something like:

[image: expired certificate dialog]

To remove the 'expired' message, the answer is to renew the certificate and sign the jars again. The dialog will still display words to the effect:

This application will run with unrestricted access which may put your computer and personal information at risk. Run this application only if you trust the publisher.

The differences will however be:

  • 'Always trust' will default to true.
  • The yellow diamond with exclamation mark will be changed to something more friendly.
  • The 'digital signature has expired' message, along with the yellow shield image in the lower left, will be absent.
Andrew Thompson
  • No that is not correct, it is a valid certificate, which has not expired. Using jarsigner verifies it is valid for at least a year: `jarsigner -verify -certs -verbose OribooDesktopClient.jar sm 3912 Thu Feb 28 17:07:26 CET 2013 oribooDesktopClient/BBDatabase.class X.509, CN=Movinto fun AB, O=Movinto fun AB, STREET=?rev?gen 138, L=?re, ST=J?mtland, OID.2.5.4.17=83013, C=SE [certificate is valid from 2/28/13 1:00 AM to 3/1/14 12:59 AM] ...` – Karl-Petter Åkesson Mar 01 '13 at 18:27
  • Edit that output back into the question. – Andrew Thompson Mar 02 '13 at 00:59
  • Have added it to the question. – Karl-Petter Åkesson Mar 02 '13 at 11:30
  • I just realised one thing, that I have a slightly faulty JNLP file. I'm not doing these tests on the live site which has an older signed version of the jar(though still valid certificate, ends 21 March). Forgot to change the URLs in the JNLP file to point to the test site so it loads the jar from live site so the actual output above is not from the jar it tries to launch. I'll take care of it when I'm back at the office on Tuesday. Thanks for all the input so far! – Karl-Petter Åkesson Mar 02 '13 at 11:46