3

Is there any way to prevent the "The application's digital signature cannot be verified" warning message from appearing when you run a Java application from the command line?

I'm looking for a command line solution that would allow starting an application like this on a continuous integration server, so I need a solution that would not require manual intervention.

Also, I would prefer not to disable this warning for any application because this could be a security risk.

Not sure if it helps, but I do know the values of the "name", "publisher" and "from" fields of the signature.

[screenshot of the Java digital signature warning]

Just to be sure, I'm not asking about how to sign this application.

update 1

I suppose that the solution is to use keytool to import the certificate from the command line, but for some reason it fails to import it properly: the certificate does not appear in the Control Panel applet afterwards and the application still requires it.

keytool -importcert -file my.cer -alias alf2 -storepass changeme -noprompt

Is it something related to the default keystore? How can I make sure I'm importing into the right keystore?

update 2

After a lot of research on the net I made some progress; this worked at least on Windows 7 with Java 6: keytool -importcert -file my.cer -keystore "%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs" -storepass "" -noprompt -v

It looks like Sun failed to specify in the documentation the real location of the default keystore and the fact that the default password is blank.

But this is not the end, because when this ran under the automation user account it failed: this user did not have a keystore yet, and the command line tool keytool is not able to create a keystore with an empty password, requesting at least 6 characters. See Sun's forum thread...

sorin
  • After some digging I found that the certificates displayed in Java control panel are stored in `C:\Users\username\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs`. Now the question is how can I use the `keytool` to write to this `keystore` (the location could be different on other machines, this was on Windows 7). – sorin Sep 20 '10 at 15:11
  • With what command are you running this "application"? The term java application is generally used for java applications where you have a class with a main method, and they don't require the java sandbox to be active (since running stuff from the command-line implies that you trust the code). – Sami Koivu Sep 20 '10 at 15:41
  • The application is executed running `javaw` because it can run in two modes console or gui mode. – sorin Sep 20 '10 at 16:29

5 Answers

2

The trusted.certs file is user (profile) based. Using keytool it is also possible to add a trusted root CA to the "cacert" file, where the default trusted CAs for Java are stored. cacert file location on XP (depends on Java version): C:\Program Files\Java\jre6\lib\security

More details here:

The default password is: changeit

PTT
1

There are two approaches:

  • Get the supplier of the software to reissue it with a proper signature. The "More Information" link should tell you why the signature cannot be verified, but the most likely causes are that the signature was created using a self-signed CA certificate, or a certificate that has since expired. (If the supplier won't help, you may be able to resign the JAR file with your own certificate.)

  • Add the relevant signing certificate to the JVM's certificate store as a "trusted certificate". Unfortunately, you'll need to do this for every JVM on every machine that needs to run the application.

Stephen C
  • So, in this case how can I **automate** certificate import? – sorin Sep 20 '10 at 11:24
  • 1
    You could write a shell script / batch file that uses `keytool` to import the certificate(s). See http://download.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html – Stephen C Sep 20 '10 at 11:44
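The procedure described in sorin's update 2 and in Stephen C's suggestion (script the import of the signer certificate into the account's own trusted.certs so no dialog is needed) can also be done directly against the Java KeyStore API, which sidesteps keytool's refusal to create a new store with an empty password. This is an added example, not code from the question or from any answer. It assumes that trusted.certs is a JKS keystore protected by an empty password, as update 2 observed on Windows 7 with Java 6, that Java 7 or later is available (for try-with-resources), and that the paths and the alias `alf2` are placeholders for your own values.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;

/**
 * Adds one signer certificate as a trusted entry to a JKS keystore, creating the
 * keystore with an EMPTY password if it does not exist yet (keytool refuses to do
 * this and insists on at least 6 characters).
 *
 * Usage: java ImportTrustedCert <keystore-path> <certificate.cer> <alias>
 * e.g.   java ImportTrustedCert "%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs" my.cer alf2
 *
 * Run it under the CI account so it writes to that account's profile.
 */
public class ImportTrustedCert {

    // Assumption: trusted.certs is a JKS store with an empty password.
    private static final char[] EMPTY_PASSWORD = new char[0];

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: ImportTrustedCert <keystore> <cert.cer> <alias>");
            System.exit(2);
        }
        Path storePath = Paths.get(args[0]);
        Path certPath = Paths.get(args[1]);
        String alias = args[2];

        KeyStore ks = KeyStore.getInstance("JKS");
        if (Files.exists(storePath)) {
            try (InputStream in = Files.newInputStream(storePath)) {
                ks.load(in, EMPTY_PASSWORD); // throws if the file is not an empty-password JKS store
            }
        } else {
            ks.load(null, EMPTY_PASSWORD);   // initialise a fresh, empty keystore in memory
            if (storePath.getParent() != null) {
                Files.createDirectories(storePath.getParent());
            }
        }

        // Parse the signer certificate (DER or PEM), the one behind "publisher"/"from" in the dialog.
        X509Certificate cert;
        try (InputStream in = Files.newInputStream(certPath)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        // Log exactly what is about to be trusted so the CI build output records it.
        System.out.println("Subject : " + cert.getSubjectX500Principal());
        System.out.println("Issuer  : " + cert.getIssuerX500Principal());
        System.out.println("Valid   : " + cert.getNotBefore() + " .. " + cert.getNotAfter());
        try {
            cert.checkValidity();
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            // An expired signer certificate is one of the usual reasons the signature
            // "cannot be verified"; trusting it here will not make the JAR verify.
            System.err.println("WARNING: certificate is not currently valid: " + e.getMessage());
        }

        // Idempotent: re-running the build job must neither duplicate nor overwrite entries.
        String existingAlias = ks.getCertificateAlias(cert);
        if (existingAlias != null) {
            System.out.println("Already trusted under alias '" + existingAlias + "', nothing to do.");
            return;
        }
        if (ks.containsAlias(alias)) {
            System.err.println("Alias '" + alias + "' already holds a different certificate; refusing to overwrite.");
            System.exit(1);
        }

        ks.setCertificateEntry(alias, cert);
        try (OutputStream out = Files.newOutputStream(storePath)) {
            ks.store(out, EMPTY_PASSWORD);
        }
        System.out.println("Imported '" + alias + "' into " + storePath);
    }
}
```

Two design choices are worth keeping in mind. First, the entry added is the specific signer's end-entity certificate, not its issuing CA, so the trust granted on the CI account covers this one publisher only. Second, writing to the per-profile trusted.certs rather than the JRE-wide cacerts file mentioned in PTT's answer keeps the change scoped to the automation account instead of every user of that JRE.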
0

It would be a serious compromise of user security/privacy if unsigned applications were allowed to run without the user's consent.

The answer is 'NO', unless you get your app signed or the user manually adds the publisher to the 'trusted' lists.

More here

Johnbabu Koppolu
  • @Sorin - just curious what you didn't like about this answer. – Bert F Sep 20 '10 at 12:45
  • @Sorin- are you looking for answers OR 'reputed' answers? – Johnbabu Koppolu Sep 20 '10 at 13:34
  • 1
    As you probably noticed this about doing something without user intervention / automation. This is critical on machines that are supposed to run unattended. – sorin Sep 20 '10 at 14:19
  • 1
    It's a valid question and not always a security risk. In a corporate environment you want to install things on user computers and make them just work. – Sarel Botha Jul 24 '14 at 18:19
0

Don't know whether it is still actual: on Windows XP keytool asks for a password if the cert store does not actually exist, so you should create it manually or copy a store from somewhere before importing certificates. The user store was without a password.

Giors
-1

I think you should create a file, for example mypolicy.policy, in java.home/lib/security that grants all permissions to code signed by you, and add this file to java.security (e.g. under the line where the java.policy path is); this warning window will never prompt again.

Niekam