
We (an organization) want to publish a Java Web Start application through JNLP. The executing JAR needs full permissions, so I have specified <all-permissions/> in the .jnlp file, but if you specify <all-permissions/> then the JAR must be signed.

I have some doubts and confusion about code signing certificates and the JAR signing method, so I need some clarity on my assumptions:

1. Can we use a website (SSL) certificate to sign a JAR?

My assumption: As code signing certificates are offered by certificate partners separately, there may be some difference, so we cannot use it. But if we look at "Java Sign jars with server certificate", the answer there says exactly the opposite. So can we really use a website certificate to sign a JAR?

2. Can we use an Active Directory generated code signing certificate?

My assumption: We can generate certificates on an Active Directory server. So if we generate a certificate on the AD server, it will still be treated as a self-signed certificate because the root is not trusted by Java.

3. Do all dependency JARs need to be signed?

According to "How do I fix "missing Codebase, Permissions, and Application-Name manifest attribute" in my JNLP app?", we need to sign each and every JAR after adding the necessary info to the manifest file. Is it really needed? Currently I am building a JAR with dependencies using maven-assembly-plugin, executing the goal in NetBeans as clean compile assembly:single, which makes a single JAR by taking the .class files of all dependencies (no dependency JARs are included in the JAR).

Amogh

0 Answers