I am new to JAVA development; I have a console library application which I need to share to customers. In that case on browsing found that from JAVA8 , medium security level has been removed from JAVA control panel. Only high and very high levels are available. So, web-based application needs their application to be digitally signed (https://www.java.com/en/download/help/jcp_security.xml). In that context, do I really need my JAR to be signed? What consequences may occur if it is unsigned?
Asked
Active
Viewed 38 times
0
-
2Signed jars were for applets. Applets are **dead**. Nothing (afaik) verifies signed jars (anymore). Your console library application is not an applet. Applets extend [`Applet`](https://docs.oracle.com/javase/7/docs/api/java/applet/Applet.html) (and don't write a new applet). – Elliott Frisch Feb 26 '20 at 14:01
-
This question doesn't make a lot of sense. What is a "console library application"? Is it a library or an application or ... something else? And why are you trying to use a console application in the context of the web? (Or asking about it in the context of the web?) – Stephen C Feb 26 '20 at 14:57
-
@ElliottFrisch: WS/JNLP also checks signed code in at least some cases, and the roadmap claims it will be supported in Oracle j8 (with Extended Support) until 2030. (Although based on Oracle's record I wouldn't bet the farm.) – dave_thompson_085 Feb 26 '20 at 15:04
-
@dave_thompson_085 Interesting info on webstart. Have you encountered a WS application in the wild? – Elliott Frisch Feb 26 '20 at 15:12
-
@ElliottFrisch There are still Web Start applications out there, but Web Start has been removed from modern Java and is (more or less) deprecated in the same way applets are. A signed jar is indeed important for Web Start applications, but it requires a code signing certificate, which are rare and usually a lot more expensive than a simple SSL/TLS certificate, which has made jar signing all the rarer. – VGR Feb 26 '20 at 15:42