This week's book giveaway is in the Mac OS forum.
We're giving away four copies of a choice of "Take Control of Upgrading to Yosemite" or "Take Control of Automating Your Mac" and have Joe Kissell on-line!
See this thread for details.
The moose likes JNLP and Web Start and the fly likes all-permissions and free signing Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


JavaRanch » Java Forums » Java » JNLP and Web Start
Bookmark "all-permissions and free signing" Watch "all-permissions and free signing" New topic
Author

all-permissions and free signing

D Rog
Ranch Hand

Joined: Feb 07, 2004
Posts: 472

I have an open source Java application which I want to give webstart. However it requires all-permissions, so I have to sign it. Since it's open source project not attached to any firm, I do not want to deal with any CA and purchase certificate. Is there any way to generate not trusted certificate and then use it for signing jars? Will web start accept such certificate with additional warning? I know it works fine for SSL, but what's about webstart?


Retire your iPod and start with HD Android music player Kamerton | Minimal J2EE container is here | Light weight full J2EE stack | and build tool | Co-author of "Windows programming in Turbo Pascal"
Jared Cope
Ranch Hand

Joined: Aug 18, 2004
Posts: 243
Originally posted by D Rog:
Since it's open source project not attached to any firm, I do not want to deal with any CA and purchase certificate. Is there any way to generate not trusted certificate and then use it for signing jars?


You are able to sign your jars without purchasing a certificate. If webstart does not recognise the certificate it will prompt the user to continue or cancel the loading and running of the application.

However, if you are trying to get the public to use your app, you have to ask yourself "will people download and trust my app if I don't even have a certificate they can check up on?"

cheers, Jared.


SCJP 1.4 91%, SCJP 1.5 88%, SCJD B&S
D Rog
Ranch Hand

Joined: Feb 07, 2004
Posts: 472

Can you refer me to some doc how to do that?
Regarding second, I do not care. It's free open source software, people are asking me for web start, so I do that. I do not encourage people to use this software, it's designed mostly for personal use.
Jared Cope
Ranch Hand

Joined: Aug 18, 2004
Posts: 243
Hi,

I'll do my best, though I must admit that a lot of this was setup before I worked on this project, so a lot was in place already.

I use an ant target in order to get my jar file signed. below is the ant target that in in our build.xml file (relevant parts obscured):



This ant target uses the JDK jarsigner tool to get the jar signed. You can use this tool straight up too (no need to ride on ant).

The other important bits are the keystore, keypass and storepass. Again, I don't know too much about these because they were setup before I arrived, but I am pretty sure that there is nothing official (involving CA's) about them.

Actually, this doc http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/jarsigner.html seems pretty good at describing everything. So I'll leave this with you to digest.

So after all this, when I make my jars available with webstart, the user is able to download them but they are prompted to 'accept the risk and trust the source of the signing' in order to actually start the app. In our business environment its not an issue, cause everyone knows that we maintain the app. Everyone just accepts.

Hope this has helped.

Cheers, Jared.
[ May 11, 2005: Message edited by: Jared Cope ]
Irene Fernandez
Greenhorn

Joined: Jan 26, 1999
Posts: 15
I found this article about using Web Start and signing jars : http://www.ldodds.com/blog/archives/000089.html
It has a link to a document by Richard Dallaway named "Java Web Start and Code Signing : http://www.dallaway.com/acad/webstart/
Read this, particularly the section on Certificates. He refers you to Thawte Freemail at http://www.thawte.com/email/ You can apply for a free personal email certificate.

Irene
D Rog
Ranch Hand

Joined: Feb 07, 2004
Posts: 472

Indeed, this article is really useful and helped me a lot. To say more, Verisign gives month personal certificate for free. However I decided to not go with any certificate, because web start shows an approval popup in any case.
 
It is sorta covered in the JavaRanch Style Guide.
 
subject: all-permissions and free signing