all-permissions and free signing

I have an open source Java application which I want to give webstart. However it requires all-permissions, so I have to sign it. Since it's open source project not attached to any firm, I do not want to deal with any CA and purchase certificate. Is there any way to generate not trusted certificate and then use it for signing jars? Will web start accept such certificate with additional warning? I know it works fine for SSL, but what's about webstart?

Originally posted by D Rog:
Since it's open source project not attached to any firm, I do not want to deal with any CA and purchase certificate. Is there any way to generate not trusted certificate and then use it for signing jars?

You are able to sign your jars without purchasing a certificate. If webstart does not recognise the certificate it will prompt the user to continue or cancel the loading and running of the application.

However, if you are trying to get the public to use your app, you have to ask yourself "will people download and trust my app if I don't even have a certificate they can check up on?"

cheers, Jared.

Can you refer me to some doc how to do that?
Regarding second, I do not care. It's free open source software, people are asking me for web start, so I do that. I do not encourage people to use this software, it's designed mostly for personal use.

Hi,

I'll do my best, though I must admit that a lot of this was setup before I worked on this project, so a lot was in place already.

I use an ant target in order to get my jar file signed. below is the ant target that in in our build.xml file (relevant parts obscured):

This ant target uses the JDK jarsigner tool to get the jar signed. You can use this tool straight up too (no need to ride on ant).

The other important bits are the keystore, keypass and storepass. Again, I don't know too much about these because they were setup before I arrived, but I am pretty sure that there is nothing official (involving CA's) about them.

Actually, this doc http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/jarsigner.html seems pretty good at describing everything. So I'll leave this with you to digest.

So after all this, when I make my jars available with webstart, the user is able to download them but they are prompted to 'accept the risk and trust the source of the signing' in order to actually start the app. In our business environment its not an issue, cause everyone knows that we maintain the app. Everyone just accepts.

Hope this has helped.

Cheers, Jared.
[ May 11, 2005: Message edited by: Jared Cope ]

I found this article about using Web Start and signing jars : http://www.ldodds.com/blog/archives/000089.html
It has a link to a document by Richard Dallaway named "Java Web Start and Code Signing : http://www.dallaway.com/acad/webstart/
Read this, particularly the section on Certificates. He refers you to Thawte Freemail at http://www.thawte.com/email/ You can apply for a free personal email certificate.

Irene

Indeed, this article is really useful and helped me a lot. To say more, Verisign gives month personal certificate for free. However I decided to not go with any certificate, because web start shows an approval popup in any case.