• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

all-permissions and free signing

 
Ranch Hand
Posts: 472
Objective C Ubuntu Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I have an open source Java application which I want to give webstart. However it requires all-permissions, so I have to sign it. Since it's open source project not attached to any firm, I do not want to deal with any CA and purchase certificate. Is there any way to generate not trusted certificate and then use it for signing jars? Will web start accept such certificate with additional warning? I know it works fine for SSL, but what's about webstart?
 
Ranch Hand
Posts: 243
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

Originally posted by D Rog:
Since it's open source project not attached to any firm, I do not want to deal with any CA and purchase certificate. Is there any way to generate not trusted certificate and then use it for signing jars?



You are able to sign your jars without purchasing a certificate. If webstart does not recognise the certificate it will prompt the user to continue or cancel the loading and running of the application.

However, if you are trying to get the public to use your app, you have to ask yourself "will people download and trust my app if I don't even have a certificate they can check up on?"

cheers, Jared.
 
D Rog
Ranch Hand
Posts: 472
Objective C Ubuntu Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Can you refer me to some doc how to do that?
Regarding second, I do not care. It's free open source software, people are asking me for web start, so I do that. I do not encourage people to use this software, it's designed mostly for personal use.
 
Jared Cope
Ranch Hand
Posts: 243
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi,

I'll do my best, though I must admit that a lot of this was setup before I worked on this project, so a lot was in place already.

I use an ant target in order to get my jar file signed. below is the ant target that in in our build.xml file (relevant parts obscured):



This ant target uses the JDK jarsigner tool to get the jar signed. You can use this tool straight up too (no need to ride on ant).

The other important bits are the keystore, keypass and storepass. Again, I don't know too much about these because they were setup before I arrived, but I am pretty sure that there is nothing official (involving CA's) about them.

Actually, this doc http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/jarsigner.html seems pretty good at describing everything. So I'll leave this with you to digest.

So after all this, when I make my jars available with webstart, the user is able to download them but they are prompted to 'accept the risk and trust the source of the signing' in order to actually start the app. In our business environment its not an issue, cause everyone knows that we maintain the app. Everyone just accepts.

Hope this has helped.

Cheers, Jared.
[ May 11, 2005: Message edited by: Jared Cope ]
 
Greenhorn
Posts: 15
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I found this article about using Web Start and signing jars : http://www.ldodds.com/blog/archives/000089.html
It has a link to a document by Richard Dallaway named "Java Web Start and Code Signing : http://www.dallaway.com/acad/webstart/
Read this, particularly the section on Certificates. He refers you to Thawte Freemail at http://www.thawte.com/email/ You can apply for a free personal email certificate.

Irene
 
D Rog
Ranch Hand
Posts: 472
Objective C Ubuntu Linux
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Indeed, this article is really useful and helped me a lot. To say more, Verisign gives month personal certificate for free. However I decided to not go with any certificate, because web start shows an approval popup in any case.
 
Consider Paul's rocket mass heater.
reply
    Bookmark Topic Watch Topic
  • New Topic