Matthew Pigram

Reputation: 1430

Morena signed Jars causing problems with my Jars

I'm using the Morena APIs in order to make use of scanners through Java. However, the Morena jars have been signed using a different key than the rest of my project. This is causing problems when I'm trying to run my applet and gives the following runtime exception:

"Jar resources in JNLP file are not signed by the same certificate"

I am using NetBeans for my project, so how can I force Morena to use my signature rather than the one it came with?

JNLP files that are auto-generated by NetBeans:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<jnlp href="launch.jnlp" spec="1.0+">
<information>
    <title>ArFile</title>
    <vendor>Matthew Pigram</vendor>
    <homepage href="http://www.allcarecomputerservices.com"/>
    <description>ArFile is designed to allow users to effectively manage documents through a convenient cloud storage facility</description>
    <description kind="short">ArFile</description>

</information>
<update check="always"/>
<security>
    <all-permissions/>
</security>
<resources>
    <j2se java-vm-args="-Djava.security.policy=applet.policy" version="1.6+"/>
    <jar href="ArFile.jar" main="true"/>
    <jar href="lib/commons-codec-1.4.jar"/>
    <jar href="lib/jdom.jar"/>
    <jar href="lib/security-1.1.jar"/>
    <jar href="lib/emcesu.jar"/>
    <jar href="lib/commons-io-2.3-javadoc.jar"/>
    <jar href="lib/commons-io-2.3-sources.jar"/>
    <jar href="lib/commons-io-2.3-test-sources.jar"/>
    <jar href="lib/commons-io-2.3-tests.jar"/>
    <jar href="lib/commons-io-2.3.jar"/>
    <jar href="lib/jodconverter-core-3.0-beta-4.jar"/>
    <jar href="lib/juh-3.2.1.jar"/>
    <jar href="lib/jurt-3.2.1.jar"/>
    <jar href="lib/ridl-3.2.1.jar"/>
    <jar href="lib/unoil-3.2.1.jar"/>
    <jar href="lib/mail.jar"/>
    <jar href="lib/log4j-1.2.16.jar"/>
    <jar href="lib/morena.jar"/>
    <jar href="lib/morena_windows.jar"/>
</resources>
<applet-desc height="604" main-class="com.allcare.arfile.ArFileJApplet" name="ArFile" width="756">
</applet-desc>
</jnlp>

And also this one:

<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="${jnlp.codebase.value}">
    <information>
        <title>jnlpcomponent1</title>
        <vendor>JARSIGNI</vendor>
    </information>
    <security>
        <all-permissions/>
    </security>
    <resources>
        <jar href="lib/morena.jar" download="eager"/>
        <jar href="lib/morena_windows.jar" download="eager"/>
    </resources>
    <component-desc/>
</jnlp>

Upvotes: 0

Views: 885

Answers (2)

Ajay George

Reputation: 11875

This is the way Java Web Start ensures that the jars that the client downloads are not compromised. It is a security feature.

What you can do is try signing the Morena jar using your certificate rather than the default one.

Using keytool and jarsigner you can sign the jars.

EDIT: Beginning with Java Web Start 1.5.0, you can multiply sign the jar, adding code signing certificates over another existing certificate chain.

http://docs.oracle.com/javase/1.5.0/docs/guide/javaws/developersguide/faq.html#221

So you can sign the Morena jar with your signature and that will resolve the issue.

Upvotes: 1

Andrew Thompson

Reputation: 168845

Here are two ways to solve this problem:

  1. Move the Morena API Jars into a JWS extension. This would be the best way to go, since it can claim its own level of privileges, and be reused in other apps.
  2. Strip the digital signatures from the Morena Jars and sign them with your own certificate.

Upvotes: 1
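
The "strip the digital signatures" step from option 2 above, as an added Python example that is not part of the original answers; the sample jar, its entry names and the `VENDOR` alias are constructed for illustration. The stripped jar would then be signed with `jarsigner` under your own key, as the first answer suggests.

```python
import io
import re
import zipfile

# Entries jarsigner adds under META-INF/: <ALIAS>.SF plus a signature block
# (<ALIAS>.RSA, .DSA or .EC); the JAR spec also reserves names starting SIG-.
SIG_ENTRY = re.compile(r"META-INF/(?:[^/]+\.(?:SF|RSA|DSA|EC)|SIG-[^/]*)", re.I)


def signature_entries(jar_bytes):
    """Names of the signature-related entries present in a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(n for n in jar.namelist() if SIG_ENTRY.fullmatch(n))


def strip_signatures(jar_bytes):
    """Return a copy of the jar without its signature entries.

    Every other entry, MANIFEST.MF included, is copied with its content unchanged.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
         zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if SIG_ENTRY.fullmatch(info.filename):
                continue  # drop the previous signer's files
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def make_sample_jar():
    """Constructed stand-in for a vendor-signed jar (contents are dummy bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/VENDOR.SF", "Signature-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/VENDOR.RSA", b"\x30\x82constructed")
        # Not a signature file: it sits in a subdirectory of META-INF/.
        jar.writestr("META-INF/services/example.Provider", "example.Impl\n")
        jar.writestr("example/Impl.class", b"\xca\xfe\xba\xbeconstructed")
    return buf.getvalue()


if __name__ == "__main__":
    signed = make_sample_jar()
    print("before:", signature_entries(signed))
    print("after: ", signature_entries(strip_signatures(signed)))
```

Running `signature_entries` over every jar listed in the JNLP file shows which ones still carry another signer's files before the application is deployed.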
