Thordax

Reputation: 1733

"Your security settings have blocked a self-signed application from running" with a real pfx signed jar

I actually jarsign a Java applet with this command:

jarsigner -storetype pkcs12 -keystore my_real_certificate.pfx my_applet.jar my_alias_certificate -storepass my_password

When I launch my applet, I get the following error:

Your security settings have blocked a self-signed application from running

When I verify the jar, the result appears as follows:

jar verified.

Warning: This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing. This jar contains entries whose certificate chain is not validated. This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2017-05-22) or after any future revocation date.

For this warning:

This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing

I guess my certificate is not proper for jarsigning code. Could you tell me if this kind of warning would get me that kind of error on the client? Or could I still use this certificate?

For this warning:

This jar contains entries whose certificate chain is not validated.

I don't understand, because my certificate was really validated by a CA (Thawte). Should I indicate to Java or in my Windows certificate manager the complete certificate chain (with CA root and intermediate)? If so, what happens for the users of this applet? Should they also do this?

Thanks in advance for your answers.

Upvotes: 0

Views: 4701

Answers (1)

Stephen C

Reputation: 719679

I guess my certificate is not proper for jarsigning code.

Correct.

Could you tell me if this kind of warning would get me that kind of error on the client?

Yes.

Or could I still use this certificate?

Not for code signing. (It could be valid for other purposes though.)

I don't understand because my certificate was really validated by a CA (Thawte).

That doesn't seem to be the problem.

Should I indicate to Java or in my Windows certificate manager the complete certificate chain (with CA root and intermediate)?

I don't think that would work. And even if it did ...

If so, what happens for the users of this applet?

They will still find that the JAR won't run >>for them<<.

Should they also do this ?

Bad idea. You are effectively telling them to compromise their security to run your software ... because you haven't used a valid JAR signing key.

Upvotes: 1
