certificates & Java

Oke,

We are about to deploy to 5.1.2. We have now also installed all the 3rd-party plugins with signed certificates.
But we have to go to 5 screens??? (And later maybe more…)

Servoy B.V. - we have to click: TRUST, because it cannot be verified, jnlp is not signed
Trapman Marcellinus (IT2BE) - we have to click: INSTALL
iTech Professionals, Inc. (ServoyGuy) - we have to click: INSTALL
D.r Maison & Partner GmbH - we have to click: INSTALL
Direct ICT (couple of self signed jars, jasper plugin 3.0, sintpro scanner plugin) - we have to click TRUST
Patrick Talbot Open Source Developer - we have to click INSTALL.

I know this is only once, but does every customer of ours need to do this?? :(
Is this something that can be optimized?? :?
We realize that for every new plugin developer (with his own certificate) we get an extra screen… This can’t be true, right?

You can thank Oracle for this!
And unfortunately there’s nothing here that can be optimized :cry:

Servoy, can you tell something about this? will or can there be things optimized? (or in future releases?)

No, that is out of our hands.
It's webstart/java asking all these questions.

Or you have to sign everything yourself (as a customer) with the same certificate.
Then you only will get it once.

Oke, I was also thinking in that direction.
But how can this be done easily? We get all the jars now (Servoy AND 3rd-party plugins) signed already.
How do we remove the existing certificates? And most of all, can we do that without breaking something??

Is this something, that the signtester.jar could do?

Hi,

Or you have to sign everything yourself (as a customer) with the same certificate.
Then you only will get it once.

How would you go about doing the above ?

wvitpr:
Hi,

Or you have to sign everything yourself (as a customer) with the same certificate.
Then you only will get it once.

How would you go about doing the above ?

Read the sticky on the top in iServoy and read to the wiki pages.

Harjo:
Oke, I was also thinking in that direction.
But how can this be done easily? We get all the jars now (Servoy AND 3rd-party plugins) signed already.
How do we remove the existing certificates? And most of all, can we do that without breaking something??

Is this something, that the signtester.jar could do?

It was something I wanted to advise you at first as well, but there is no guarantee that it will not break a jar.
Our jars won’t break but there are a couple of jars that will.
Apart from that it is debatable if it is allowed to replace a signature…

I think with the current java version (>6_u14) you can double sign the jars.
(else you really have to remove it from the jar itself in the meta-inf dir)
So if double signing works, you could try to sign all the jars in the application_server dir with your own certificate.
Just loop over all the jars in a script and execute jarsigner of the jdk for all the jars.

jcompagner:
Just loop over all the jars in a script and execute jarsigner of the jdk for all the jars.

yeah, I’m an expert in that! :lol: :lol:

So nothing to expect from Servoy to ease things up?

I guess that we should start building for the browsers only. Good bye smarty client!

Can any of the super heroes in Servoy write a script that would do what Compagner suggested above?

Hi Johan,

jcompagner:
Just loop over all the jars in a script and execute jarsigner of the jdk for all the jars.

Any syntax, example scripts, etc for us ?

Oke, seems I’m not the only one struggling with this. :D
(And also not liking the multiple certificate windows)

oke, surfing the internet, I found this: http://mojo.codehaus.org/webstart/webst … en-plugin/

auto signing?
Maybe someone of Servoy could take a look of this…

If you don’t like all of the dialogs, you can just unzip the jars, remove the signing stuff from the meta-inf directory, then rezip into the jar file, and then sign all of them with your own certificate. Then you just get one extra dialog.

just ? For most Servoy developers there is no ‘just do this’ in this case.

  1. First unzip the jar. Place it in its own folder so it is easy to work with. Open terminal or some command line and navigate to where you placed the plugin jar. Run this command:

     jar -xvf pluginname.jar

  2. Then remove the signing stuff from when it was previously signed. You should see 2 files in the META-INF folder after you ran the previous command. One ends in “.RSA” and the other in “.SF”. Remove both of the files.

  3. Zip the jar back up. First remove the previous pluginname.jar from the folder so it doesn’t get zipped into itself. Then run this command (again inside of the directory where it was previously unzipped):

     jar -cf pluginname.jar *

  4. Now you have pluginname.jar that is unsigned. Next resign with your own certificate. Step-by-step instructions at my site: http://www.servoyguy.com/knowledge_base … _and_beans

The place I found to purchase my certificate was only $99 per year, and cheaper when you buy multi-year.
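
The manual steps above, combined with the earlier suggestion to loop over all the jars and run jarsigner, as one script. This is an added example, not code from any poster or from Servoy; the directory, keystore, alias and the STOREPASS environment variable are assumptions, and it repacks with `jar cfm` so each jar keeps its original manifest.

```shell
#!/bin/sh
# Added example: replace the signatures on every jar under a directory with
# one signature. Run it on a copy of the directory, never the live install.
# Usage (all three arguments are placeholders supplied by the caller):
#   STOREPASS=... sh resign.sh <dir-with-jars> <keystore> <key-alias>

# Delete signature files from an unpacked jar directory ($1). The steps above
# name .SF and .RSA; .DSA and .EC are the signature blocks of other key types.
strip_signature_files() {
  [ -d "$1/META-INF" ] || return 0
  find "$1/META-INF" -maxdepth 1 -type f \
    \( -iname '*.SF' -o -iname '*.RSA' -o -iname '*.DSA' -o -iname '*.EC' \) \
    -exec rm -f {} +
}

# Unpack, strip, repack, sign and verify one jar ($1) with keystore $2 and
# alias $3. Runs in a subshell; the original is replaced only on success.
resign_jar() (
  abs=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
  work=$(mktemp -d) || exit 1
  ( cd "$work" && jar xf "$abs" ) &&
  strip_signature_files "$work" &&
  if [ -f "$work/META-INF/MANIFEST.MF" ]; then
    # Reuse the original manifest so attributes such as Class-Path survive.
    jar cfm "$abs.new" "$work/META-INF/MANIFEST.MF" -C "$work" .
  else
    jar cf "$abs.new" -C "$work" .
  fi &&
  # The keystore password is read from $STOREPASS, not the command line.
  jarsigner -keystore "$2" -storepass:env STOREPASS "$abs.new" "$3" >/dev/null &&
  jarsigner -verify "$abs.new" | grep -q 'jar verified' &&
  mv "$abs.new" "$abs"
  rc=$?
  rm -rf "$work" "$abs.new"
  exit "$rc"
)

# Re-sign every jar below $1; print the jars that failed and return non-zero.
resign_tree() {
  failures=$(find "$1" -type f -name '*.jar' | while IFS= read -r f; do
    resign_jar "$f" "$2" "$3" </dev/null || printf '%s\n' "$f"
  done)
  [ -z "$failures" ] && return 0
  printf 'not re-signed (original kept):\n%s\n' "$failures" >&2
  return 1
}

if [ "$#" -eq 3 ]; then resign_tree "$@"; fi
```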

WOW. Thanks!

I think we should have a protocol or code of good practice that recognizes the owner or ‘creator’ of the original jars. Any idea on how this new single certificate should reflect the various original owners?

The JNLP files still show who the original owner is (will be displayed as the JARS download). However the SSL Cert will determine what shows up in the dialog when the user is asked to accept the security, etc. So, by signing someone else’s plugin, you’re essentially vouching for the developer to tell your users that the code is safe to run.

Scott, thanks for your reply & explanation, but
we are talking about 201 jar files (every jar I could find under application_server) :shock:
AND with every update of Servoy or 3rd-party plugin/bean, you have to do it again, all by hand… :?

This is undoable IMHO…

Maybe this ant-macro can do the job http://frank.neatstep.com/node/29.

If so, we can also make an ant-macro that does the signing with our own certificate. Then we could do this from within eclipse and it would be a piece of cake…