Important: new certificate for servoy-plugins.de components

We have released a new installer with an updated code signing certificate for all of our components. All users of servoy-plugins.de components are strongly encouraged to install the updates, since the old certificate is about to expire in a few days!

The new certificate will last the next three years, so you should have peace of mind then.

The new installer is available from servoy-plugins.de.

Hi,

If I install the new version (log plugin) I get an error and the application will not start:

java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
	at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
	at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
	at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(Unknown Source)
	at com.sun.javaws.LaunchDownload.checkSignedResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.launch(Unknown Source)
	at com.sun.javaws.Main.launchApp(Unknown Source)
	at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
	at com.sun.javaws.Main$1.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)
Caused by: java.security.cert.CertPathValidatorException: java.security.InvalidKeyException: Wrong key usage
	at sun.security.provider.certpath.OCSPResponse.verifyResponse(Unknown Source)
	at sun.security.provider.certpath.OCSPResponse.<init>(Unknown Source)
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	at sun.security.provider.certpath.OCSP.check(Unknown Source)
	at com.sun.deploy.security.TrustDecider.doOCSPEEValidation(Unknown Source)
	... 13 more
Caused by: java.security.InvalidKeyException: Wrong key usage
	at java.security.Signature.initVerify(Unknown Source)
	... 18 more

I have heard about this problem from a few people now and have decided to temporarily take down the updated installer until this issue is resolved with the issuer of the certificate. Unfortunately, their response time is not so great. In my tests on a Windows 7, Java 6 machine with a clean install of Servoy I had zero problems with the new certificate, but it seems that at least on the Mac it simply does not work.

I will provide the installer with all components signed with the expired certificate early next week. The old certificate will raise a warning when starting a client. That warning can be dismissed. As soon as the issuer has provided me with a fix or workaround for this, I will take the latest installer with a valid certificate back online.

I am very sorry about the inconveniences this causes to some of you. I am really annoyed by the ongoing hassles this “security” measurement causes to all people who simply want to provide enhancements to Servoy.

This is on Windows 7, Java 6.

B.t.w. indeed, this is annoying!!

I greatly respect all the work the plugin builders do for us.

Maybe Servoy could/should assist them in these security issues.
Is it possible that they use the same certificate mechanism/provider as Servoy does, so we will not get into this kind of problem!!

Regards,

Hans Nieuwenhuis:
Maybe Servoy could/should assist them in these security issues.
Is it possible that they use the same certificate mechanism/provider as Servoy does, so we will not get into this kind of problem!!

This has been discussed before but they can not :(
The idea behind the certification is that we, developers, are who we say that we are so that, in the event of malware, we are traceable (my own interpretation).
Servoy can not and should not take responsibility for our work (and so far will not either).

If you want to avoid this ‘hassle’ you can remove the signatures and replace them with your own signature like some Servoy devs do.

Thanks Marcel.

I am not a security specialist.
Is it easy to work with my own certificates ??
Is there a kind of cookbook for this ?

Regards,

There is the signing tool on ServoyForge (https://www.servoyforge.net/projects/signtester) that makes this a fairly easy process.

More technical there is this: http://docs.oracle.com/javase/tutorial/ … index.html

And here a bit about the why: http://ssl.entrust.net/blog/?p=697

BTW, signing yourself will mean that you have to re-sign after each download of any component obviously.

That is just how it is.
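
The re-signing route described above (remove the existing signatures, then sign with your own key), as an added example that is not part of the original posts and is not the signtester tool's code. It assumes a JDK on the PATH (keytool, jar, jarsigner); the jar, the aliases `vendor` and `own`, the password and the function names are all constructed for illustration.

```shell
#!/bin/sh
# Added example; every name, password and file below is constructed.
# Requires a JDK on PATH (keytool, jar, jarsigner).
PASS=changeit

make_key() {          # $1 keystore, $2 alias: throwaway self-signed signing key
  keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -validity 30 \
    -dname "CN=$2 (constructed)" -keystore "$1" -storetype PKCS12 \
    -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
}

sign_jar() {          # $1 keystore, $2 alias, $3 jar (signed in place)
  jarsigner -keystore "$1" -storetype PKCS12 -storepass "$PASS" \
    "$3" "$2" >/dev/null 2>&1
}

sig_files() {         # list the signature-related entries of jar $1
  jar tf "$1" | grep -E '^META-INF/[^/]+\.(SF|RSA|DSA|EC)$'
}

strip_signatures() {  # $1 signed jar (absolute path), $2 output jar
  tmp=$(mktemp -d) || return 1
  (cd "$tmp" && jar xf "$1") || return 1
  # The .SF file and the signature block are what tie the jar to a signer.
  rm -f "$tmp"/META-INF/*.SF "$tmp"/META-INF/*.RSA \
        "$tmp"/META-INF/*.DSA "$tmp"/META-INF/*.EC
  # Reuse the original manifest so its main attributes survive the rebuild.
  jar cfm "$2" "$tmp/META-INF/MANIFEST.MF" -C "$tmp" . && rm -rf "$tmp"
}

resign_demo() {       # prints the signature files left after re-signing
  w=$(mktemp -d) || return 1
  echo 'constructed payload' > "$w/plugin.txt"
  jar cf "$w/plugin.jar" -C "$w" plugin.txt
  make_key "$w/vendor.p12" vendor && make_key "$w/own.p12" own || return 1
  sign_jar "$w/vendor.p12" vendor "$w/plugin.jar"   # stands in for the download
  strip_signatures "$w/plugin.jar" "$w/resigned.jar" || return 1
  sign_jar "$w/own.p12" own "$w/resigned.jar" || return 1
  jarsigner -verify "$w/resigned.jar" >/dev/null || return 1
  sig_files "$w/resigned.jar"
  rm -rf "$w"
}

if [ "${1:-}" = demo ]; then resign_demo; fi
```

Running the script with the argument `demo` performs the whole sequence and prints the signature files left in the re-signed jar, which should name only the `own` signer.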

I am still a bit puzzled by the certificates on our production server.

If for instance I look at the certificates from It2Be I see :

 it2be 	Validity	[From: Mon Apr 12 13:15:40 CEST 2010, To: Thu Apr 12 13:15:35 CEST 2012]

 it2be	Validity	[From: Tue Feb 08 17:12:23 CET 2011, To: Thu Apr 12 13:15:35 CEST 2012]

But everything runs fine, with no warnings ?

How can this be ?

Regards,

It (also) depends on the Java settings and how you deal with certificate warnings.
Maybe you decided, at some point, to just trust them full stop.

Thanks Marcel,

So this means that ( with the correct java settings ) an expired certificate will keep “working” ?

Regards,

An expired certificate will always keep working (if I am not mistaken).
Depending on the settings obviously.

This error is caused when you have “enable online certificate validation” not checked in the Java Control Panel advanced tab.
Somehow certain certificates just must be validated online else they won’t validate…

OK, they finally seem to have fixed this issue, first for u12:

http://bugs.sun.com/bugdatabase/view_bu … id=7197652

That one has a release date, I guess, of June this year, but happily they seem to backport it to u11:

http://bugs.sun.com/bugdatabase/view_bu … id=8000784

So it seems to also be in u11, which is coming next month (Feb).