JAR signing with Servoy >= 5.1.2, 4.1.6, 3.5.11 OR JRE=>6.19

See http://wiki.servoy.com/x/SpV7 for a comprehensive overview of running Servoy in combination with Java 6 update 19

Paul

Hi. I followed all steps in the referenced wiki.

Everything went smoothly, until I went to have the client connect.

I got this error:

JAR resources in JNLP file are not signed by same certificate

JNLPException[category: Launch File Error : Exception: null : LaunchDesc: 
<jnlp spec="1.0+" codebase="http://192.168.1.115:8080/" href="http://192.168.1.115:8080/servoy-client/plugins/pdf_output.jar.jnlp">
  <information>
    <title>Servoy Client Plugins</title>
    <vendor>Servoy and Others</vendor>
    <homepage href="null"/>
    <offline-allowed/>
  </information>
  <security>
    <all-permissions/>
  </security>
  <update check="timeout" policy="always"/>
  <resources>
    <jar href="http://192.168.1.115:8080/plugins/pdf_output.jar" version="1271907936370" part="pdfoutput" download="eager" main="false"/>
    <jar href="http://192.168.1.115:8080/plugins/pdf_output/itext.jar" version="2.0.3" part="itext" download="eager" main="false"/>
    <jar href="http://192.168.1.115:8080/plugins/pdf_output/bcmail-jdk14-135.jar" version="1.35.0" part="bouncycastle" download="eager" main="false"/>
    <jar href="http://192.168.1.115:8080/plugins/pdf_output/bcprov-jdk14-135.jar" version="1.35.0" part="bouncycastle" download="eager" main="false"/>
    <package name="com.lowagie." part="itext" recursive="true"/>
    <package name="org.bouncycastle." part="bouncycastle" recursive="true"/>
  </resources>
  <component-desc/>
</jnlp> ]
	at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(Unknown Source)
	at com.sun.javaws.LaunchDownload.checkSignedResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareLaunchFile(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.launch(Unknown Source)
	at com.sun.javaws.Main.launchApp(Unknown Source)
	at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
	at com.sun.javaws.Main$1.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source

I cleared the cache on the client, still same error.

Any ideas on this one?

Client is on Windows XP - Java 1.6.0
Server is Windows 7 running Servoy 4.1.6

Apparently the jars described in the jnlp are not all signed using the same keystore.
Are you sure all these jar are signed with the same keystore:

  • pdf_output.jar
  • itext.jar
  • bcmail-jdk14-135.jar
  • bcprov-jdk14-135.jar

When you run signtester.jar to detect the ones which are not signed, does it detect all of them or just a few?

the problem here is again the version attributes in these:

instead of version="1.35.0" make it version="%%version%%"

Hi,
I've just used the signing tool following the instructions on the wiki, and I managed to sign everything. After this I installed one of the newly signed jars on the server (where I couldn't install it before because it was unsigned and my app wouldn't work) and the app is downloaded and verified correctly (I don't get any error for unsigned jars), but my client freezes while loading. I tried it on another pc and it works; I erased the java webstart cache and it's still no good.
I'm getting this error on the server log:

2010-07-19 17:18 ClientExportNotifyListner[6] ERROR com.servoy.j2db.util.Debug Signalling channel lost when reading pings or client export notifies, removing ports:
I/O exception, see log for full details: Connection reset

Any idea what it could be? I'm using Servoy 5.1.2 and JRE 6.20
Thanks.

Do enable the java webstart console for that specific pc.
And do wait at least a few minutes (to see if it really doesn't report a timeout error).

This looks more like a connection problem with that specific pc. Is it behind a firewall? Or are there virus scanners on that pc that maybe could interfere?

Do enable the java webstart console for that specific pc.

How do I do that?

The thing is that the client worked just fine before I started the process of signing the jars; I didn't change any configuration or anything else. Once I finished signing and installed the plugin on the server it stopped working on this pc.

Signing the jars shouldn't matter at all for the execution (when the client does start up and you see the main window).
If there were stuff related to signing it should have reported it a bit earlier.

In the java preferences (in the control panel of windows) you can enable the java console.

I enabled the console and the only difference is that now I see a security popup saying that java detected application components that may denote security problems, and it asks if I want to prevent their execution, but I get no chance to answer since it all freezes: the client, the console and the popup.

The dialog has a bug in it that prevents the user from allowing some jars to execute.
What you could do on this client - as a workaround until the next update corrects this bug - is to disable the mix-code verification.

Go to the java panel, in the advanced tab, under the security node / mix code, and choose to disable the verification.
Then restart your app, the dialog should not appear again.

The error also sounds a lot like you haven't signed everything…
You have to sign everything, also 3rd party plugins.

I disabled the verification and it works now, thanks a lot Patrick.
Is there any idea of when this will be fixed?

Regarding what you said, Johan: isn't the signtester supposed to check every plugin (even 3rd party ones)? If I run it, every plugin passes; none fails to validate. So I don't know what the problem could be.

Hum, there’s one case where the signtester tool would not operate: if you use the overwrite option to resign ALL the jars, one jar that will never be resigned is the /beans/swingbeans.jar - I have added an explicit test about it in the JarUnsigner class.

FYI, the overwrite option does this:
foreach jar (except swingbeans.jar)
    unsign = { unjar, remove all signature files, jar again }
    sign using the keystore provided
end

This is because the sign tool was not capable of signing the swingbeans.jar which is empty (apart from the manifest), so I avoid unsigning it because re-signing it will fail. Now what can happen is that if you resign all your jars and you have the swingbeans.jar in the /beans subfolder, you might still have an alert about mix-code because the signature will not be the same (and I believe that Servoy is loading all the beans using one jnlp extension)

Johan, maybe this particular jar could be loaded apart from all the others?
Or do you have a suggestion to sign this one using the signtester tool?

That jar isn't loaded to the client.
Just look at the generated jnlp file: in the later version (released after 6.19) swing beans is not included.
That one is only really needed in the developer.

But that mixed mode checking should only happen if there is signed and non-signed code, so with a default install and the default java settings do you have the same problem?

I have the same problem; this is a way to unsign jars:

jar xf name.jar – extract the jar
remove the META DATA.
remove the jar
jar cf name.jar org/ License/ README.TXT

jar xf extract jar
jar cf create jar

after that sign the jar

jarsigner -keystore name.ks -storepass password -keypass password name.jar alias
jarsigner -verify name.jar
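
The unsigning step discussed in this thread (extract, remove the signature files, re-create the jar), as an added Python example that is not part of the original posts and is not the signtester tool's code. The function names and the sample jar are constructed for illustration; unlike re-creating the archive with `jar cf`, this version keeps the existing MANIFEST.MF.

```python
import io
import zipfile

# Signature entries per the JAR file specification: META-INF/*.SF, *.DSA,
# *.RSA, *.EC and META-INF/SIG-* (directly inside META-INF only).
SIG_SUFFIXES = (".SF", ".DSA", ".RSA", ".EC")


def is_signature_entry(name):
    """True if `name` is a signature file directly inside META-INF/."""
    upper = name.upper()
    if not upper.startswith("META-INF/"):
        return False
    base = upper[len("META-INF/"):]
    if not base or "/" in base:
        return False
    return base.endswith(SIG_SUFFIXES) or base.startswith("SIG-")


def unsign_jar(src, dst):
    """Copy jar `src` to `dst` without signature files; return removed names.
    MANIFEST.MF is copied unchanged, so attributes such as Class-Path survive."""
    removed = []
    with zipfile.ZipFile(src) as zin, \
         zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            if is_signature_entry(info.filename):
                removed.append(info.filename)
                continue
            zout.writestr(info, zin.read(info.filename))
    return removed


def build_sample_jar():
    """Constructed sample: a tiny jar with fake signature files (not a real signature)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nClass-Path: lib/x.jar\n")
        z.writestr("META-INF/OLDKEY.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/OLDKEY.RSA", b"\x30\x00")
        z.writestr("META-INF/services/demo.Plugin", "demo.Impl\n")
        z.writestr("org/demo/Impl.class", b"\xca\xfe\xba\xbe")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print("removed:", unsign_jar(build_sample_jar(), io.BytesIO()))
```

`src` and `dst` can also be file paths; the output jar is then re-signed and checked with the jarsigner commands shown in the post above.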

I have a question about plugins having a jnlp which calls several jars not signed using the same certificate. Do we have to manually unsign them and resign them?!
Here is the list of jars I’m using in my plugin:

<resources>
  <jar href="/plugins/agxchangeplugin.jar" download="eager" part="http" version="%%version%%"/>
  <jar href="/plugins/agxchangeplugin/ant.jar" download="%%loadmethod%%" version="2.1"/>
  <jar href="/plugins/agxchangeplugin/commons-httpclient-contrib.jar" download="%%loadmethod%%" version="2.1"/>
  <jar href="/plugins/agxchangeplugin/commons-transaction-1.1b2.jar" download="%%loadmethod%%" version="1.1b2"/>
  <jar href="/plugins/agxchangeplugin/commons-vfs-1.1-patched-hc301-SNAPSHOT.jar" download="%%loadmethod%%" version="1.1"/>
  <jar href="/plugins/agxchangeplugin/commons-xmlio-0.1pre.jar" download="%%loadmethod%%" version="0.1"/>
  <jar href="/plugins/agxchangeplugin/geronimo-spec-j2ee-1.0-M1.jar" download="%%loadmethod%%" version="1.0"/>
  <jar href="/plugins/agxchangeplugin/commons-xmlio-0.1pre.jar" download="%%loadmethod%%" version="0.1"/>
  <jar href="/plugins/agxchangeplugin/jdom-1.0.jar" download="%%loadmethod%%" version="1.0"/>
  <jar href="/plugins/agxchangeplugin/commons-xmlio-0.1pre.jar" download="%%loadmethod%%" version="1.0"/>
  <jar href="/plugins/agxchangeplugin/webdavclient4j-ant-0.92.jar" download="%%loadmethod%%" version="0.92"/>
  <jar href="/plugins/agxchangeplugin/webdavclient4j-cmd-0.92.jar" download="%%loadmethod%%" version="0.92"/>
  <jar href="/plugins/agxchangeplugin/webdavclient4j-core-0.92.jar" download="%%loadmethod%%" version="0.92"/>
  <jar href="/plugins/agxchangeplugin/webdavclient4j-jca-0.92.jar" download="%%loadmethod%%" version="0.92"/>
  <jar href="/plugins/agxchangeplugin/webdavclient4j-vfs-0.92.jar" download="%%loadmethod%%" version="0.92"/>
  <jar href="/lib/commons-logging.jar" download="%%loadmethod%%" version="3.0"/>
</resources>

you have 2 options

sign them all with the same certificate, the great tool from patrick can help you with that.

or give every jar (set) that has the same certificate a jnlp file and include the jnlp file(s) of that in your main jnlp file.

jcompagner:
you have 2 options

sign them all with the same certificate, the great tool from patrick can help you with that.

or give every jar (set) that has the same certificate a jnlp file and include the jnlp file(s) of that in your main jnlp file.

Ok, the second solution looks “cleaner” to me.

Thanks :D

Hello, I have some doubts about this.

The first is: in what directory do I have to put the signtester and my key? In the application server?

The second is whether this command:

java -jar signtester.jar pentakeystore.ks pentamsi PentaPlugins

is correct for signing all the jars in the plugins folder?

And the last: I am running the app on the server, but it gives me this error:

<?xml version="1.0" encoding="UTF-8" standalone="no"?><jnlp codebase="http://localhost:8080" href="/servoy-client/plugins/servoy_jasperreports.jar.jnlp" spec="1.0+">
	<information>
		<title>Servoy Client Plugins</title>
		<vendor>Servoy and Others</vendor>
	</information>
	<resources> 
		<jar download="eager" href="/plugins/servoy_jasperreports.jar" version="1322233376000"/>
      <jar download="eager" href="/plugins/servoy_jasperreports/commons-io.jar" part="commons-io" version="1322233406000"/>
         <package name="org.apache.commons.io.*" part="commons-io" recursive="true"/>
      <jar download="eager" href="/lib/commons-collections.jar" part="commons-collections" version="1305029539677"/>
         <package name="org.apache.commons.collections.*" part="commons-collections" recursive="true"/>
      <jar download="eager" href="/lib/commons-logging.jar" part="commons-logging" version="1305029539795"/>
         <package name="org.apache.commons.logging.*" part="commons-logging" recursive="true"/>
      <jar download="eager" href="/lib/commons-dbcp.jar" part="commons-dbcp" version="1305029539715"/>
         <package name="org.apache.commons.dbcp.*" part="commons-dbcp" recursive="true"/>
         <package name="org.apache.commons.jocl.*" part="commons-dbcp" recursive="true"/>
      <jar download="eager" href="/plugins/servoy_jasperreports/jasperreports-4.5.1.jar" version="1337698808000"/>
      <jar download="eager" href="/plugins/servoy_jasperreports/commons-beanutils-1.8.2.jar" part="commons-beanutils" version="1337699285093"/> 
         <package name="org.apache.commons.beanutils.*" part="commons-beanutils" recursive="true"/> 
      <jar download="eager" href="/plugins/servoy_jasperreports/commons-digester-2.1.jar" part="commons-digester" version="1337699286499"/> 
         <package name="org.apache.commons.digester.*" part="commons-digester" recursive="true"/> 
      <jar download="eager" href="/plugins/servoy_jasperreports/iText-2.1.7.jar" part="itext" version="1322233410000"/> 
         <package name="com.lowagie.*" part="itext" recursive="true"/> 
      <jar download="eager" href="/plugins/servoy_jasperreports/jdt-compiler-3.1.1.jar" part="jdt-compiler" version="1322233418000"/> 
         <package name="org.eclipse.jdt.*" part="jdt-compiler" recursive="true"/> 
      <jar download="eager" href="/plugins/servoy_jasperreports/poi-3.7-20101029.jar" part="poi" version="1337699300734"/> 
         <package name="org.apache.poi.*" part="poi" recursive="true"/>  
	</resources> 
	<component-desc/> 
	<security>
		<all-permissions/>
	</security>
</jnlp>

Thanks for all

pentamsi:
The first is: in what directory do I have to put the signtester and my key? In the application server?

Yes, the application_server folder is the right one.

pentamsi:
The second is whether this command:
java -jar signtester.jar pentakeystore.ks pentamsi PentaPlugins
is correct for signing all the jars in the plugins folder?

Starting from the application server this will sign all the jar files in the plugin folder, bean folder and lib folder and eventually some additional jar files which the browser suite depends on (only applicable if you’re using this suite)

pentamsi:
And the last: I am running the app on the server, but it gives me this error:

<?xml version="1.0" encoding="UTF-8" standalone="no"?> Servoy Client Plugins Servoy and Others

I don’t see any error, but I can imagine executing the client will break on the JasperReports plugin when you just signed your plugins.
This plugin has dependencies in the application_server/lib folder and all files of 1 vendor (servoy in this case) should be signed by the same certificate.

Hope this helps