Hi
We are having major issues with the recently open sourced servoy-plugins.de and their security certificate. This problem has effectively rendered Servoy as unworkable in a major trial and is preventing users form loggin in. I am VERY interested to know if anyone using these plugins and beans is experiencing the same issues and whether they have found any work arounds.
Many thanks
Gordon
Have you tried self signing?
Thomas Parry:
Have you tried self signing?
Looks like I am going to have to figure out how this is done, its a bit of a disaster by all accounts mind you !!
Thanks
Gordon
Have a look at the ServoyForge project.
It is relatively straight forward
Just test to see if any or all of the Servoy jars need to be overwritten as well as other third party.
Hi Gordon,
Are you using the latest versions of the plugins?
I suggest you file issue reports on the appropriate project pages of these plugins if you still have issues.
If it’s an issue with signing then yes you could also self-sign them using the signtester.
Hope this helps.
To inform everyone of what happened: the certificate I used to sign the plugins has expired. So I contacted the issuer (Comodo) of the certificate and bought a renewal for another three years. I received the certificate, signed everything and tested it. All was fine.
Then I created a new installer and let everybody know it’s there. Soon after, complaints kept rolling in that the signature raises an error. On my system, I did not get that error. I contacted Comodo and asked them, but did not receive a useful answer. By playing around I figured out that the renewal certificate needed online validation (probably only the first time). Online validation has to be explicitly allowed in the settings of Java (Advanced/Security/General/Allow online validation).
Of course that was not what we wanted. Nobody knows about this, nobody wants to tell his users about this and some users are not even allowed to set this or have no online access. I talked to Comodo again and was told that this was a bug in Java and I should ask Oracle for a fix. To make a long story short: a few days ago I gave up discussing with them and received a refund. Now I am trying to find out what certificate (currently) works and get that. The odd thing is that my original certificate from Comodo did not suffer from this problem.
After I heard of the issues, I took the installer offline. I don’t think many people actually downloaded the installer with that problem certificate, but I don’t know. I am sorry for all who are hit by this, but please understand that this whole matter is a complete nightmare for all plugin providers. Many of us create their plugins in their free time and the least they want to deal with is this.
Until I have found a certificate that seems to work fine, I have signed everything with the expired certificate again. This will only raise a warning once (at least as far as I have seen). The installer is available again.
Patrick
That’s bad indeed.
FYI, I’ve renewed last march my certificate to use a GlobalSign certificate.
Just checked and I’ve been using it with the ‘activate online verification of certificates’ flag set to false, so it seems like a good choice, they aare also one of the rare that provide signing certificate for individual developers.
http://www.globalsign.com/code-signing/
Like Patrick I use GlobalSign as well.
Although my first experience with them (2 years ago) was not that good I decided to stick with them.
When generating my certificates I checked that it would be possible to use unverified certificates and it is (when the Java settings allow it).
That confirms what Patrick already stated.