Servoy Forum

Because in java 7 all code must be properly signed with a valid certificate, we followed these steps:

https://wiki.servoy.com/display/tutoria ... ertificate
https://wiki.servoy.com/display/tutoria ... +Authority
https://wiki.servoy.com/display/tutorials/JAR+signing

We got a free (test) certificate from the http://www.instantssl.com website and we got succesfully our crt file back vald for 90 days. Imported the crt file into our ks file succesfully (including the 'parents'). Then we used the ks file to sign all the jars in de application folder. Cleared the de java cache, restarted the Servoy applicationserver. When starting a smartclient this message comes up:
sun.security.validator.ValidatorException: Extended key usage does not permit use for code signing
at sun.security.validator.EndEntityChecker.checkCodeSigning(Unknown Source)
at sun.security.validator.EndEntityChecker.check(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at com.sun.deploy.security.TrustDecider.getValidationState(Unknown Source)
at com.sun.deploy.security.TrustDecider.validateChain(Unknown Source)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareResources(Unknown Source)
at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

Are we doing something wrong?

Sounds like the certificate is not a code signing certificate, but "just" a SSL certificate. You need a code signing certificate.

Sounds like the certificate is not a code signing certificate, but "just" a SSL certificate. You need a code signing certificate.

So the Servoy documentation on this is wrong?

See: https://wiki.servoy.com/display/tutorials/JAR+signing

Hi Jos,

I guess you are referring to the page linked in that page (https://wiki.servoy.com/display/tutoria ... +Authority).
And indeed that talks about an SSL certificate. That page is correct when you want to use an SSL connection on your Servoy server but not for when you want to resign your jars. At least the reference to an SSL certificate is wrong in this context.

I'm indeed referring to the links on that page. May be someone can improve those explanations...? It is confusing for the non Java and/or non certificate experts
Since it gets mandatory to sign all the jars officially and properly in the near future...
Thanks!

We purchased indeed a codesigning certificate from Thawte (it took them 1.5 week to check us out (-: instead of the mentioned 2 or 3 working days) but the process itself is not very difficult. In the end you can pick-up a bunch of codelines that have to be copy-pasted into a file that can be imported in the original .ks file. Basicly I followed all the steps again in the above explanations. Now our software is properly signed with one trusted signature (don't forget de codebase flag: -Dcodebase=* in the actual signtester command. The * means it can be anything... ).
Except for the yellow box about the Permissions attribute in the jnlp file, but I understood this is going to dissappear by itself when the next update (Servoy? Java?) is released.