JAR signing with Servoy >= 5.1.2, 4.1.6, 3.5.11 OR JRE=>6.19

Questions and Answers on installation, deployment, management, locking, tranasactions of Servoy Application Server

JAR signing with Servoy >= 5.1.2, 4.1.6, 3.5.11 OR JRE=>6.19

Postby pbakker » Wed Apr 14, 2010 5:15 pm

See http://wiki.servoy.com/x/SpV7 for a comprehensive overview of running Servoy i.c.w. Java 6 update 19

Paul
pbakker
 
Posts: 2822
Joined: Wed Oct 01, 2003 8:12 pm
Location: Amsterdam, the Netherlands

Re: JAR signing with Servoy >= 5.1.2, 4.1.6, 3.5.11 OR JRE=>6.19

Postby chico » Thu Apr 22, 2010 6:05 am

Hi. I followed all steps in the referenced wiki.

Everything went smoothly, until I went to have the client connect.

I got this error:

Code: Select all
JAR resources in JNLP file are not signed by same certificate

JNLPException[category: Launch File Error : Exception: null : LaunchDesc:
<jnlp spec="1.0+" codebase="http://192.168.1.115:8080/" href="http://192.168.1.115:8080/servoy-client/plugins/pdf_output.jar.jnlp">
  <information>
    <title>Servoy Client Plugins</title>
    <vendor>Servoy and Others</vendor>
    <homepage href="null"/>
    <offline-allowed/>
  </information>
  <security>
    <all-permissions/>
  </security>
  <update check="timeout" policy="always"/>
  <resources>
    <jar href="http://192.168.1.115:8080/plugins/pdf_output.jar" version="1271907936370" part="pdfoutput" download="eager" main="false"/>
    <jar href="http://192.168.1.115:8080/plugins/pdf_output/itext.jar" version="2.0.3" part="itext" download="eager" main="false"/>
    <jar href="http://192.168.1.115:8080/plugins/pdf_output/bcmail-jdk14-135.jar" version="1.35.0" part="bouncycastle" download="eager" main="false"/>
    <jar href="http://192.168.1.115:8080/plugins/pdf_output/bcprov-jdk14-135.jar" version="1.35.0" part="bouncycastle" download="eager" main="false"/>
    <package name="com.lowagie." part="itext" recursive="true"/>
    <package name="org.bouncycastle." part="bouncycastle" recursive="true"/>
  </resources>
  <component-desc/>
</jnlp> ]
   at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(Unknown Source)
   at com.sun.javaws.LaunchDownload.checkSignedResources(Unknown Source)
   at com.sun.javaws.Launcher.prepareLaunchFile(Unknown Source)
   at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
   at com.sun.javaws.Launcher.launch(Unknown Source)
   at com.sun.javaws.Main.launchApp(Unknown Source)
   at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
   at com.sun.javaws.Main$1.run(Unknown Source)
   at java.lang.Thread.run(Unknown Source



I cleared the cache on the client, still same error.

Any ideas on this one?

Client is on Windows XP - Java 1.6.0
Server is Windows 7 running Servoy 4.1.6
--------------------------------------------
Servoy Version: 6.0.3
DB: MySQL 5.1
Win XP/Vista/7 - Java 5u20 / 6u22
OS X - 10.6.5 - Java 5/6 update 3
chico
 
Posts: 271
Joined: Tue Nov 20, 2007 6:34 am

Re: JAR signing with Servoy >= 5.1.2, 4.1.6, 3.5.11 OR JRE=>6.19

Postby Foobrother » Thu Apr 22, 2010 9:52 am

Apparently the jars described in the jnlp are not all signed using the same keystore.
Are you sure all these jar are signed with the same keystore:
  • pdf_output.jar
  • itext.jar
  • bcmail-jdk14-135.jar
  • bcprov-jdk14-135.jar

When you run signtester.jar to detect the ones which are not signed, does it detects all of them or just a few?
Current configuration: Servoy 5.2.6 Build 1011, Java 6u24, PostgreSQL 8.3, Windows Server 2003

Servoy / Java Developer
http://www.assetguardian.com
User avatar
Foobrother
 
Posts: 530
Joined: Tue Jan 13, 2009 5:46 pm

Re: JAR signing with Servoy >= 5.1.2, 4.1.6, 3.5.11 OR JRE=>6.19

Postby jcompagner » Thu Apr 22, 2010 12:14 pm

the problem here is again the version attributes in these:

<jar href="http://192.168.1.115:8080/plugins/pdf_output/itext.jar" version="2.0.3" part="itext" download="eager" main="false"/>
<jar href="http://192.168.1.115:8080/plugins/pdf_output/bcmail-jdk14-135.jar" version="1.35.0" part="bouncycastle" download="eager" main="false"/>
<jar href="http://192.168.1.115:8080/plugins/pdf_output/bcprov-jdk14-135.jar" version="1.35.0" part="bouncycastle" download="eager" main="false"/>

instead of version="1.35.0" make it version="%%version%%"
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8829
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: JAR signing with Servoy >= 5.1.2, 4.1.6, 3.5.11 OR JRE=>6.19

Postby nromeou » Mon Jul 19, 2010 10:40 pm

Hi,
Ive just used the signing tool following the instructions on the wiki, i managed to sign everything. Now after this i installed one of the newely signed jars on the server (where i couldnt install it before because it was unsigned and my app wouldnt work) and the app is downloaded and verified correctly(i dont get any error for unsigned jars), but my client freezes while loading. I tryied it on another pc and it works, i erased the java webstart cache and its still no good.
Im getting this error on the server log:

2010-07-19 17:18 ClientExportNotifyListner[6] ERROR com.servoy.j2db.util.Debug Signalling channel lost when reading pings or client export notifies, removing ports: []
I/O exception, see log for full details: Connection reset

Any idea what could it be? Im using servoy 5.1.2 and JRE 6.20
Thanks.
nromeou
 
Posts: 215
Joined: Fri Sep 18, 2009 8:38 pm
Location: Montevideo, Uruguay

Re: JAR signing with Servoy >= 5.1.2, 4.1.6, 3.5.11 OR JRE=>6.19

Postby jcompagner » Tue Jul 20, 2010 4:20 pm

Do enable the java webstart console for that specific pc.
And do wait at least a few minutes (to see if it really doesnt report a time out error)

This looks more of a connection problem with that specific pc. Is it behind a firewall? or are there virus scannners on that pc that maybe could interfere?
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8829
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: JAR signing with Servoy >= 5.1.2, 4.1.6, 3.5.11 OR JRE=>6.19

Postby nromeou » Tue Jul 20, 2010 8:19 pm

Do enable the java webstart console for that specific pc.

How do i do that?

The thing is that the client worked just fine before i started the procces of signing the jars, i didnt changed any configuration or anything else. Once i finished signing and intalled the plugin on the server it stopped working on this pc
nromeou
 
Posts: 215
Joined: Fri Sep 18, 2009 8:38 pm
Location: Montevideo, Uruguay

Re: JAR signing with Servoy >= 5.1.2, 4.1.6, 3.5.11 OR JRE=>6.19

Postby jcompagner » Wed Jul 21, 2010 9:00 am

singing the jars shouldnt matter at all on the execution (when the client does start up and you see the main window)
If there where stuff related to signing it should have reported it a bit earlier.

In the java preferences (in the control panel of windows) you can enable the java console.
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8829
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: JAR signing with Servoy >= 5.1.2, 4.1.6, 3.5.11 OR JRE=>6.19

Postby nromeou » Fri Jul 23, 2010 9:00 pm

i enabled the console and the only difference is that now i see a security popout saying that java detected application components that may denote security problems, and it asks if i want to prevent their execution but i get no chance to answer since it all freezes, the client, the console and the popout.
nromeou
 
Posts: 215
Joined: Fri Sep 18, 2009 8:38 pm
Location: Montevideo, Uruguay

Re: JAR signing with Servoy >= 5.1.2, 4.1.6, 3.5.11 OR JRE=>6.19

Postby ptalbot » Sun Jul 25, 2010 6:55 am

The dialog has a bug in it that prevents the user from allowing some jars to execute.
What you could do on this client - as a workaround until the next update correct this bug - is to disable the mix-code verification.

Go to the java panel, in the advanced tab, under the security node / mix code, and choose to disable the verification.
Then restart your app, the dialog should not appear again.
Patrick Talbot
Freelance - Open Source - Servoy Valued Professional
https://www.servoyforge.net
Velocity rules! If you don't use it, you don't know what you're missing!
User avatar
ptalbot
 
Posts: 1654
Joined: Wed Mar 11, 2009 5:13 am
Location: Montreal, QC

Re: JAR signing with Servoy >= 5.1.2, 4.1.6, 3.5.11 OR JRE=>6.19

Postby jcompagner » Mon Jul 26, 2010 2:32 pm

the error sounds also a lot that you dont have signed everything..
You have to sign everything also 3th party plugins.
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8829
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: JAR signing with Servoy >= 5.1.2, 4.1.6, 3.5.11 OR JRE=>6.19

Postby nromeou » Tue Jul 27, 2010 7:22 pm

I disabled the verification and it works now, thanks a lot patrick.
Is there any idea of when will this be fixed?

regarding to what u said johan isnt the signtester supposed to check every plugin? (even 3rd party ones?) If i run it, every plugin passes, no one fails to validate. So i dont know what could be the problem
nromeou
 
Posts: 215
Joined: Fri Sep 18, 2009 8:38 pm
Location: Montevideo, Uruguay

Re: JAR signing with Servoy >= 5.1.2, 4.1.6, 3.5.11 OR JRE=>6.19

Postby ptalbot » Tue Jul 27, 2010 7:49 pm

Hum, there's one case where the signtester tool would not operate: if you use the overwrite option to resign ALL the jars, one jar that will never be resigned is the /beans/swingbeans.jar - I have added an explicit test about it in the JarUnsigner class.

FYI, the overwrite options does this:
foreach jar (except swingbeans.jar)
unsign = { unjar, remove all signature files, jar again }
sign using the keystore provided
end

This is because the sign tool was not capable of signing the swingbeans.jar which is empty (apart from the manifest), so I avoid unsigning it because re-signing it will fail. Now what can happen is that if you resign all your jars and you have the swingbeans.jar in the /beans subfolder, you might still have an alert about mix-code because the signature will not be the same (and I believe that Servoy is loading all the beans using one jnlp extension)

Johan, maybe this particular jar could be loaded apart from all the others?
Or do you have a suggestion to sign this one using the signtester tool?
Patrick Talbot
Freelance - Open Source - Servoy Valued Professional
https://www.servoyforge.net
Velocity rules! If you don't use it, you don't know what you're missing!
User avatar
ptalbot
 
Posts: 1654
Joined: Wed Mar 11, 2009 5:13 am
Location: Montreal, QC

Re: JAR signing with Servoy >= 5.1.2, 4.1.6, 3.5.11 OR JRE=>6.19

Postby jcompagner » Tue Jul 27, 2010 11:11 pm

that jar isnt loaded to the client.
Just look at the generated jnlp file, in the later version (released after 6.19) swing beans is not included
That one is only really needed in the developer.

But that mixed mode checking should only happen if there is signed and none signed code, so with a default install and the default java settings do you have the same problem?
Johan Compagner
Servoy
User avatar
jcompagner
 
Posts: 8829
Joined: Tue May 27, 2003 7:26 pm
Location: The Internet

Re: JAR signing with Servoy >= 5.1.2, 4.1.6, 3.5.11 OR JRE=>6.19

Postby hovw » Mon Sep 27, 2010 10:30 pm

I have the same problem, this is a way to unsigning jars

jar xf name.jar -- extract the jar
remove the META DATA.
remove the jar
jar cf name.jar org/ License/ README.TXT

jar xf extract jar
jar cf create jar

after that sign the jar

jarsigner -keystore name.ks -storepass password -keypass password name.jar alias
jarsigner -verify name.jar
OSX 10.9.5 - 10.15.1
hovw
 
Posts: 33
Joined: Wed Nov 04, 2009 10:41 pm

Next

Return to Servoy Server

Who is online

Users browsing this forum: No registered users and 9 guests