Maven NetBeans Module Plugin

Signing of already signed jars for Java Webstart application

Details

  • Type: Improvement
  • Status: Closed
  • Priority: Major
  • Resolution: Won't Fix
  • Affects Version/s: 3.0
  • Fix Version/s: None
  • Component/s: None
  • Labels: None
  • Environment: All
  • Number of attachments: 0

Description

For releasing webstart applications it is crucial to have all included jars signed with one certificate of the releasing company. If these jars are not signed with one unified certificate, the Java Webstart system asks for each unsigned jar (or jar with another signature) whether the user agrees and grants access to the system.

For this case, we need to sign all jars included in the package with one certificate. As we looked into the source code of this plugin, one part of the signing is in org.netbeans.nbbuild.MakeJNLP#signOrCopy(from, to), another in CreateWebstartAppMojo (for jnlp-launcher.jar and branding jars). As all of these use the Ant SignJar task, we submitted an issue with a patch allowing us to force signing of jars (see https://issues.apache.org/bugzilla/show_bug.cgi?id=46891). But we are not sure if this will be accepted, because resolving issues in Ant is really slow.

Another solution is usage of the Maven Jar Plugin. But this plugin refuses to sign an already signed jar. In this case, we must submit a patch allowing us to force signing of already signed jars. But there is a problem with the MakeJNLP task. Using this solution, we must disable signing of jars in MakeJNLP and sign jars programmatically using JarSignMojo from the Maven Jar Plugin.

We can see that the first solution with modification of the SignJar task is more complex, as it solves problems with signing in both the MakeJNLP task and CreateWebstartAppMojo, but we can expect a long delay before the patch is accepted (or worse, rejected). The other solution is not so conceptual, but maybe clearer.

As a last resort, we can also contribute the modified JarSignMojo class from the Maven Jar Plugin that was used in our corporate modified Maven NBM plugin 2.7 for creating the webstart application. This must also be used programmatically, as the previous solution directly using the Maven Jar Plugin.

Activity

Pavel Jisl added a comment - edited

Yesterday we received information that our issue in Apache Ant (https://issues.apache.org/bugzilla/show_bug.cgi?id=46891) for signing of already signed jars was resolved with status fixed. It will be available in Apache Ant version 1.8.0. But there is no release plan yet and this version will be available in a few months.

When the new version of Ant is available, solving this issue will be easy in both NetBeans' MakeJNLP and this plugin.

Milos Kleint added a comment -

A temporary solution for the time being could be to identify the jars that are signed, create unsigned copies and place them in a repository manager of yours. Just an idea, I didn't try it myself.

Benjamin Bentmann added a comment -

The new maven-jarsigner-plugin now supports a parameter removeExistingSignatures to unsign JARs before re-signing.

Jesse Glick added a comment -

Currently MakeJNLP does not pass force="true" to SignJar, so a fix would need to wait until the next NB release when a new version of the harness can be bundled.

But I am not convinced that is the correct fix anyway. If some incoming JARs already have signatures, it is generally preferable to leave that signature alone. The user must accept that certificate authority if they have not done so already, but as for the main publisher of the app, this is a one-off acceptance (and can be reused for other components). And this is what the harness already does: MakeJNLP checks for extension JARs which are already signed, and copies them unmodified to the output, with a separate *.jnlp file.

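Two things the thread keeps returning to are the check MakeJNLP performs (is this extension JAR already signed?) and the workaround of producing unsigned copies that can then be signed once with the company certificate. The following is an added example in Python, not code from the issue, the Maven NBM plugin or the NetBeans harness; the JAR layout and the signer alias VENDOR are constructed for the demonstration.

```python
import io
import re
import zipfile

# Files a jarsigner writes into META-INF: the signature file (*.SF) and the
# signature block (*.RSA, *.DSA or *.EC). Their presence marks a signed JAR.
SIG_ENTRY = re.compile(r"^META-INF/[^/]+\.(SF|RSA|DSA|EC)$", re.IGNORECASE)

def entry_names(jar_bytes: bytes) -> list[str]:
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()

def signature_entries(jar_bytes: bytes) -> list[str]:
    """Signature-related entries in the JAR; empty for an unsigned JAR."""
    return sorted(n for n in entry_names(jar_bytes) if SIG_ENTRY.match(n))

def is_signed(jar_bytes: bytes) -> bool:
    return bool(signature_entries(jar_bytes))

def strip_manifest_digests(manifest: bytes) -> bytes:
    """Keep only the main section of MANIFEST.MF; per-entry digest sections
    added at signing time follow the first blank line."""
    main, _sep, _rest = manifest.replace(b"\r\n", b"\n").partition(b"\n\n")
    return main + b"\n"

def unsigned_copy(jar_bytes: bytes) -> bytes:
    """Copy of the JAR without signature entries or per-entry digests."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if SIG_ENTRY.match(info.filename):
                continue
            data = src.read(info.filename)
            if info.filename == "META-INF/MANIFEST.MF":
                data = strip_manifest_digests(data)
            dst.writestr(info.filename, data)
    return out.getvalue()

def build_sample_jar() -> bytes:
    """Constructed sample JAR laid out as if signed under the alias VENDOR."""
    manifest = (b"Manifest-Version: 1.0\nCreated-By: example\n\n"
                b"Name: com/example/Main.class\nSHA-256-Digest: AAAA\n\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/VENDOR.SF", b"Signature-Version: 1.0\n")
        zf.writestr("META-INF/VENDOR.RSA", b"<constructed signature block>")
        zf.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Running `is_signed` over the extension JARs before packaging reproduces the decision MakeJNLP makes between signing and copying; `unsigned_copy` is the manual equivalent of what removeExistingSignatures does ahead of re-signing.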
