Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#11331 closed defect (wontfix)

Generating jar file for tests with Java Web Start

Reported by: wiktorn
Owned by: team
Priority: normal
Milestone:
Component: Core Webstart
Version:
Keywords:
Cc: bastiK

Description (last modified by wiktorn)

To debug #11298 I'd like to check how JOSM behaves when started by Java Web Start:

  1. I create josm-custom.jar using ant dist
  2. I put jnlp (attached) and jar file in c:\josm
  3. When I start jnlp, I get the following exception:
    com.sun.deploy.net.JARSigningException: Found unsigned entry in resource: file:/c|/josm/josm-custom.jar

  4. So I try to sign the jar. First I generate the key for signature (with a little help from http://docs.oracle.com/cd/E19798-01/821-1751/ghlgv/index.html):
    "c:\Program Files\Java\jdk1.7.0_76\bin\keytool.exe" -genkey -alias signature -keyalg RSA -keystore josm.jks

  5. Then I sign the jar using the command:
    "c:\Program Files\Java\jdk1.7.0_76\bin\jarsigner.exe" -keystore josm.jks -verbose josm-custom.jar signature
    (...)

    jar signed.

    Warning:
    The signer certificate will expire within six months.
    No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2015-07-09) or after any future revocation date.

  6. I start Java Web Start again, and then I get "Application blocked by Java Security"
  7. Adding file:/// as exception in Java Configuration Security Panel doesn't help. When I host the jar on remote http:// url, it also doesn't help

Attachments (2)

josm.jnlp (1.0 KB) - added by wiktorn 6 years ago.
JNLP file
apllication blocked.png (30.4 KB) - added by wiktorn 6 years ago.

Change History (8)

Changed 6 years ago by wiktorn

Attachment: josm.jnlp added

JNLP file

Changed 6 years ago by wiktorn

Attachment: apllication blocked.png added

comment:1 Changed 6 years ago by wiktorn

Description: modified (diff)

comment:2 Changed 6 years ago by stoecker

Resolution: wontfix
Status: new → closed

Either you need to import your local key into Java or you need to get an officially accepted signing key. We have one on the server, but that's not freely available, as you can think :-)

Rules got more strict over time, don't know how you can set up local exceptions or if this is possible at all anymore.

comment:3 Changed 6 years ago by stoecker

@bastiK:

As it seems you caused this ticket. If you know how, you probably should document the necessary steps in wiki.

comment:4 Changed 6 years ago by bastiK

I wasn't aware wiktorn is trying to run development builds as webstart. (Thought there are issues with what we ship.)

It would be nice to help Wiktor to investigate this caching issue with webstart as it seems to have rather big implications. Personally, I have little to no experience with jar signing, so if you or Vincent could give some pointers, this would be appreciated.

comment:6 in reply to: 2 Changed 6 years ago by wiktorn

Replying to Don-vip:

Please try https://josm.openstreetmap.de/download/josm-latest-debug.jnlp

Thank you, but I wanted to change a bit of code, to see what difference in behaviour I'll get.

Replying to stoecker:

Either you need to import your local key into Java or you need to get an officially accepted signing key. We have one on the server, but that's not freely available, as you can think :-)

I tried importing my key into cacerts (might be good material for wiki entry):

  1. Export the key:
    "c:\Program Files\Java\jre8\bin\keytool.exe" -exportcert -keystore josm.jks -file sign.crt -alias signature

  2. Import the key into cacerts of default JRE (needs to have Admin/root rights):
    "c:\Program Files\Java\jre8\bin\keytool.exe" -importcert -keystore "c:\Program Files\java\jre8\lib\security\cacerts" -file sign.crt -trustcacerts -storepass changeit

(changeit is default store password for Java)

But still - I get an exception that jar is not secured.

Though jarsigner also complains, even if I use local keystore:

    C:\josm>"c:\Program Files\Java\jdk1.7.0_76\bin\jarsigner.exe" -verify josm-custom.jar -certs josm.jks
    jar verified.

    Warning:
    This jar contains entries whose certificate chain is not validated.
    This jar contains signed entries which are not signed by the specified alias(es).
    This jar contains entries whose signer certificate will expire within six months.
    This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2015-07-09) or after any future revocation date.

    Re-run with the -verbose and -certs options for more details.

So this might be a clue, how to proceed with that further.
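
What the "Found unsigned entry in resource" exception in the description refers to, as an added example that is not part of the ticket or of JOSM's code: a structural check that lists the jar entries no META-INF/*.SF signature file covers with a digest. It does not validate the signature or the certificate chain, which is the part jarsigner -verify and Web Start complain about after signing. The sample jar, its entry names and the digest value are constructed.

```python
import io
import zipfile

def parse_sections(text):
    """Map each 'Name:' section of a manifest-format file to its attributes."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]      # continuation of a wrapped line
        else:
            lines.append(raw)
    sections, current = {}, None
    for line in lines:
        key, _, value = line.partition(": ")
        if not line:
            current = None            # a blank line ends the section
        elif key == "Name":
            current = sections.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return sections

def is_signature_file(name):
    """True for META-INF/MANIFEST.MF and signature files, which are never signed."""
    head, _, base = name.upper().rpartition("/")
    return head == "META-INF" and (base == "MANIFEST.MF" or base.startswith("SIG-")
                                   or base.endswith((".SF", ".RSA", ".DSA", ".EC")))

def unsigned_entries(jar_bytes):
    """Return file entries that no META-INF/*.SF file lists with a digest."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names, covered = jar.namelist(), set()
        for name in names:
            if is_signature_file(name) and name.upper().endswith(".SF"):
                sections = parse_sections(jar.read(name).decode("utf-8"))
                covered.update(entry for entry, attrs in sections.items()
                               if any(key.endswith("-Digest") for key in attrs))
    return sorted(n for n in names
                  if not n.endswith("/") and not is_signature_file(n) and n not in covered)

def build_sample_jar():
    """Constructed sample: one entry listed in the .SF file, one added after signing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/SAMPLE.SF", "Signature-Version: 1.0\r\n\r\n"
                     "Name: org/example/Sig\r\n ned.class\r\nSHA-256-Digest: AAAA\r\n\r\n")
        for name in ("org/example/Signed.class", "org/example/Added.class"):
            jar.writestr(name, b"constructed")
    return buf.getvalue()
```

Calling `unsigned_entries(build_sample_jar())` reports only `org/example/Added.class`; a jar that was never signed, like the first josm-custom.jar in the description, would have every file entry reported.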
