Opened 8 years ago

Closed 8 years ago

Last modified 19 months ago

#9204 closed enhancement (fixed)

Security warning when starting JOSM with Java 7u45/Webstart

Reported by: gwgwgwgw@…
Owned by: team
Priority: normal
Milestone: 13.12
Component: Core Webstart
Version: tested
Keywords: Security warning java7 webstart
Cc: stoecker, blackadder

Description (last modified by Don-vip)

For a few weeks I have been getting a security warning when starting JOSM on this computer. Have a look at the screenshots (if attaching them works). The language of the screenshots is German because of my system.
It seems that JOSM needs an update in the JAR manifest / certificate.

my system:
OS: Win7 professional 64bit german
JRE: 1.7.0.45
JOSM: 6238 (installed and webstart)

What is the expected result?
starting without security warning (from windows?) as usual

What happens instead?
I always have to accept a security warning:


No problem on another computer with XP instead of Win7 64bit but the same JRE and JOSM versions.

Please provide any additional information below. Attach a screenshot if
possible.

How can I attach an image?
Please tell me a way to upload the 3 png files (each ~50kb).



Repository Root: http://josm.openstreetmap.de/svn
Build-Date: 2013-09-20 01:34:27
Last Changed Author: Don-vip
Revision: 6238
Repository UUID: 0c6e7542-c601-0410-84e7-c038aed88b3b
URL: http://josm.openstreetmap.de/svn/trunk
Last Changed Date: 2013-09-20 00:19:19 +0200 (Fri, 20 Sep 2013)
Last Changed Rev: 6238

Identification: JOSM/1.5 (6238 de) Windows 7 64-Bit
Memory Usage: 116 MB / 247 MB (23 MB allocated, but free)
Java version: 1.7.0_45, Oracle Corporation, Java HotSpot(TM) Client VM
VM arguments: [-Djava.security.policy=file:C:\Program Files (x86)\Java\jre7\lib\security\javaws.policy, -DtrustProxy=true, -Xverify:remote, -Djnlpx.home=C:\Program Files (x86)\Java\jre7\bin, -Djnlpx.origFilenameArg=C:\Users\katharina\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\73111055-443c2a1e, -Djnlpx.remove=false, -Dsun.awt.warmup=true, -Xbootclasspath/a:C:\Program Files (x86)\Java\jre7\lib\javaws.jar;C:\Program Files (x86)\Java\jre7\lib\deploy.jar;C:\Program Files (x86)\Java\jre7\lib\plugin.jar, -Djava.util.Arrays.useLegacyMergeSort=true, -Djnlpx.splashport=49163, -Djnlp.application.href=http://josm.openstreetmap.de/download/josm.jnlp, -Djnlpx.jvm=C:\Program Files (x86)\Java\jre7\bin\javaw.exe, -Djnlpx.vmargs=-Djava.util.Arrays.useLegacyMergeSort=true -Djnlp.application.href=http://josm.openstreetmap.de/download/josm.jnlp]
Dataset consistency test: No problems found

Plugin: FixAddresses (29854)
Plugin: HouseNumberTaggingTool (29854)
Plugin: ImportImagePlugin (29854)
Plugin: PicLayer (29854)
Plugin: RoadSigns (29854)
Plugin: buildings_tools (29854)
Plugin: continuosDownload (28565)
Plugin: geotools (29767)
Plugin: jts (29854)
Plugin: log4j (29853)
Plugin: public_transport (29862)
Plugin: terracer (29854)
Plugin: utilsplugin2 (29854)

Attachments (3)

JOSM_SecurityWwarning.png (159.0 KB) - added by gwgwgwgw@… 8 years ago.
javaWarning.png (32.4 KB) - added by Don-vip 8 years ago.
JavaWarnings.zip (85.8 KB) - added by jfd553 8 years ago.
Messages for version 6383

Change History (40)

Changed 8 years ago by gwgwgwgw@…

Attachment: JOSM_SecurityWwarning.png added

comment:1 Changed 8 years ago by bastiK

The warning message says:

This application will be blocked by a future Java security update because the Manifest file is missing the attribute "Permissions"

Java doc on the permissions attribute: http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/manifest.html#permissions.
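
An added example (not JOSM's code and not part of the original ticket): a Python check that a JAR's manifest carries the Permissions, Codebase and Application-Name attributes that the fix later in this ticket adds. The helper names and the in-memory sample JARs are constructed for illustration.

```python
import io
import zipfile

REQUIRED = ("Permissions", "Codebase", "Application-Name")  # added by the ticket's fix
PERMISSION_VALUES = {"sandbox", "all-permissions"}           # values Java accepts

def parse_main_section(manifest_bytes):
    """Return the manifest's main-section attributes, keyed by lower-cased name."""
    text = manifest_bytes.decode("utf-8").replace("\r\n", "\n").replace("\r", "\n")
    attrs, last = {}, None
    for line in text.split("\n"):
        if not line:                       # a blank line ends the main section
            break
        if line.startswith(" ") and last:  # continuation of a wrapped (>72 byte) line
            attrs[last] += line[1:]
            continue
        name, sep, value = line.partition(": ")
        if not sep:
            raise ValueError("malformed manifest line: %r" % line)
        last = name.lower()                # attribute names are case-insensitive
        attrs[last] = value
    return attrs

def audit_jar(jar_bytes, expected_host):
    """Return a list of findings; an empty list means the attributes are in place."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if "META-INF/MANIFEST.MF" not in jar.namelist():
            return ["no META-INF/MANIFEST.MF in archive"]
        attrs = parse_main_section(jar.read("META-INF/MANIFEST.MF"))
    findings = ["missing attribute: " + n for n in REQUIRED if n.lower() not in attrs]
    perm = attrs.get("permissions")
    if perm is not None and perm not in PERMISSION_VALUES:
        findings.append("invalid Permissions value: " + perm)
    if expected_host not in attrs.get("codebase", expected_host).split():
        findings.append("Codebase does not list " + expected_host)
    return findings

def make_jar(manifest_text):  # in-memory JAR holding only the given manifest
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()

# Constructed samples: the manifest text before and after the fix in this ticket.
OLD_JAR = make_jar("Manifest-Version: 1.0\r\nMain-class: JOSM\r\n\r\n")
NEW_JAR = make_jar("Manifest-Version: 1.0\r\nMain-class: JOSM\r\nPermissions: all-permissions\r\n"
                   "Codebase: josm.openstreetmap.de\r\nApplication-Name: JOSM - Java OpenStreetMap Editor\r\n\r\n")

if __name__ == "__main__":
    print(audit_jar(OLD_JAR, "josm.openstreetmap.de"), audit_jar(NEW_JAR, "josm.openstreetmap.de"))
```

Run against a real build by passing the bytes of the downloaded JAR to `audit_jar`; this checks only the manifest attributes, not the code signature.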

comment:2 Changed 8 years ago by andre-r@…

I get the same message on Windows 8. In a second message, it says that the execution of unsigned applications is going to be blocked in further releases of Java.

comment:3 Changed 8 years ago by anonymous

Same for me ...

This application will be blocked by a future Java security update ...
3 days ago

win7 ultimate 64bits English

comment:4 Changed 8 years ago by jfd553

Priority: normal → blocker

comment:5 Changed 8 years ago by Don-vip

Cc: stoecker added
Keywords: java7 webstart added
Priority: blocker → normal
Summary: Security warning when starting JOSM (Win7) → Security warning when starting JOSM with Java 7u45/Webstart

I have added new attributes in manifest for r6341, let us know if it helps (at least the warning should change).
I'm afraid we'll need a real code signing certificate if we still want to support webstart after 7u51:
https://blogs.oracle.com/java-platform-group/entry/new_security_requirements_for_rias

I've found this, it looks like both free and real:
http://www.certum.eu/certum/cert,offer_en_open_source_cs.xml

Dirk, have you ever heard of them? Do you think we could try if the certificate becomes mandatory?

@jfd553: it's no blocker, you can launch JOSM using "java -jar" and you won't have this warning.

Changed 8 years ago by Don-vip

Attachment: javaWarning.png added

comment:6 Changed 8 years ago by Don-vip

Description: modified

comment:7 in reply to:  5 ; Changed 8 years ago by stoecker

I've found this, it looks like both free and real:
http://www.certum.eu/certum/cert,offer_en_open_source_cs.xml

No never heard of them. Does java support that cert?

comment:8 in reply to:  7 Changed 8 years ago by Don-vip

Replying to stoecker:

http://www.certum.eu/certum/cert,offer_en_open_source_cs.xml

No never heard of them. Does java support that cert?

It looks like it. I ran this code with 7u45 to obtain a list of trusted root authorities and got this in the results:

[
  Version: V3
  Subject: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 26092744893411540388438317258341764160018905418774192180361461402945546492948707583714589643328769201904393155780780994321263445492286739050571046485047278224445730006816866350865636157973240396103538865047004997375896846207485818339462748730314324589139001903248420313799088808471167487731903012520818711756111207758440443129213519902224648472814590380826431404715193981495090912212342166176050874035867029053010849803652788304723583414506196102074627643767089334581132335668088700274940771211992108882547541577021918090560727342061536913921276408306839845336869617091852813282878090469195767832490704730892569091417
  public exponent: 65537
  Validity: [From: Tue Jun 11 12:46:39 CEST 2002,
               To: Fri Jun 11 12:46:39 CEST 2027]
  Issuer: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
  SerialNumber: [    010020]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

]
[
  Version: V3
  Subject: CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 28780109950673490306254008520204328276680352304439383733735743653646462886506779083416524709916492749727869755468102450312098964017512856684305239866883049173220526992268950171625448530014452579846861673872207817347799260697772899880047206334413446182341903863501835238150844425874207516649188630542180337896204970471783517680273145766364938733181828665205191659435524399874879953552221922241010719973897128144528139240504715660114782516261458207042723887562666304410864358682788652258719904961938284047727152397901800954435650268133633186714947372368516756190094396589909452932697654171757755829242208386287760177481
  public exponent: 65537
  Validity: [From: Wed Oct 22 14:07:37 CEST 2008,
               To: Mon Dec 31 13:07:37 CET 2029]
  Issuer: CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
  SerialNumber: [    0444c0]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[2]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 08 76 CD CB 07 FF 24 F6   C5 CD ED BB 90 BC E2 84  .v....$.........
0010: 37 46 75 F7                                        7Fu.
]
]

]

comment:9 Changed 8 years ago by Don-vip

Ticket #9249 has been marked as a duplicate of this ticket.

comment:10 Changed 8 years ago by Don-vip

Cc: blackadder added

comment:11 Changed 8 years ago by anonymous

No change till now (r6370). I get the same warning with the latest java and josm.
Holger

comment:12 Changed 8 years ago by Don-vip

Even the yellow message has not changed? I expected it to report a missing certificate and not missing permissions.

comment:13 Changed 8 years ago by Don-vip

Mmmm yes, the manifest used in signed jars does not contain the changes I introduced in r6341 :(

EDIT: ok understood, Makefile updated:

Index: Makefile
===================================================================
--- Makefile    (revision 51)
+++ Makefile    (working copy)
@@ -75,7 +75,7 @@
        grep ^Revision\: ${SOURCE}/REVISION | cut -f 2 -d " " > ${TMPDIR}/revision

 ${TARGET}/META-INF/MANIFEST.MF: ${TARGET}/META-INF
-       /bin/echo -e "Manifest-Version: 1.0\r\nMain-class: JOSM\r\n\r" > ${TARGET}/META-INF/MANIFEST.MF
+       /bin/echo -e "Manifest-Version: 1.0\r\nMain-class: JOSM\r\nPermissions: all-permissions\r\nCodebase: josm.openstreetmap.de\r\nApplication-Name: JOSM - Java OpenStreetMap Editor\r\n\r" > ${TARGET}/META-INF/MANIFEST.MF

 ${TARGET}/REVISION: ${TARGET} ${SOURCE} ${SOURCE}/REVISION
        cp ${SOURCE}/REVISION $@
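
Review bot: the attribute list on the `+` line now exists in two places, this Makefile and the manifest changed in r6341, and the signed jars already missed the r6341 change once because of that; generating MANIFEST.MF from one shared template (or at least passing one attribute per `printf` argument instead of a single `/bin/echo -e` string) would keep them in sync. A short comment explaining why `Permissions: all-permissions` rather than `sandbox` is requested, and that `Codebase: josm.openstreetmap.de` limits the signed jar to that host, would also help whoever edits this line next.
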
Last edited 8 years ago by Don-vip

comment:14 Changed 8 years ago by Don-vip

I think the warning is gone now with the new latest, can someone confirm?

We still need a real code signing certificate for upcoming 7u51:

RIAs must contain (...):

  1. Code signatures from a trusted authority. All code for Applets and Web Start applications must be signed (...)

comment:15 Changed 8 years ago by mani100

I get the same warning. Since three weeks, also today (PC-Start JOSM 6383 JAVA 1.7.0_45)

comment:16 Changed 8 years ago by heini24680@…

Me too. Before (6238) and after updating to 6383 today.

comment:17 Changed 8 years ago by Don-vip

Is it the exact same warning, with the mention of missing permissions? It should not be the case anymore. Please attach a screenshot of the actual warning you get with 6383.

Changed 8 years ago by jfd553

Attachment: JavaWarnings.zip added

Messages for version 6383

comment:18 Changed 8 years ago by jfd553

Last attachment concerns the latest JOSM version (6383) and provides the following

  • Main warning message (javaWarning.png)
  • Usual explanation about run/cancel meanings (MoreInformation.png)
  • Provided certificate details (CertificateDetails.png)

Hope it helps
Daniel

comment:19 Changed 8 years ago by Don-vip

OK so we made some progress, the manifest is fine :) The tricky part now is how to get a free certificate. Dirk, do you think we can request one at Certum?

comment:20 in reply to:  19 Changed 8 years ago by stoecker

Replying to Don-vip:

OK so we made some progress, the manifest is fine :) The tricky part now is how to get a free certificate. Dirk, do you think we can request one at Certum?

Try yourself. Should be a java code signing and website certificate. If we have it, installation is easy. I tried the website but was confused after a while.

comment:21 Changed 8 years ago by Don-vip

I'm afraid the free certificate only concerns the code signing, not the website.

comment:22 Changed 8 years ago by pieren

Not sure, but this might be related to an older, similar issue for OS-X, no? See #7904

comment:23 Changed 8 years ago by Don-vip

Almost:

  • Java 7 and 8 will now require a real signed certificate for Webstart, all platforms
  • Apple Gatekeeper requires a real certificate... issued by Apple itself for someone having an Apple developer ID, which costs the sum of $99/year, and there's no way we give a hundred bucks to Apple each year.

So this will not change the situation for OSX users but we want to prevent the majority of our users (Windows/Linux) from seeing the same thing happening.

FYI the latest stats are:

  • Java Main Version --> 6 (1648, 20.5%) 7 (6391, 79.3%) 8 (16, 0.2%)
  • OS: FreeBSD (5, 0.1%) Linux (1554, 22.4%) Mac (420, 6.1%) OpenBSD (5, 0.1%) SunOS (4, 0.1%) Windows (4937, 71.3%)

comment:24 in reply to:  21 Changed 8 years ago by stoecker

Replying to Don-vip:

I'm afraid the free certificate only concerns the code signing, not the website.

Not nice, but better than nothing. Did you try to get one?

comment:25 Changed 8 years ago by Don-vip

Not really, there are several steps where you have to choose incompatible options between those. I am currently near the end of the validation process :)

comment:26 Changed 8 years ago by Don-vip

Resolution: fixed
Status: new → closed

Not so easy, but it's finally fixed!

This answer on StackOverflow helped me a lot: http://stackoverflow.com/a/19502802/2257172

Versions built from r6442 now have a proper certificate, the warning is gone.

comment:27 Changed 8 years ago by bastiK

Great! (Sounds complicated...)

comment:28 in reply to:  26 Changed 8 years ago by stoecker

Not so easy, but it's finally fixed!

For one year...

comment:29 Changed 8 years ago by Don-vip

As far as I understand I need to refresh the certificate each year, yes. It should remain free, answer next year :)

comment:30 Changed 8 years ago by Don-vip

Or maybe we can try to timestamp it

comment:31 in reply to:  30 ; Changed 8 years ago by stoecker

Replying to Don-vip:

Or maybe we can try to timestamp it

?

comment:32 in reply to:  31 Changed 8 years ago by Don-vip

Replying to stoecker:

?

See https://blogs.oracle.com/java-platform-group/entry/signing_code_for_the_long

Certum provides a timestamp authority but I don't know if we can use it with a free certificate. I'll try.

EDIT: It seems to work! Versions built from r6444 should be timestamped. Answer next year :)

Last edited 8 years ago by Don-vip

comment:33 Changed 8 years ago by Don-vip

Confirmed, jar is correctly timestamped according to this blog post from Oracle:

$ jarsigner -verify -verbose -certs josm-snapshot-6456.jar | grep "was signed" | sort -u
      [entry was signed on 12/8/13 3:35 AM]

It should then be accepted after the end of the certificate :)

comment:34 Changed 8 years ago by Don-vip

Milestone: 13.12 (6502)

comment:35 Changed 8 years ago by Don-vip

7u51 has been released.

No warning with this version, the implementation is definitively correct :)

comment:36 Changed 4 years ago by stoecker

Milestone: 13.12 (6502) → 13.12

Milestone renamed

comment:37 Changed 19 months ago by Don-vip

Component: Core → Core Webstart
