Opened 11 years ago

Closed 10 years ago

Last modified 4 years ago

#9204 closed enhancement (fixed)

Security warning when starting JOSM with Java 7u45/Webstart

Reported by: gwgwgwgw@… Owned by: team
Priority: normal Milestone: 13.12
Component: Core Webstart Version: tested
Keywords: Security warning java7 webstart Cc: stoecker, blackadder

Description (last modified by Don-vip)

For a few weeks I have been getting a security warning when starting JOSM on this computer. Have a look at the screenshots (if it works to append them). The language of the screenshots is German because of my system.
It seems that JOSM needs an update in the JAR manifest / certificate.

My system:
OS: Win7 Professional 64bit German
JRE: 1.7.0.45
JOSM: 6238 (installed and webstart)

What is the expected result?
Starting without a security warning (from Windows?) as usual.

What happens instead?
I always must accept a security warning:


No problem on another computer with XP instead of Win7 64bit, but the same JRE and JOSM versions.

Please provide any additional information below. Attach a screenshot if
possible.

How can I append an image???
Please tell me a way to upload the 3 png files (each ~50kb).



Repository Root: http://josm.openstreetmap.de/svn
Build-Date: 2013-09-20 01:34:27
Last Changed Author: Don-vip
Revision: 6238
Repository UUID: 0c6e7542-c601-0410-84e7-c038aed88b3b
URL: http://josm.openstreetmap.de/svn/trunk
Last Changed Date: 2013-09-20 00:19:19 +0200 (Fri, 20 Sep 2013)
Last Changed Rev: 6238

Identification: JOSM/1.5 (6238 de) Windows 7 64-Bit
Memory Usage: 116 MB / 247 MB (23 MB allocated, but free)
Java version: 1.7.0_45, Oracle Corporation, Java HotSpot(TM) Client VM
VM arguments: [-Djava.security.policy=file:C:\Program Files (x86)\Java\jre7\lib\security\javaws.policy, -DtrustProxy=true, -Xverify:remote, -Djnlpx.home=C:\Program Files (x86)\Java\jre7\bin, -Djnlpx.origFilenameArg=C:\Users\katharina\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\21\73111055-443c2a1e, -Djnlpx.remove=false, -Dsun.awt.warmup=true, -Xbootclasspath/a:C:\Program Files (x86)\Java\jre7\lib\javaws.jar;C:\Program Files (x86)\Java\jre7\lib\deploy.jar;C:\Program Files (x86)\Java\jre7\lib\plugin.jar, -Djava.util.Arrays.useLegacyMergeSort=true, -Djnlpx.splashport=49163, -Djnlp.application.href=http://josm.openstreetmap.de/download/josm.jnlp, -Djnlpx.jvm=C:\Program Files (x86)\Java\jre7\bin\javaw.exe, -Djnlpx.vmargs=-Djava.util.Arrays.useLegacyMergeSort=true -Djnlp.application.href=http://josm.openstreetmap.de/download/josm.jnlp]
Dataset consistency test: No problems found

Plugin: FixAddresses (29854)
Plugin: HouseNumberTaggingTool (29854)
Plugin: ImportImagePlugin (29854)
Plugin: PicLayer (29854)
Plugin: RoadSigns (29854)
Plugin: buildings_tools (29854)
Plugin: continuosDownload (28565)
Plugin: geotools (29767)
Plugin: jts (29854)
Plugin: log4j (29853)
Plugin: public_transport (29862)
Plugin: terracer (29854)
Plugin: utilsplugin2 (29854)

Attachments (3)

JOSM_SecurityWwarning.png (159.0 KB ) - added by gwgwgwgw@… 11 years ago.
javaWarning.png (32.4 KB ) - added by Don-vip 10 years ago.
JavaWarnings.zip (85.8 KB ) - added by jfd553 10 years ago.
Messages for version 6383

Change History (40)

by gwgwgwgw@…, 11 years ago

Attachment: JOSM_SecurityWwarning.png added

comment:1 by bastiK, 11 years ago

The warning message says:

This application will be blocked by a future Java security update because the Manifest file is missing the attribute "Permissions"

Java doc on the permissions attribute: http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/manifest.html#permissions.

comment:2 by andre-r@…, 11 years ago

I get the same message on Windows 8. In a second message, it says that the execution of unsigned application is going to be blocked in further releases of Java.

comment:3 by anonymous, 10 years ago

Same for me ...

This application will be blocked by a future Java security update ...
3 days ago

win7 ultimate 64bits English

comment:4 by jfd553, 10 years ago

Priority: normal → blocker

comment:5 by Don-vip, 10 years ago

Cc: stoecker added
Keywords: java7 webstart added
Priority: blocker → normal
Summary: Security warning when starting JOSM (Win7) → Security warning when starting JOSM with Java 7u45/Webstart

I have added new attributes in manifest for r6341, let us know if it helps (at least the warning should change).
I'm afraid we'll need a real code signing certificate if we still want to support webstart after 7u51:
https://blogs.oracle.com/java-platform-group/entry/new_security_requirements_for_rias

I've found this, it looks like both free and real:
http://www.certum.eu/certum/cert,offer_en_open_source_cs.xml

Dirk, have you ever heard of them? Do you think we could try if the certificate becomes mandatory?

@jfd553: it's no blocker: you can launch JOSM using "java -jar" and you won't have this warning.

by Don-vip, 10 years ago

Attachment: javaWarning.png added

comment:6 by Don-vip, 10 years ago

Description: modified (diff)

in reply to: 5; comment:7 by stoecker, 10 years ago

I've found this, it looks like both free and real:
http://www.certum.eu/certum/cert,offer_en_open_source_cs.xml

No, never heard of them. Does Java support that cert?

in reply to: 7; comment:8 by Don-vip, 10 years ago

Replying to stoecker:

http://www.certum.eu/certum/cert,offer_en_open_source_cs.xml

No, never heard of them. Does Java support that cert?

It looks like it. I ran this code with 7u45 to obtain a list of trusted root authorities and got this in the results:

[
  Version: V3
  Subject: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 26092744893411540388438317258341764160018905418774192180361461402945546492948707583714589643328769201904393155780780994321263445492286739050571046485047278224445730006816866350865636157973240396103538865047004997375896846207485818339462748730314324589139001903248420313799088808471167487731903012520818711756111207758440443129213519902224648472814590380826431404715193981495090912212342166176050874035867029053010849803652788304723583414506196102074627643767089334581132335668088700274940771211992108882547541577021918090560727342061536913921276408306839845336869617091852813282878090469195767832490704730892569091417
  public exponent: 65537
  Validity: [From: Tue Jun 11 12:46:39 CEST 2002,
               To: Fri Jun 11 12:46:39 CEST 2027]
  Issuer: CN=Certum CA, O=Unizeto Sp. z o.o., C=PL
  SerialNumber: [    010020]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

]
[
  Version: V3
  Subject: CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  Sun RSA public key, 2048 bits
  modulus: 28780109950673490306254008520204328276680352304439383733735743653646462886506779083416524709916492749727869755468102450312098964017512856684305239866883049173220526992268950171625448530014452579846861673872207817347799260697772899880047206334413446182341903863501835238150844425874207516649188630542180337896204970471783517680273145766364938733181828665205191659435524399874879953552221922241010719973897128144528139240504715660114782516261458207042723887562666304410864358682788652258719904961938284047727152397901800954435650268133633186714947372368516756190094396589909452932697654171757755829242208386287760177481
  public exponent: 65537
  Validity: [From: Wed Oct 22 14:07:37 CEST 2008,
               To: Mon Dec 31 13:07:37 CET 2029]
  Issuer: CN=Certum Trusted Network CA, OU=Certum Certification Authority, O=Unizeto Technologies S.A., C=PL
  SerialNumber: [    0444c0]

Certificate Extensions: 3
[1]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

[2]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 08 76 CD CB 07 FF 24 F6   C5 CD ED BB 90 BC E2 84  .v....$.........
0010: 37 46 75 F7                                        7Fu.
]
]

]
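The code Don-vip ran to obtain that list is not on this ticket. The following is an added example (not JOSM's code and not the snippet from the comment) that produces the same kind of check on any JRE: it asks the default `TrustManagerFactory` for its accepted issuers, which come from the JRE's `cacerts` truststore (or `javax.net.ssl.trustStore` if that property is set), and filters them by a substring of the subject DN. The class name `ListTrustedRoots` and the `Certum` filter are assumptions for illustration. A CA that does not appear here cannot be used to validate signed code on that JRE without the user importing it, which is the question comment 7 asks.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Lists the root CAs the running JRE trusts by default, optionally filtered by a substring of the subject DN. */
public class ListTrustedRoots {

    /** Returns the roots accepted by the JRE's default X509TrustManager (cacerts unless javax.net.ssl.trustStore is set). */
    public static X509Certificate[] defaultTrustedRoots() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null keystore = use the JRE's default truststore
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical usage: java ListTrustedRoots Certum
        String filter = args.length > 0 ? args[0] : "";
        int shown = 0;
        for (X509Certificate cert : defaultTrustedRoots()) {
            String subject = cert.getSubjectX500Principal().getName(); // RFC 2253 form, e.g. "CN=Certum CA,O=...,C=PL"
            if (!subject.contains(filter)) {
                continue;
            }
            shown++;
            String issuer = cert.getIssuerX500Principal().getName();
            System.out.println("Subject:     " + subject);
            System.out.println("Issuer:      " + issuer);
            System.out.println("Self-signed: " + subject.equals(issuer));
            System.out.println("Valid to:    " + cert.getNotAfter());
            System.out.println("Sig alg:     " + cert.getSigAlgName());
            System.out.println("Serial:      " + cert.getSerialNumber().toString(16));
            System.out.println();
        }
        System.out.println(shown + " trusted root(s) matching \"" + filter + "\" on Java "
                + System.getProperty("java.version"));
    }
}
```

Running it against the 7u45 JRE of the ticket should list the two Certum roots quoted above (serials 010020 and 0444c0); on a newer JRE the set differs, which is why the check is worth repeating on the Java version the users actually run rather than on the developer's machine.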

comment:9 by Don-vip, 10 years ago

Ticket #9249 has been marked as a duplicate of this ticket.

comment:10 by Don-vip, 10 years ago

Cc: blackadder added

comment:11 by anonymous, 10 years ago

No change till now (r6370). I get the same warning with the latest java and josm.
Holger

comment:12 by Don-vip, 10 years ago

Even the yellow message has not changed? I expected it to report a missing certificate and not missing permissions.

comment:13 by Don-vip, 10 years ago

Mmmm yes, the manifest used in signed jars does not contain the changes I introduced in r6341 :(

Version 0, edited 10 years ago by Don-vip (next)

comment:14 by Don-vip, 10 years ago

I think the warning is gone now with the new latest, can someone confirm?

We still need a real code signing certificate for upcoming 7u51:

RIAs must contain (...):

  1. Code signatures from a trusted authority. All code for Applets and Web Start applications must be signed (...)

comment:15 by mani100, 10 years ago

I get the same warning. For three weeks, also today (PC-Start JOSM 6383 JAVA 1.7.0_45).

comment:16 by heini24680@…, 10 years ago

Me too. Before (6238) and after updating to 6383 today.

comment:17 by Don-vip, 10 years ago

Is it the exact same warning, with the mention of missing permissions? It should not be the case anymore. Please attach a screenshot of the actual warning you get with 6383.

by jfd553, 10 years ago

Attachment: JavaWarnings.zip added

Messages for version 6383

comment:18 by jfd553, 10 years ago

The last attachment concerns the latest JOSM version (6383) and provides the following:

  • Main warning message (javaWarning.png)
  • Usual explanation about run/cancel meanings (MoreInformation.png)
  • Provided certificate details (CertificateDetails.png)

Hope it helps
Daniel

comment:19 by Don-vip, 10 years ago

OK so we made some progress, the manifest is fine :) The tricky part now is how to get a free certificate. Dirk, do you think we can request one at Certum?

in reply to: 19; comment:20 by stoecker, 10 years ago

Replying to Don-vip:

OK so we made some progress, the manifest is fine :) The tricky part now is how to get a free certificate. Dirk, do you think we can request one at Certum?

Try yourself. Should be a java code signing and website certificate. If we have it, installation is easy. I tried the website but was confused after a while.

comment:21 by Don-vip, 10 years ago

I'm afraid the free certificate only concerns the code signing, not the website.

comment:22 by pieren, 10 years ago

Not sure, but this might be related to an older, similar issue for OS X, no? See #7904

comment:23 by Don-vip, 10 years ago

Almost:

  • Java 7 and 8 will now require a real signed certificate for Webstart, on all platforms
  • Apple Gatekeeper requires a real certificate... issued by Apple itself for someone having an Apple developer ID, which costs the sum of $99/year, and there's no way we give a hundred bucks to Apple each year.

So this will not change the situation for OSX users, but we want to prevent the majority of our users (Windows/Linux) from seeing the same thing happen.

FYI the latest stats are:

  • Java Main Version --> 6 (1648, 20.5%) 7 (6391, 79.3%) 8 (16, 0.2%)
  • OS: FreeBSD (5, 0.1%) Linux (1554, 22.4%) Mac (420, 6.1%) OpenBSD (5, 0.1%) SunOS (4, 0.1%) Windows (4937, 71.3%)

in reply to: 21; comment:24 by stoecker, 10 years ago

Replying to Don-vip:

I'm afraid the free certificate only concerns the code signing, not the website.

Not nice, but better than nothing. Did you try to get one?

comment:25 by Don-vip, 10 years ago

Not really, there are several steps where you have to choose incompatible options between those. I am currently near the end of the validation process :)

comment:26 by Don-vip, 10 years ago

Resolution: fixed
Status: new → closed

Not so easy, but it's finally fixed!

This answer on StackOverflow helped me a lot: http://stackoverflow.com/a/19502802/2257172

Versions built from r6442 now have a proper certificate, the warning is gone.

comment:27 by bastiK, 10 years ago

Great! (Sounds complicated...)

in reply to: 26; comment:28 by stoecker, 10 years ago

Not so easy, but it's finally fixed!

For one year...

comment:29 by Don-vip, 10 years ago

As far as I understand I need to refresh the certificate each year, yes. It should remain free, answer next year :)

comment:30 by Don-vip, 10 years ago

Or maybe we can try to timestamp it

in reply to: 30; comment:31 by stoecker, 10 years ago

Replying to Don-vip:

Or maybe we can try to timestamp it

?

in reply to: 31; comment:32 by Don-vip, 10 years ago

Replying to stoecker:

?

See https://blogs.oracle.com/java-platform-group/entry/signing_code_for_the_long

Certum provides a timestamp authority but I don't know if we can use it with a free certificate. I'll try.

EDIT: It seems to work! Versions built from r6444 should be timestamped. Answer next year :)

Last edited 10 years ago by Don-vip (previous) (diff)

comment:33 by Don-vip, 10 years ago

Confirmed, jar is correctly timestamped according to this blog post from Oracle:

$ jarsigner -verify -verbose -certs josm-snapshot-6456.jar | grep "was signed" | sort -u
      [entry was signed on 12/8/13 3:35 AM]

It should then be accepted after the end of the certificate :)
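The `jarsigner` grep above only shows that a signing time is recorded. As an added example (not JOSM's code and not part of this ticket), the class below does the three checks this thread went through from inside the JRE's own `java.util.jar` verifier: whether the main manifest carries the `Permissions`, `Codebase` and `Application-Name` attributes from the Oracle manifest guide linked in comment 1 (only `Permissions` is discussed on this ticket; the other two are assumed from that guide), whether every non-`META-INF` entry is signed and verifies, and whether the signature carries an RFC 3161 timestamp so that `checkValidity` can be evaluated at signing time rather than now, which is the "accepted after the end of the certificate" property from this comment. The class name `JarSigningCheck` and the exit codes are assumptions.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Reports manifest attributes, signer, and timestamp state of a jar the way a Web Start client sees them. */
public class JarSigningCheck {

    // Attributes from the Oracle RIA manifest guide; 7u45 warns when "Permissions" is absent (assumed list)
    static final String[] RIA_ATTRS = {"Permissions", "Codebase", "Application-Name"};

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java JarSigningCheck <file.jar>");
            System.exit(2);
        }
        boolean problems = false;
        // verify=true makes getInputStream() check each entry against the signature files in META-INF/
        try (JarFile jar = new JarFile(args[0], true)) {
            Attributes main = jar.getManifest().getMainAttributes();
            for (String name : RIA_ATTRS) {
                String value = main.getValue(name);
                System.out.printf("%-18s%s%n", name + ":", value == null ? "MISSING" : value);
                problems |= value == null;
            }

            int total = 0, unsigned = 0, untimestamped = 0;
            X509Certificate signer = null;
            Timestamp ts = null;
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) {
                    continue;
                }
                total++;
                // Code signers are attached only after the entry has been fully read, i.e. verified
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain to trigger verification */ }
                } catch (SecurityException tampered) {
                    System.out.println("TAMPERED: " + entry.getName() + " (" + tampered.getMessage() + ")");
                    problems = true;
                    continue;
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null || signers.length == 0) {
                    unsigned++;
                    continue;
                }
                if (signer == null) {
                    signer = (X509Certificate) signers[0].getSignerCertPath().getCertificates().get(0);
                }
                if (signers[0].getTimestamp() == null) {
                    untimestamped++;
                } else if (ts == null) {
                    ts = signers[0].getTimestamp();
                }
            }

            System.out.printf("%d entries, %d unsigned, %d signed without timestamp%n", total, unsigned, untimestamped);
            problems |= unsigned > 0 || untimestamped > 0;
            if (signer != null) {
                System.out.println("Signer:           " + signer.getSubjectX500Principal().getName());
                System.out.println("Issuer:           " + signer.getIssuerX500Principal().getName());
                System.out.println("Cert valid until: " + signer.getNotAfter());
                if (ts != null) {
                    X509Certificate tsa = (X509Certificate) ts.getSignerCertPath().getCertificates().get(0);
                    System.out.println("Timestamped at:   " + ts.getTimestamp() + " by " + tsa.getSubjectX500Principal().getName());
                }
                // With a timestamp, the signature stays valid after the cert expires if it was valid at signing time
                Date when = ts != null ? ts.getTimestamp() : new Date();
                try {
                    signer.checkValidity(when);
                    System.out.println("Signer cert valid at " + when);
                } catch (CertificateException expired) {
                    System.out.println("Signer cert NOT valid at " + when + ": " + expired);
                    problems = true;
                }
            }
        }
        System.exit(problems ? 1 : 0);
    }
}
```

Run it as `java JarSigningCheck josm-snapshot-6456.jar` (file name from the comment above). A jar whose manifest was regenerated without the new attributes, which is what comment 13 found, shows `Permissions: MISSING` even though every entry is signed; a jar signed without `-tsa` shows all entries as "signed without timestamp" and will fail the validity check as soon as the one-year certificate from comment 28 expires.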

comment:34 by Don-vip, 10 years ago

Milestone: 13.12 (6502)

comment:35 by Don-vip, 10 years ago

7u51 has been released.

No warning with this version, the implementation is definitively correct :)

comment:36 by stoecker, 7 years ago

Milestone: 13.12 (6502) → 13.12

Milestone renamed

comment:37 by Don-vip, 4 years ago

Component: Core → Core Webstart
