#11331 closed defect (wontfix)
Generating jar file for tests with Java Web Start
Reported by: | wiktorn | Owned by: | team |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | Core Webstart | Version: | |
Keywords: | Cc: | bastiK |
Description
To debug #11298 I'd like to check how JOSM behaves when started by Java Web Start:
- I create josm-custom.jar using ant dist
- I put jnlp (attached) and jar file in c:\josm
- When I start jnlp, I get the following exception:
com.sun.deploy.net.JARSigningException: Found unsigned entry in resource: file:/c|/josm/josm-custom.jar
- So I try to sign the jar. First I generate the key for signature (with a little help from http://docs.oracle.com/cd/E19798-01/821-1751/ghlgv/index.html):
"c:\Program Files\Java\jdk1.7.0_76\bin\keytool.exe" -genkey -alias signature -keyalg RSA -keystore josm.jks
- Then I sign the jar using the command:
{{{
"c:\Program Files\Java\jdk1.7.0_76\bin\jarsigner.exe" -keystore josm.jks -verbose josm-custom.jar signature
(...)
jar signed.
Warning:
The signer certificate will expire within six months.
No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2015-07-09) or after any future revocation date.
}}}
- I start Java Web Start again, and then I get "Application blocked by Java Security"
Attachments (2)
Change History (8)
by , 10 years ago
Attachment: | apllication blocked.png added |
---|
comment:1 by , 10 years ago
Description: | modified (diff) |
---|
follow-up: 6 comment:2 by , 10 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
Either you need to import your local key into Java or you need to get an officially accepted signing key. We have one on the server, but that's not freely available, as you can think :-)
Rules got more strict over time, don't know how you can set up local exceptions or if this is possible at all anymore.
comment:3 by , 10 years ago
@bastiK:
As it seems you caused this ticket. If you know how, you probably should document the necessary steps in the wiki.
comment:4 by , 10 years ago
I wasn't aware wiktorn is trying to run development builds as webstart. (Thought there are issues with what we ship.)
It would be nice to help Wiktor to investigate this caching issue with webstart as it seems to have rather big implications. Personally, I have little to no experience with jar signing, so if you or Vincent could give some pointers, this would be appreciated.
comment:5 by , 10 years ago
comment:6 by , 10 years ago
Replying to Don-vip:
> Please try https://josm.openstreetmap.de/download/josm-latest-debug.jnlp
Thank you, but I wanted to change a bit of code, to see what difference in behaviour I'll get.
Replying to stoecker:
> Either you need to import your local key into Java or you need to get an officially accepted signing key. We have one on the server, but that's not freely available, as you can think :-)
I tried importing my key into cacerts (might be good material for wiki entry):
- Export the key:
"c:\Program Files\Java\jre8\bin\keytool.exe" -exportcert -keystore josm.jks -file sign.crt -alias signature
- Import the key into cacerts of default JRE (needs to have Admin/root rights):
"c:\Program Files\Java\jre8\bin\keytool.exe" -importcert -keystore "c:\Program Files\java\jre8\lib\security\cacerts" -file sign.crt -trustcacerts -storepass changeit
(changeit is the default store password for Java)
But still - I get an exception that jar is not secured.
Though jarsigner also complains, even if I use local keystore:
{{{
C:\josm>"c:\Program Files\Java\jdk1.7.0_76\bin\jarsigner.exe" -verify josm-custom.jar -certs josm.jks
jar verified.
Warning:
This jar contains entries whose certificate chain is not validated.
This jar contains signed entries which are not signed by the specified alias(es).
This jar contains entries whose signer certificate will expire within six months.
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2015-07-09) or after any future revocation date.
Re-run with the -verbose and -certs options for more details.
}}}
So this might be a clue how to proceed with that further.
JNLP file
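An added example (not from the ticket or the JOSM code base): a Python check that lists which entries of a JAR no signature file covers, the condition behind the "Found unsigned entry in resource" exception quoted in the description. It only compares entry names against the `Name:` sections of `META-INF/MANIFEST.MF` and `META-INF/*.SF`; it does not verify digests or the certificate chain, and the sample JARs, their `AAAA` digests and the `SIGNATUR` file names are constructed.

```python
import io
import re
import zipfile

# Files jarsigner itself writes; they are never listed as signed entries.
SIG_RELATED = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC)|SIG-[^/]*)$", re.I)
SF_FILE = re.compile(r"^META-INF/[^/]+\.SF$", re.I)


def section_names(raw):
    """Return the 'Name:' values of a manifest or .SF file."""
    text = raw.decode("utf-8").replace("\r\n", "\n")
    text = text.replace("\n ", "")  # undo 72-byte line continuations
    return set(re.findall(r"^Name: (.*)$", text, re.M))


def unsigned_entries(jar_bytes):
    """List file entries that no signature file in the JAR covers."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        in_manifest = set()
        if "META-INF/MANIFEST.MF" in names:
            in_manifest = section_names(jar.read("META-INF/MANIFEST.MF"))
        in_sf = set()
        for sf in filter(SF_FILE.match, names):
            in_sf |= section_names(jar.read(sf))
        covered = in_manifest & in_sf  # must be listed in both to count
        return sorted(n for n in names
                      if not n.endswith("/")          # skip directory entries
                      and not SIG_RELATED.match(n)
                      and n not in covered)


def build_jar(files, signed=()):
    """Constructed sample: a JAR whose manifest and .SF list only `signed`."""
    sections = "".join(f"Name: {n}\r\nSHA-256-Digest: AAAA\r\n\r\n" for n in signed)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n" + sections)
        if signed:
            jar.writestr("META-INF/SIGNATUR.SF", "Signature-Version: 1.0\r\n\r\n" + sections)
            jar.writestr("META-INF/SIGNATUR.RSA", b"placeholder, not a real PKCS#7 block")
        for name, data in files.items():
            jar.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    files = {"org/App.class": b"\xca\xfe\xba\xbe", "data/added-later.txt": b"x"}
    print(unsigned_entries(build_jar(files)))                      # never signed
    print(unsigned_entries(build_jar(files, ["org/App.class"])))  # entry added after signing
```

To check a real file, pass its bytes, for example `unsigned_entries(open("josm-custom.jar", "rb").read())`.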