4 Replies Latest reply: Feb 8, 2010 9:43 AM by 843811

    Signed WS Application: "Digital Signature Cannot be Verified"

    843811
      I have a webstart application. It is signed with a proper certificate. I can verify it with jarsigner. The root CA certificate is in my jre cacerts.

      Of course, when I try to launch it on a client I get the TrustDeciderDialog popping up, saying "The Application's Digital Signature cannot be Verified. Do you want to continue?" (java console output is appended at the end of this message)

      What I find confusing is that when I click on "More Information" I get the following:

      *!* This application will be run without the security restrictions normally provided by Java
      *!* Although the application has a digital signature, the application's associated file (JNLP) does not have one. A digital signature ensures that a file is from the vendor and that it has not been altered.
      i Caution: "B Robertson" asserts that this application is safe. You should only run this application if you trust "B Robertson" to make that assertion.
      i The digital signature was generated with a trusted certificate

      Is this trying to tell me that the application jar is signed correctly, but the JNLP is not signed? How do you sign a JNLP file?

      Can anyone shed any light on what's going on, or help me with how I might proceed?

      I signed the app with a personal certificate. The app consists of a single executable jar, which is listed in the jnlp file.

      Thanks.

      -----------------------------java console output----------------------------------

      Java Web Start 1.6.0_18
      Using JRE version 1.6.0_18-b07 Java HotSpot(TM) Server VM

      security: Blacklist revocation check is enabled
      security: The jar file isnt on a blacklist
      security: Validating signatures for null http://webserver:9180/mywebapp/launch.jnlp
      security: Empty trusted set for [http://webserver:9180/mywebapp/mywebapp-jar-with-dependencies.jarjnlp]
      security: Round 1 (0 out of 1):http://webserver:9180/mywebapp/mywebapp-jar-with-dependencies.jar
      security: Entry [http://webserver:9180/mywebapp/mywebapp-jar-with-dependencies.jar] is not prevalidated. Revert to full validation of this JAR.
      security: Round 2 (0 out of 1):http://webserver:9180/mywebapp/mywebapp-jar-with-dependencies.jar
      security: Validating cached jar url=http://webserver:9180/mywebapp/mywebapp-jar-with-dependencies.jar ffile=/home/broberts/.java/deployment/cache/6.0/39/3dca67a7-18cf75bc com.sun.deploy.cache.CachedJarFile@1e398a0
      security: Istrusted: null false
      security: Accessing keys and certificate in Mozilla user profile: null
      security: Loading Root CA certificates from /home/broberts/progs/jdk1.6.0_18/jre/lib/security/cacerts
      security: Loaded Root CA certificates from /home/broberts/progs/jdk1.6.0_18/jre/lib/security/cacerts
      security: Loading Deployment certificates from /home/broberts/.java/deployment/security/trusted.certs
      security: Loaded Deployment certificates from /home/broberts/.java/deployment/security/trusted.certs
      security: Loading certificates from Deployment session certificate store
      security: Loaded certificates from Deployment session certificate store
      security: Validate the certificate chain using CertPath API
      security: Obtain certificate collection in Root CA certificate store
      security: Obtain certificate collection in Root CA certificate store
      security: No timestamping info available
      security: Found jurisdiction list file
      security: Start checking trusted extension for this certificate
      security: Start comparing to jurisdiction list with this certificate
      security: The CRL support is disabled
      security: The OCSP support is disabled
      security: Checking if certificate is in Deployment permanent certificate store
      security: Start OCSP End Entity validation check
      security: No OCSP responder URI found
      security: OCSP End Entity validation status is good
      security: Checking if certificate is in Deployment denied certificate store
      security: Checking if certificate is in Deployment permanent certificate store
      security: Checking if certificate is in Deployment session certificate store