990382 wrote: It depends on what your application is doing, but in the majority of cases the answer is "yes". Certain actions are prohibited for embedded applications unless they specifically request permissions for them, and to do so the application needs to be signed. Examples of these actions are reading and writing to the file system, or some actions with multithreading. Another important example is suppressing access checks in order to manipulate inaccessible (usually private) fields or invoke inaccessible methods by reflection. Injection of FXML-defined objects into a controller relies on being able to do this. So in short, an application that uses FXML will almost always need to be signed.
I have two questions regarding signing of a JavaFX application:
1. In the documentation I read that there is no need to sign an application. But when I try to run a sample application (without any need of special security) in a web browser, I get a runtime error if I don't sign the application before. Is it necessary to sign a JavaFX application if it is intended to run in the browser?
2. I am signing my JavaFX application with the corresponding Ant-Task. So far I created a keystore a self signed certificate and it works.
You need to import the commercial certificate into the keystore. I've never needed to do this (at least, not yet), but there is some documentation on how to do so here: http://docs.oracle.com/javase/tutorial/security/toolsign/signer.html. The optional step (between steps 3 and 4) is the one of interest to you.
Is it possible to use a commercial certificate I use for an apache webserver and how? I could not find any information concerning this topic.
Thanks in advance!
Don't use a web server certificate. Use a code signing certificate:
See these related threads:
Re: In need of opinion - desktop shortcut, security warning. "Security Warning"
Signed Jars "Signed Jars"
http://docs.oracle.com/javafx/2/deployment/packaging.htm#BABJGFBH "Sign the JAR Files"
Oracle don't even bother signing their jars with an Oracle certificate. The Oracle JavaFX samples are just self signed.
It has been a long time since somebody has asked about signing which tells me either signing is simple enough that no questions need to be asked or people are not signing their apps with a code signing certificate. My guess is that it is the latter.
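The first reply says that FXML injection into a controller depends on suppressing access checks by reflection, which an unsigned embedded application may not do. The Java program below is an added example, not code from this thread or from JavaFX: `Controller` and `SandboxLike` are hypothetical names, the security manager only approximates the browser sandbox by denying `ReflectPermission("suppressAccessChecks")`, and it assumes a Java 8-era runtime where `System.setSecurityManager` is still permitted.

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.Permission;

public class SandboxInjectionDemo {
    // Hypothetical controller: the private field stands in for an @FXML-injected one.
    static class Controller {
        private String label;
    }

    // Hypothetical stand-in for the unsigned-applet sandbox: it denies only the
    // permission that Field.setAccessible(true) asks for and allows everything else.
    static class SandboxLike extends SecurityManager {
        @Override
        public void checkPermission(Permission p) {
            if (p instanceof ReflectPermission && "suppressAccessChecks".equals(p.getName())) {
                throw new SecurityException("denied: " + p);
            }
        }
    }

    // Same kind of reflective write an injecting loader performs on a private field.
    static boolean inject(Controller c, String value) {
        try {
            Field f = Controller.class.getDeclaredField("label");
            f.setAccessible(true); // permission check happens here when a manager is installed
            f.set(c, value);
            return true;
        } catch (SecurityException | ReflectiveOperationException e) {
            System.out.println("injection failed: " + e);
            return false;
        }
    }

    public static void main(String[] args) {
        Controller c = new Controller();
        System.out.println("no security manager:  " + inject(c, "a"));
        System.setSecurityManager(new SandboxLike());
        System.out.println("sandbox-like manager: " + inject(c, "b"));
    }
}
```

The first call succeeds and the second fails with a `SecurityException` raised inside `setAccessible`, which is the failure a signed application avoids by being granted the permissions it requests.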