2

Our Java application has a function which outputs a Java applet which can be uploaded to our online repository. Recently we have been having trouble with Oracle security updates which require applets to be codesigned unless Java security settings are lowered on the client's machine.

To fix this we are trying to codesign the applets server side when they are uploaded but I have run into some trouble. The codeisiging seems to work fine with a command like this (using a certificate from Digicert):

jarsigner -tsa http://timestamp.digicert.com -keystore ./keystore.jks -storepass pass /path/to/jar alias

But we still get an error that says: 

This application contains both signed and unsigned code'

I believe this is occurring because the Java application outputs applets that contain a main jar file and then a few .class files. Is there anyway to avoid this error without getting rid of the .class files? We currently want to fix this without having to make any changes to the Java application that outputs that applets.

Mike2012
  • 7,629
  • 15
  • 84
  • 135

1 Answers1

4

You can only sign JAR files, not loose class files. Class files themselves do not have a place to put the signature information and it would be highly redundant if they did. In a JAR file, the signature hashes go into the MANIFEST and public keys appear in the relevant RSA or DSA files. You will want to do one of the following:

  • Recommended: Package all classes into signed JAR files. You can sign components too, signing means distributed-by not authored-by.
  • Have individual users add your applet location to their Exception Site List.
  • Have a company's system administrator add your applet location (or certificate hash) to their Deployment Rule Set.
Costlow
  • 575
  • 3
  • 9