I'm working with legacy code where the login is performed through an applet (as I've said, it is legacy code ;D). We've been working with several JRE versions (1.6.0_29, 30 and 43) and all have been working without any problem. But the customer has requested to use the 1.6.0_45 JRE version. Since then, whenever the login applet is about to be executed, the user is shown the alert message shown in this link.
The JAR behind the Applet is signed with a certificate from a CA, and the verification of that JAR gives the following result:
636 Tue May 14 15:57:56 CEST 2013 META-INF/MANIFEST.MF
702 Wed May 15 09:45:38 CEST 2013 META-INF/Cert.SF
4669 Wed May 15 09:45:38 CEST 2013 META-INF/Cert.RSA
0 Tue May 14 15:57:58 CEST 2013 META-INF/
0 Tue May 14 15:57:58 CEST 2013 META-INF/maven/
0 Tue May 14 15:57:58 CEST 2013 META-INF/maven/folder0/
0 Tue May 14 15:57:58 CEST 2013 META-INF/maven/folder0/folder1/
smk 2829 Tue Jul 03 14:02:34 CEST 2012 META-INF/maven/folder0/folder1/pom.xml
X.509, CN=AAA, OU=BBB, O=CCC, L=DDD, ST=EEE, C=EN (alias)
[certificate is valid from 11/11/12 1:00 to 14/01/14 0:59]
X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
[certificate is valid from 8/02/10 1:00 to 8/02/20 0:59]
[KeyUsage extension does not support code signing]
X.509, CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
[certificate is valid from 17/11/06 1:00 to 31/12/20 0:59]
[KeyUsage extension does not support code signing]
X.509, EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
[certificate is valid from 1/08/96 2:00 to 2/01/21 0:59]
smk 120 Tue May 14 15:57:58 CEST 2013 META-INF/maven/folder0/folder1/pom.properties
X.509, CN=AAA, OU=BBB, O=CCC, L=DDD, ST=EEE, C=EN (alias)
[certificate is valid from 11/11/12 1:00 to 14/01/14 0:59]
X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
[certificate is valid from 8/02/10 1:00 to 8/02/20 0:59]
[KeyUsage extension does not support code signing]
X.509, CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
[certificate is valid from 17/11/06 1:00 to 31/12/20 0:59]
[KeyUsage extension does not support code signing]
X.509, EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
[certificate is valid from 1/08/96 2:00 to 2/01/21 0:59]
0 Tue May 14 15:57:58 CEST 2013 folder2/
0 Tue May 14 15:57:58 CEST 2013 folder2/generalRequirements/
0 Tue May 14 15:57:58 CEST 2013 folder2/generalRequirements/accessControl/
0 Tue May 14 15:57:58 CEST 2013 folder2/generalRequirements/accessControl/passwordManagement/
0 Tue May 14 15:57:58 CEST 2013 folder2/generalRequirements/accessControl/passwordManagement/applt/
0 Tue May 14 15:57:58 CEST 2013 folder2/utils/
smk 4811 Tue May 14 15:57:58 CEST 2013 folder2/generalRequirements/accessControl/passwordManagement/applt/pwapplt.class
X.509, CN=AAA, OU=BBB, O=CCC, L=DDD, ST=EEE, C=EN (alias)
[certificate is valid from 11/11/12 1:00 to 14/01/14 0:59]
X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
[certificate is valid from 8/02/10 1:00 to 8/02/20 0:59]
[KeyUsage extension does not support code signing]
X.509, CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
[certificate is valid from 17/11/06 1:00 to 31/12/20 0:59]
[KeyUsage extension does not support code signing]
X.509, EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
[certificate is valid from 1/08/96 2:00 to 2/01/21 0:59]
smk 2185 Tue May 14 15:57:58 CEST 2013 folder2/utils/MyCrypter.class
X.509, CN=AAA, OU=BBB, O=CCC, L=DDD, ST=EEE, C=EN (alias)
[certificate is valid from 11/11/12 1:00 to 14/01/14 0:59]
X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
[certificate is valid from 8/02/10 1:00 to 8/02/20 0:59]
[KeyUsage extension does not support code signing]
X.509, CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
[certificate is valid from 17/11/06 1:00 to 31/12/20 0:59]
[KeyUsage extension does not support code signing]
X.509, EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
[certificate is valid from 1/08/96 2:00 to 2/01/21 0:59]
smk 630 Tue May 14 15:57:58 CEST 2013 folder2/utils/MySecurityManager.class
X.509, CN=AAA, OU=BBB, O=CCC, L=DDD, ST=EEE, C=EN (alias)
[certificate is valid from 11/11/12 1:00 to 14/01/14 0:59]
X.509, CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
[certificate is valid from 8/02/10 1:00 to 8/02/20 0:59]
[KeyUsage extension does not support code signing]
X.509, CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US
[certificate is valid from 17/11/06 1:00 to 31/12/20 0:59]
[KeyUsage extension does not support code signing]
X.509, EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
[certificate is valid from 1/08/96 2:00 to 2/01/21 0:59]
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
jar verified.
In this other thread I've seen that the MANIFEST.MF is also signed, but in my JAR it is not. Could that be the reason why the user gets the warning message? Why might the MANIFEST.MF file not be getting signed?
If the above is not the problem, that is, if the JAR is correctly signed and all its significant content is signed as well, why is the JRE displaying the warning message indicating that the application contains both signed and unsigned code?
I know that I can use the Trusted-Library attribute in the JARs' manifests to avoid that message, but I would like to know what is causing it to be displayed.
Any idea? Any contribution will be appreciated.
Thank you so much in advance!
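Added example, not part of the question above: a standard-library Python check that does per entry what the `smk` flags summarise. It recomputes the `.SF` digests over the manifest sections to report which entries the signature file actually covers, and checks whether the `.SF` main section's `SHA1-Digest-Manifest` header matches MANIFEST.MF as a whole. It assumes the PKCS#7 block over the `.SF` has already been verified, uses SHA-1 digests only, and runs against a constructed sample JAR rather than the poster's.

```python
import base64, hashlib, io, zipfile

def b64sha1(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def split_sections(raw):
    # Keep raw bytes: .SF digests are computed over each manifest section unchanged.
    sections, cur = [], b""
    for line in raw.splitlines(keepends=True):
        cur += line
        if line.strip(b"\r\n") == b"":  # blank line closes a section
            sections.append(cur)
            cur = b""
    return sections + ([cur] if cur else [])

def attrs(section):
    # Header lines of one section (continuation lines ignored; sample names are short).
    lines = section.decode("utf-8").splitlines()
    return dict(l.split(": ", 1) for l in lines if ": " in l)

def coverage(jar_bytes, sf_name="META-INF/CERT.SF"):
    # Assumes the .RSA/.DSA block over the .SF was already verified; answers only
    # whether the manifest is covered and which entries the .SF actually signs.
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        manifest, sf = z.read("META-INF/MANIFEST.MF"), z.read(sf_name)
        names = [i.filename for i in z.infolist() if not i.filename.endswith("/")]
    mf_sec, sf_sec = split_sections(manifest), split_sections(sf)
    # JAR spec: each .SF entry digest is over that entry's manifest section, blank line included.
    mf_digest = {attrs(s)["Name"]: b64sha1(s) for s in mf_sec[1:] if "Name" in attrs(s)}
    sf_digest = {attrs(s)["Name"]: attrs(s).get("SHA1-Digest") for s in sf_sec[1:] if "Name" in attrs(s)}
    manifest_ok = attrs(sf_sec[0]).get("SHA1-Digest-Manifest") == b64sha1(manifest)
    # The signature files themselves are never "signed entries".
    body = [n for n in names if not (n.startswith("META-INF/") and n.upper().endswith((".MF", ".SF", ".RSA", ".DSA", ".EC")))]
    signed = [n for n in body if n in sf_digest and sf_digest[n] == mf_digest.get(n)]
    return manifest_ok, signed, [n for n in body if n not in signed]

def build_sample_jar():
    # Constructed sample: Login and Util are in the manifest, only Login is in the .SF,
    # and Extra is in neither, so this JAR mixes signed and unsigned code.
    def section(name, content):
        return f"Name: {name}\r\nSHA1-Digest: {b64sha1(content)}\r\n\r\n"
    mf = "Manifest-Version: 1.0\r\n\r\n" + section("a/Login.class", b"A") + section("a/Util.class", b"B")
    sf = (f"Signature-Version: 1.0\r\nSHA1-Digest-Manifest: {b64sha1(mf.encode())}\r\n\r\n"
          f"Name: a/Login.class\r\nSHA1-Digest: {b64sha1(split_sections(mf.encode())[1])}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in [("META-INF/MANIFEST.MF", mf.encode()), ("META-INF/CERT.SF", sf.encode()),
                           ("a/Login.class", b"A"), ("a/Util.class", b"B"), ("a/Extra.class", b"C")]:
            z.writestr(name, data)
    return buf.getvalue()
```

Running `coverage(build_sample_jar())` returns `(True, ['a/Login.class'], ['a/Util.class', 'a/Extra.class'])`: the manifest is covered, but two entries are not, which is the mixed-code condition.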