
I have an old Java web application. The client machines are accessing this app using JRE 6, but I need to migrate those to JRE 8. After installing JRE 8 on the client side (Windows), when I run the app for the first time I get a security warning message related to a file called jacob.jar: The publisher name is unverified and therefore listed as UNKNOWN...

I can tick the checkbox and click Run, and after that the warning does not appear in that browser session, but how do I get rid of the warning message completely, so that it will not appear even on the first launch in a session?

Things I tried

Added Permissions, Codebase and Application-Name attributes to MANIFEST.MF and made my own certificate:

keytool -genkey -alias webutil2 -keystore example.keystore
<Entering data is omitted>
keytool -export -keystore example.keystore -alias webutil2 -file cert3.csr

Signed jacob.jar manually using my self-made certificate:

> sign_webutil.bat jacob.jar
Signature verified OK
jarsigner -verify jacob.jar
jar verified.
Warning:
This jar contains entries whose certificate chain is not validated.
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2017-05-14) or after any future revocation date.
Re-run with the -verbose and -certs options for more details.

I also added my certificate to the Signer CA list and confirmed it was added through Control Panel > Java > Security > Manage Certificates > System:

C:\Program Files\Java\jre1.8.0_66\lib\security> keytool -import -trustcacerts -alias root -file cert3.csr -keystore cacerts

  • Added the URL to the exception site list in the Java Control Panel
  • Added the URL in Compatibility View settings and Pop-up Blocker settings (+ IE restart)

But the warning still appears, even after I reset the warning prompts from the Java Control Panel.

1 Answer

You will need an official certificate, instead of a self-signed one. Also, the certificate must be one that allows software to be signed; please keep in mind that those tend to be way more expensive than the ones made for websites or email.

Edit: this post also suggests that adding your own custom CA to Java's own certificate path may also be a viable alternative.

I solved it by making custom certificates. The high-level steps were: Make a self-signed CA keypair with a CRL location; Make a code signing keypair; Make a CSR for the code signing cert; Approve the CSR using the CA; Generate an empty CRL using the CA certificate and put it at the CRL location; Then the files are ready. Import the CA certificate on the client machine (file `cacerts` in `java home/lib/security`). After that, the code signing keypair can be used to sign jars. The client machine does not give warning messages before each session. Only one info message where you tick the checkbox once, and it will not appear anymore. – Pavel Jul 07 '16 at 19:14
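The procedure from the comment above, written out as an added example (it is not the poster's own script): an internal CA with a CRL distribution point, a CA-issued code-signing certificate, trust for that CA on the client, and a timestamped jar signature. OpenSSL is used for the CA and CRL steps because keytool cannot issue CRLs; it assumes OpenSSL 1.1.1 or later and JDK 8 keytool/jarsigner on PATH, and the URLs, subject names, aliases and passwords are placeholders.

```powershell
# Added example; all names, URLs and passwords below are placeholders.
$ErrorActionPreference = 'Stop'
$CrlUrl  = 'http://pki.example.internal/ca.crl'   # where clients will fetch the CRL
$TsaUrl  = 'http://tsa.example.internal'          # an RFC 3161 timestamp authority
$StorePw = 'changeit'                             # default cacerts password; reused for the demo keystore
$JreHome = 'C:\Program Files\Java\jre1.8.0_66'    # client JRE, as in the question

# 1. Self-signed CA keypair (OpenSSL, because keytool cannot produce a CRL later).
openssl req -x509 -newkey rsa:3072 -nodes -days 3650 -keyout ca.key -out ca.crt `
  -subj '/CN=Example Internal Code Signing CA' `
  -addext 'basicConstraints=critical,CA:TRUE' -addext 'keyUsage=critical,keyCertSign,cRLSign'

# 2. Code-signing keypair in a PKCS12 keystore, and 3. a CSR for it.
keytool -genkeypair -alias codesign -keyalg RSA -keysize 3072 -validity 730 `
  -dname 'CN=Example Build Signer' -keystore signer.p12 -storetype PKCS12 -storepass $StorePw
keytool -certreq -alias codesign -keystore signer.p12 -storepass $StorePw -file codesign.csr

# 4. The CA approves the CSR, adding the code-signing EKU and the CRL location.
@"
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=codeSigning
crlDistributionPoints=URI:$CrlUrl
"@ | Set-Content -Path codesign.ext
openssl x509 -req -in codesign.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 730 `
  -out codesign.crt -extfile codesign.ext

# 5. Empty CRL; publish ca.crl at $CrlUrl so client revocation checks can succeed.
@"
[ ca ]
default_ca = internal
[ internal ]
database = index.txt
default_md = sha256
"@ | Set-Content -Path ca.cnf
New-Item -ItemType File -Path index.txt -Force | Out-Null
openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.crt -crldays 30 -out ca.crl

# 6. Trust the CA (not the leaf certificate) in the client JRE's cacerts; run elevated.
keytool -importcert -noprompt -trustcacerts -alias example-internal-ca -file ca.crt `
  -keystore "$JreHome\lib\security\cacerts" -storepass $StorePw

# 7. Install the issued chain into the signing keystore (CA first), then sign with a timestamp.
keytool -importcert -noprompt -alias example-internal-ca -file ca.crt -keystore signer.p12 -storepass $StorePw
keytool -importcert -alias codesign -file codesign.crt -keystore signer.p12 -storepass $StorePw
jarsigner -keystore signer.p12 -storepass $StorePw -tsa $TsaUrl jacob.jar codesign
jarsigner -verify -verbose -certs jacob.jar   # check on a machine whose cacerts holds the CA
```

The final verify reads the cacerts of the JDK running jarsigner, so the "certificate chain is not validated" line only goes away where the CA has been imported, which is also exactly what the client JRE needs.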