I have a small javafx2 application that is used in the office. Some guys run it from Firefox, some run it as a desktop app. Webstart is great.
The current approach is that I have added this to the jnlp file:
<security>
<all-permissions/>
</security>
Then created a key in a keystore using the keytool:
keytool -genkey -keystore yourKeystore -alias keyname
And I sign all jar files that are to be on the user's PC using jarsigner:
jarsigner -keystore ./myapp.keystore -storepass xxx -keypass yyy <path to jar file> keyname
So the user either starts the app using the shortcut file (the jnlp file) on their desktop, or they browse to the app in Firefox. This works great, except nowadays we get this dialog that says:
Running applications by UNKNOWN publishers will be blocked in a future release
and I am worried about what will happen when that future release is out.
I do not have a deep understanding about all this code signing thing. I know that it works by embedding some binary data into files that is used to prove that the releaser of the app is a company/individual that is recognized by the Certificate Authority (and this is what jarsigner does AFAIK). Certificates are recognized by OSes like Windows and Linux, by webbrowsers like Firefox and Safari and Java also recognizes certificates at 2 levels, user and system. There are widely accepted Certificate Authorities (like Verisign) that are recognized by default in OSes like Windows and Linux. I know that webbrowsers also recognize some Certificate Authorities, but I think the list they recognize can be different from the list the OS recognizes. I guess Java also recognizes some but I do not know what. I also know that I can have system level configured keystores in Java by specifying the keystore in ~/.java/deployment/deployment.properties, deployment.system.security.trusted.certs. If I do not want to pay for a certificate, I can create my own (this is what I was doing) so my certificate is from an UNKNOWN publisher. What I was hoping for that if I specify my keystore via deployment.system.security.trusted.certs then it will solve this problem for the office but apparently it does not, which I do not understand because in this case the system administrator says that he recognizes this certificate. So now I am thinking about making a certificate using makecert in windows which can then be pushed down to client PCs via GPO. My understanding is that this will create certificates that are recognized by the OS, but I do not know if makecert made certificates would be treated the same way as e.g. verisign certificates in Windows, in Firefox and also in Java. And I do not know if UNKNOWN refers to a list within java or it refers to the fact that the Certificate Authority is not recognized by the OS.
My questions:
- If someone could fix the mistakes I made in the above description I would appreciate it. I believe I am misunderstanding something, but I do not know what.
- I just cannot believe that Webstart won't work unless we pay for a certificate. I guess what we need is a mechanism that a sysadmin can say that he wants the office PCs to recognize a given certificate. Does anyone have an idea how to do this in the future?
- If we have to purchase a certificate, could someone please let me know what to watch out for or how that works in general? Can I use jarsigner the same way?
- If we have to purchase a certificate, is there a list of Certificate Authorities out there that we can pick from? Obviously I want to go for the cheapest as I find this an administrative overhead.
Thank you for your help.