Will Deployment Rule Sets Allow JNLP To Run Without Signing Jars?

Posted 2019-08-05 16:22

Question:

When I run my JNLP it keeps failing with "com.sun.deploy.net.JARSigningException: Found unsigned entry in resource: http://......"

My JNLP is generated on the fly by a class and ends up looking like this at the top:

<jnlp spec="1.0+" codebase="http://myhost.com:8080/webstart" href="jnlp?app=com.mycompany.LaunchWebstart">

I created a very broad ruleset.xml

<ruleset version="1.0+">
  <rule>
    <id />
    <action permission="run" />
  </rule>
</ruleset>

Added it to a jar

jar -cf DeploymentRuleSet.jar ruleset.xml

Signed it with my company keystore

jarsigner DeploymentRuleSet.jar <alias> -keystore <path-to-keystore> -sigfile filesig -storetype <store-type>

Then copied it to

%SYSTEMROOT%\Sun\Java\Deployment

According to the docs I should be able to run without signing my jars so why am I getting this error?

permission - Action taken. The following values are valid:

run - The following types of RIAs are allowed to run without prompts:
    Signed with a valid certificate from a trusted certificate authority
    Signed with an expired certificate
    Self-signed
    Unsigned
    Missing required JAR file manifest attributes

There are ~250(!) so I'd rather not be signing them all the time as it slows down my build process considerably.

Using JRE version 1.7.0_71-b14.

Answer 1:

You need to import the certificate under JAVA > Security > Certificates > Signer CA



Answer 2:

Will Deployment Rule Sets Allow JNLP To Run Without Signing Jars?

I've never heard of 'Deployment Rule Sets' but if anything allowed an unsigned Jar to run (short of the user manually adjusting the security level in the console), it would be a security bug.



Answer 3:

It seems that your ruleset is invalid. You can check this by opening the Java Control Panel and on the security tab click "View the active Deployment Rule Set".

Leaving out the id is not allowed for permission run. According to Oracle's documentation on Deployment Rule Sets: "To ensure that all RIAs are handled by the rule set, you can provide a final rule that matches any RIA that was not matched by a previous rule. The action for this rule must be either block or default."

To allow an unsigned application you should list its location. You should also change the jnlp file's href attribute to include the same location. I have tried this for our application but I am unfortunately still getting the error "Found unsigned entry in resource...". According to replies on this bug report it should work though...
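
Added example, not part of the answers above and not Oracle's tooling: a small Python check for the constraint quoted in Answer 3, that a rule whose `<id>` matches every RIA may only use `block` or `default`. The name `lint_ruleset` and both sample rule sets are constructed here, and treating an `<id>` with no attributes and no child elements as the catch-all is an assumption.

```python
import xml.etree.ElementTree as ET

ALLOWED_CATCH_ALL = {"block", "default"}

def lint_ruleset(xml_text):
    """Return a list of (rule_number, message) findings for a ruleset.xml string."""
    findings = []
    rules = ET.fromstring(xml_text).findall("rule")
    for n, rule in enumerate(rules, start=1):
        id_el = rule.find("id")
        action = rule.find("action")
        if id_el is None or action is None:
            findings.append((n, "rule needs both <id> and <action>"))
            continue
        permission = action.get("permission")
        # Assumption: an <id> with no attributes and no children matches every RIA.
        catch_all = not id_el.attrib and len(id_el) == 0
        if catch_all and permission not in ALLOWED_CATCH_ALL:
            findings.append(
                (n, "catch-all <id /> with permission=%r; must be block or default" % permission))
        if catch_all and n < len(rules):
            findings.append((n, "catch-all rule is not last; later rules are never reached"))
    return findings

# Constructed sample: the rule set exactly as posted in the question.
QUESTION_RULESET = """<ruleset version="1.0+">
  <rule>
    <id />
    <action permission="run" />
  </rule>
</ruleset>"""

# Constructed sample: "run" scoped to the codebase from the question's JNLP,
# followed by a final catch-all that uses "default".
SCOPED_RULESET = """<ruleset version="1.0+">
  <rule>
    <id location="http://myhost.com:8080/webstart" />
    <action permission="run" />
  </rule>
  <rule>
    <id />
    <action permission="default" />
  </rule>
</ruleset>"""

if __name__ == "__main__":
    for name, text in (("question", QUESTION_RULESET), ("scoped", SCOPED_RULESET)):
        print(name, lint_ruleset(text) or "no findings")
```

The check only covers rule-set structure; it says nothing about whether the JRE will then accept unsigned entries, which Answer 3 reports still failing.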