I'm trying to load a signed jar with an unsigned library through Webstart. However I get a "attempt to open sandboxed jar as Trusted-Library" error. I removed the all permissions setting from my jnlp file, if let it there (which I prefer not to), I get a classnotdefined exception for my library. I'm using Netbeans to sign my jar with Trusted Library setting. Would it work if I signed the library (which is not mine, but GPL'ed)?

All is working locally, btw, just not from Webstart. Thanks, Kaj

The manifest file:

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.8.2
Trusted-Library: true
X-COMMENT: Main-Class will be added automatically by build
Class-Path: lib/tools.jar
Created-By: 1.7.0-b147 (Oracle Corporation)
Main-Class: customcompile.CustomCompile

Name: customcompile/Source.class
SHA-256-Digest: WFa1FC4Q07sE3S9XxmUSEpgUKjvjYo81urGSiiLNBYY=

Name: customcompile/Output.class
SHA-256-Digest: Sc8oRhAcYYrEtWY5iA56bNKx4EuHQHgFfHmXRSYV474=

Name: customcompile/CustomCompile.class
SHA-256-Digest: WYmy6ny6BU6sYFqJCwxSUPsbTWbpvBuPurYuwnZR5sM=

Name: customcompile/MemoryClassLoader.class
SHA-256-Digest: 0bUNmC+gI7dkGFzEmDvAqdOv15UmHOQS8dDVi9FxGFU=

Name: META-INF/INDEX.LIST
SHA-256-Digest: komZP7Un7Uyi8XTq+HvpbZtNF5cfPC8TmGiPBfcO3qk=

Name: customcompile/MemoryFileManager.class
SHA-256-Digest: GorTXt3N3GZ2kUHry7qBfAOgUuYvhWHE3S+SGEjzR7k=

I found some info on the subject as well ( http://download.oracle.com/javase/6/docs/technotes/guides/jweb/mixed_code.html ): at the bottom one finds a Q&A about mixed code, suggesting setting a lazy mode on the library, which did not do anything for me.

You should be able to find answers in Mixing Signed and Unsigned Code. See especially Deploying Signed Applications and Applets Securely Without a Mixed Code Warning.

Note that manifest above has..

..
Trusted-Library: true
X-COMMENT: Main-Class will be added automatically by build
Trusted-Only: true
..

It should be one or the other of Trusted-Library or Trusted-Only (AFAIU). In this case it should be Trusted-Library.