With recent changes in Java 7s security checks, I am updating our webstart application so that it starts without warning.
There are several jar files in our webstart application, only some of which are developed by us, we use several third-party jar files (log4j, swingx, ...)
In our previous setup, we used a self-signed certificate with which we signed all the jar files. Now we have acquired a signature certificate from the corresponding CA.
The steps that I have done so far are:
- Unzip the jar files
- Remove old certificates (remove * .DSA * .SF * .RSA and hashes from the manifest) from all jar files
- Service Pack Files
- Add permission attributes, code, application attribute to the jar file that contains our main class.
- Sign of jar files with new key
Running this in webstart on a machine with Java 7 u45 does not give a warning dialog box, which is great.
However, looking in the java console, I see that it warns about the shortcomings of the Permission, Codebase, Application-Name attributes for all jar other jar files. Should I also add these attributes to every jar file?
Itβs not easy for me to repack third-party jar files, but now adding manifest attributes also makes me feel like I missed something.
So, change manifests or something else? Thank you and merry christmas
Edit: Thanks for the helpful answers, I just wanted to update this with some details of the solution I implemented.
, jar, .
- jar
- *.DSA *.RSA *.SF META-INF
- META-INF/MANIFEST.MF, - SHA-256-
- SHA1-
-
- Codebase
-
- META-INF/MANIFEST.MF
- : all-permissions
- Codebase: *
- : MY APP NAME
- , MANIFEST.MF (dos2unix)
- jar ,
- jar
,