I am downloading a java web start app from the web, and using the jnlp file to run it in my MAC OS. But the application does not start and gives me the following error.
Now, I have read a lot about this error here and how to sign the application here and other places. Plus I have read about the security update which started this error here.
All these articles and answers give the impression that this error can only occur due to the application being from an unidentified developer.
I just wanted to confirm whether that is the case, or can there be some other reason behind this, like expired code signing cert, or a self signed cert?
If there can be multiple reasons for this error, how to find out which one it is?
Related
I've been quite happily signing my jar files for a year or so and had no issues whatsoever, but very recently I have noticed that I'm getting the warning below.
Now, nothing has changed, I'm not creating anything different, my certificate is valid, I'm signing in exact same way, same JDK and same JRE and I'm uploading to the same location and so on so kind of hitting a wall.
I've tried running from a different computer, different OS and JRE, all with same outcome.
What I have also noted though and find this particularly strange, is that even if I add a site exception, I still get the same error.
Are there any logs or can such logging be enabled to find out exactly why the applications are not being allowed to run?
My issue was caused by mismatched information in the manifest file inside the jar and the jnlp file, my own oversight as it happens. The CODEBASE and PERMISSIONS differed, not quite sure how that happened but guess it makes sense for java security to not allow such an application to run with said differing information.
I have created a Java applet which uses DLL file included in JSSC library for communication with COM port.
When I run the applet I get security warning saying that application will run with unrestricted access and that information is unreliable or unknown source. Exactly it says:
This application will run with unrestricted access which may put your computer and personal information at risk. The information provided is unreliable or unknown so it is recommended not to run this application unless you are familiar with its source.
And to run I have to click that I accept the risk. This confirming is tiring especially if the applet is run approximately once at 2 min.
I wonder if it is possible to get rid of this confirm dialog by signing this applet with Code Signing Certificate from reliable source.
I have a java applet that does digital signing of documents. The applet is used in two separate web applications and works fine in both of them.
However following strange thing happens:
When I use the java console for debugging purposes and:
I open the applet in System A, sign a document and close (no errors);
I close the java console;
I try to sign a document with the exact same applet in system B and it throws an exception (NPE, the extracted certificate from the signature is null).
Using the applet only in system B runs normally without any errors and even more: if I repeat the exact same steps described above but without closing the console the whole thing runs as expected without any error.
What could cause such a behavior?
Since the notification mechanism seems broken to me, I ask the question here:
Q: For your signing do you use smart cards (so is some kind of hardware attached) or is everything plain software?
A: I indeed use a issued by an verified authority digital signature (which is a certificate installed on an USB drive)
Q: How does the communication with that device work - does it use JNA or JNI directly? Or is it a normal "file drive" usb? (Note you can find out if you e.g. search for jna.jar or jna*.jar)
A: No I don't use JNA/JNI. I use a normal "file drive" usb. The issue is not critical because most client won't use java console anyways
Q: Can you put your certificate on your local hard disk or "into" the Applet.jar and load it from there? Does the problem persist?
A: ?
I have created a jar and added trusted security certificate to it. This works good till Java 7 Update 21+ pops up.
From the update I see the warning message "The application contains both signed and unsigned code".
I have seen so many queries on the same problem posted here but my bad that nothing helped me.
After some random search I have seen the link,
http://www.oracle.com/technetwork/java/javase/tech/java-code-signing-1915323.html
and
http://bugs.sun.com/view_bug.do?bug_id=8016771
Explains to create index.list to jar first and then add certificate to it. Still I get the same error.
I have also seen that 'Trusted-Library' kind of things to be added in MF file. But this is going to be a security vulnerable.
Any help guys...
When i'm/others is running the JAR or the converted JAR to an EXE on they computer, they get an Malware virus message, from they antivirus program, saying the file is dangerous.
What is it, that is casuing such a problem with JARs in generel? Is there a fix for it? I have searched through google now, and i can't seem to find a solution.
The program im using to convert is JarSplice (http://ninjacave.com/jarsplice)
It's nothing dangerous java code, it's just a plain hello world application.
I'm trying to run it on a Windows machine. I've tested it on a few other Windows pcs and they are saying the exact same. Dangerous!
There could be many different reasons for this, but on Windows the most common reason is that the Jar/Exe isn't properly signed.
I would also say that probably your program is matching a signature from a known virus by some unfortunate coincidence. However a Hello World program is not likely for this to occur.