Java Applet is signed by Comodo and looks fine. It starts as per picture:
I am not allowed to post pictures so I will try to describe it. The Java Applet starts and it says, "the publisher name is verified and the digital signature for this application was generated with a certificate from a trusted authority"
but when I press on "run" the following is popped up straight away:
"The publisher name is unknown. There is no digital signature for this application."
and the security warning as per picture above pops up all the time the applet is accessed / started. I tried cleaning Java cache and browsers' cache but no joy. I also tried re-installing Java completely to make it thoroughly clean "vanilla" but no dice either. The certificates are not expired, their validity is up to March 2016. I even tried importing the certs into Java's keystore but it did not help. Java is version 8 update 45 (build 1.8.0_45-b15) and it's run on Windows 8. Could anybody suggest anything, please as I am completely lost... Many thanks in advance!
In other words in order to get to the applet I have to click through the warning each time the applet is accessed..
Related
I would really like to know if it is even possible to run a self-signed java applet in Java 8. I have tried everything possible except buying a certificate and I my self-signed applet gets blocked every time. I can only just make it accessible if I add an exception in Java Security Settings but Ive never had to do that for anything else and what user is actually going to go to that much trouble. Im using applets because I want to embed a DosBox on my site... But Im beginning to think that Java 8 just can't do self-signed applets, period.
Can anyone else manage to get their self signed applet through security? I'm about to lose my mind with this to be honest.
Self-signed certificates are not trusted, by definition. You have two choices:
Buy a code signing certificate.
Have the user adjust his Java Security Settings, or trust the publisher via the popup dialog.
This is how the system is designed and intended to work. It's been that way for 20 years.
With the Java 8 security update, uploading a java application onto a webpage has been a nightmare. Self-signing is no longer a valid option (as it appears to me). I have recently bought a GeoTrust RapidSSL certificate in hopes that the website will be secured enough for Java not to block the application, but hasn't been like that (its been so confusing all-round).
My webhost setup the ssl so its there, website uses https. But the second area needs to be configured (I'm thinking by me), it wants me to choose the 'Web Server Type' which I believe its CPanel & WHM and underneath 'CSR' (image: http://postimg.org/image/jdnjjt6gr/).
Now I use Eclipse, and I installed this Keytool plugin (link: http://marketplace.eclipse.org/content/keytool) which allows me to create a keystore & csr (I really have no idea what a keystore, keytool, csr and jks are; I tried to study them on docs and available websites but its just all confusing). When i tried to create a simple one it gave me a bunch of numbers which Im presuming is encrypted with a Begin and a End on its borders (top and bottom).
I'm really confused on what I need to do, I just want to get my application running - I'm just really annoyed by this security block. What can I do? or What am I supposed to do? & Could anyone briefly explain what keystore, keytool, csr and jks are briefly?
Thanks in advance. If you could simplify things and/or give examples, that would be extremely helpful.
I'm deploying an application using JAWS, and it worked until late 2013 when I got a warning, and then this morning Java completely blocked it. The message in French is:
Application bloquée par les paramètres de sécurité
Vos paramètres de sécurité ont bloqué l'exécution d'une application auto-signée avec une version obsolete ou arrivée à expiration de Java.
which would translate roughly as:
Application blocked by the security settings
Your security settings have blocked from running an application that has been self-signed with an obsolete or outdated Java.
The grammar is not that clear, the end of the sentence could be read as either:
...blocked a self-signed application from running with an obsolete or outdated Java [runtime], meaning that the local runtime is too old, but the self-signature is fine
...blocked an application that has been self-signed with an obsolete or outdated Java [compiler], meaning that the Java compiler used is too old
I searched online for the exact same message in English, but I couldn't find it. So the grammar is still unclear. Note that on the message there is no Name: xyz / From: http://url/, there's only the text I typed above, and a blue "i" icon.
Now, I don't really understand the exact meaning of this error message, but I know that there is an issue because my JAR files are all self-signed. I have already faced this on other Windows clients, and it was easy:
I extracted a .cer certificate from my keystore;
Downloaded it on the client machine, open it;
Made the customers install it as a trusted source on their local machine.
It worked like a charm on my test setup and for one customer, but another one still has the issue and cannot run my software.
This is a big issue from me, and I don't know what to do. Should I upgrade my Java compiler, recompile everything, sign every JAR file again and cross fingers? How can I make that Windows box trust my certificate and let the Java application run?
Just Go To *Startmenu >>Java >>Configure Java >> Security >> Edit site list >> copy and paste your Link with problem >> OK
Problem fixed :)*
SERIOUS DISCLAIMER
This solution has a serious security flaw. Please use at your own risk.
Have a look at the comments on this post, and look at all the answers to this question.
OK, I had to go to the customer premises and found a solution. I:
Exported the keystore that holds the signing keys in PKCS #12 format
Opened control panel Java -> Security tab
Clicked Manage certificates
Imported this new keystore as a secure site CA
Then I opened the JAWS application without any warning. This is a little bit cumbersome, but much cheaper than buying a signed certificate!
I was having the same issue. So I went to the Java options through Control Panel. Copied the web address that I was having an issue with to the exceptions and it was fixed.
I had the same problem, but i solved it from Java Control Panel-->Security-->SecurityLevel:MEDIUM.
Just so, no Manage certificates, imports ,exports etc..
With the new release of OS X 10.8, the Gatekeeper will popup the following warning, when you try to start a signed Java applet:
The applet has been signed with a valid code signing certificate and will work correctly on other platforms as well as previous versions of OS X. If I change "Allow applications downloaded from:" to "Anywhere", it works correctly.
As far as I can figure out "The digital signature could not be verified", actually means something like "the signature has not been made with a Mac Developer ID".
So: Can I sign Java applets with a Mac Developer ID? Can I sign it with both a Mac Developer ID and a standard code signing certificate? Is there a better approach?
Here's the answer that I got from Apple Developer Technical Support:
Thank you for your patience while we investigated this.
The alert is presented by Java, not by Gatekeeper. However, you're
correct that the verification logic was changed on OS X Mountain Lion.
For a while now, users have been presented with this alert when
running a signed applet, because signed applets can escape the Java
sandbox and make unexpected changes to the user's system. Users have
the option to check the "Allow all applets from " box if
they trust the developer and thus they won't see the alert again
unless they remove the item from the Java Security preferences.
What's changed in Mountain Lion is that the verification alert now
basically means that the applet's signature is valid, but the applet
is from an unidentified developer and is trying to escalate privileges
when Gatekeeper is enabled and the user has to decide whether to allow
that.
"Unidentified developer" means a source other than the Mac App Store
or a Developer ID-identified developer. Note that Java applets cannot
participate in the Developer ID program.
If Gatekeeper is set to trust only Mac App Store apps, then you will
not be able to add the applet to the trusted list unless you add the
applet's certificate to the keychain using the sheet that appears
after clicking Show Details.
Unsigned applets are not allowed to escape the Java sandbox at all.
This is consistent with Gatekeeper's treatment of native Mac apps;
apps from unidentified developers are not allowed to run by default.
If you'd like to see the wording of the alert changed, please file a
bug report at https://developer.apple.com/bugreporter.
This basically means that there is no way to sign the applet in such a way that you can avoid this message to be shown. I filed a bug report to Apple saying that I want the wording of the message to be changed not to contain words like UNIDENTIFIED, UNVERIFIED, INSECURE... because that's the whole point of signing the applets, so that the users can feel all warm and cosy inside when they need to allow the applet to run, to assure them that what they are about to allow is OK and verified and it won't do any harm to their computer, and we need to show it on a place where it will be visible, to poke their eyes with it.
You answered your own question.
Gatekeeper considers that certificates / signatures not issued by Apple are not trusted.
Apple Documentation will tell you how to export your certificate. You can then use it as usual.
The codesign command may also do the trick.
I have developed an applet. But when my browser fetches it from the webserver it pops a security warring. I don't want this message to come. Meaning applet should run without the end users permession. How can I do that? Do I need to get my applet signed? If yes, from where can i get it signed? What's the cost of geting it signed?
Your description might relate to a number of problems, such as the code trying to do things which require trust. That does not sound like the case in this instance. If your unsigned code tried to do things that required trust, it would not prompt the user at start-up, but either prompt them when the trusted action is attempted (e.g. for cross site access in later JREs) or just fail with an AccessControlException or similar.
It could be that your applet uses multiple Jars and has run into the mixed code restrictions introduced in Java 1.6.0_20. But the symptoms do not sound quite right for that either.
Is your applet publicly available? What is the URL where I/we can visit it?
As an aside, if your applet tries to break out of the security sand-box, it must be trusted. That means the code must be digitally signed, and OK'd by the end user at the prompt. There is no way around it.
But it does not require a code signing certificate issued from a CA. You can roll your own code signing certificate using the tools of the SDK. I have a few small demos. of code projects that compile and build code before signing it.
You need to get yourself a code-signing certificate. Probably by some "well-known" CA if you want to avoid all warnings. The certificate itself costs money, but once you have it, you can use it to sign as many applets as you want (you do the signing yourself).