Signing jars for java.net Web Start applications

Posted by kirillcool on May 20, 2005 at 3:22 AM PDT

It's common these days to provide a Web Start version of your application that can run on a machine without the need to download the bundle distribution manually. If your application needs special access privileges, you will need to sign your jar file(s) and then ask the user to allow installing this application. Here are the basic steps to do the job.



First, you need to create a key store. For this, run the following command:

keytool -genkey -keystore jaxb.keys -alias https://jaxb-workshop.dev.java.net/ -validity 365

The command takes three parameters. The first one (-keystore) is the name of the key store, a local file that will hold key pairs. The second one (-alias) is a symbolic name for your key (that will be created in the key store). The last parameter (-validity) is the number of days that your key will be valid (90 by default). Follow the simple sequence of prompts, and don't forget to write down the password to the key store and to the key itself (in case they are different).

Now, you need to make sure that all jar files in your application that need privileges are signed. Here is how you sign a single file:

jarsigner -keystore jaxb.keys -storepass **** jaxb-api.jar https://jaxb-workshop.dev.java.net/

Here, you provide the name of the key store and its password as the first two parameters, the name of the jar file you want to sign as the third parameter, and the key alias as the fourth parameter. Repeat the above step for all your jar files.

Now it's time to create a JNLP descriptor file for your Web Start application. Here is a simple file:

<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="https://jaxb-workshop.dev.java.net/webstart/" href="wizard.jnlp">
   <information>
      <title>XJC Wizard</title>
      <vendor>https://jaxb-workshop.dev.java.net/</vendor>
      <description>Wizard frontend for XJC generator</description>
      <description kind="short">Wizard frontend for XJC generator</description>
      <offline-allowed/>
   </information>
   <security>
      <all-permissions/>
   </security>

   <resources>
      <j2se version="1.5+"/>
      <jar href="jaxbw.jar"/>
      <jar href="substance.jar"/>
      <jar href="jaxb-api.jar"/>
      <jar href="jaxb-impl.jar"/>
      <jar href="jaxb-xjc.jar"/>
      <jar href="jsr173_api.jar"/>
      <jar href="activation.jar"/>
   </resources>
   <application-desc main-class="org.jvnet.jaxbw.xjcfe.wizard.WizardMainFrame"/>
</jnlp>

Note that here we asked for all permissions for our application.

All that is left to do is upload all the jar files and the JNLP file to the CVS repository under www and put the JNLP URL on your page. Unfortunately, this is not all. When you run the above JNLP, you will get the following Web Start exception:

JAR resources in JNLP file are not signed by same certificate

The reason for this is simple: one of the jar files that you are using was already signed by another party. Here is the way to find it:

jarsigner -certs -verbose -verify activation.jar

You will see a long list of certificates (one for each file). This means that this specific jar was signed by another party (Sun in our case). The solution for the problem is simple: put this jar in a separate JNLP and reference it in your main JNLP:

<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="https://jaxb-workshop.dev.java.net/webstart/" href="activation.jnlp">
   <information>
      <title>Activation</title>
      <vendor>Sun Microsystems, Inc.</vendor>
      <offline-allowed/>
   </information>
   <resources>
      <jar href="activation.jar"/>
   </resources>

   <component-desc/>
</jnlp>

As you can see, we don't ask for permissions, as this specific jar doesn't need them. Then, you reference this activation.jnlp in your main JNLP:

<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="https://jaxb-workshop.dev.java.net/webstart/" href="wizard.jnlp">
   <information>
      <title>XJC Wizard</title>
      <vendor>https://jaxb-workshop.dev.java.net/</vendor>
      <description>Wizard frontend for XJC generator</description>
      <description kind="short">Wizard frontend for XJC generator</description>
      <offline-allowed/>
   </information>
   <security>
      <all-permissions/>
   </security>
   <resources>
      <j2se version="1.5+"/>
      <jar href="jaxbw.jar"/>
      <jar href="substance.jar"/>
      <jar href="jaxb-api.jar"/>
      <jar href="jaxb-impl.jar"/>
      <jar href="jaxb-xjc.jar"/>
      <jar href="jsr173_api.jar"/>
      <extension name="activation" href="activation.jnlp"/>
   </resources>
   <application-desc main-class="org.jvnet.jaxbw.xjcfe.wizard.WizardMainFrame"/>
</jnlp>
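
A pre-upload check for the mixed-signer problem described above, as an added example that is not part of the original post: it lists the jars a JNLP references and labels each one by the signature files found in its META-INF directory. It assumes jarsigner's default signature file naming (derived from the key alias) and compares names only, so jarsigner -verify remains the authoritative check; the function names, the sample jars and the SAMPLE signer name are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Signature block files that jarsigner writes next to the .SF file.
SIG_BLOCK = re.compile(r"^META-INF/([^/]+)\.(RSA|DSA|EC)$", re.IGNORECASE)

def sigfile_base(alias):
    """jarsigner's default .SF base name: first 8 alias chars, upper-cased, others -> '_'."""
    return re.sub(r"[^A-Z0-9_-]", "_", alias[:8].upper())

def signer_names(jar_bytes):
    """Base names of the signature block files found inside one jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        hits = (SIG_BLOCK.match(name) for name in jar.namelist())
        return {m.group(1).upper() for m in hits if m}

def preflight(jnlp_text, jars, alias):
    """Label each <jar href> 'ours', 'unsigned' or 'foreign'; jars maps href -> bytes."""
    expected, report = sigfile_base(alias), {}
    for el in ET.fromstring(jnlp_text).iter("jar"):
        names = signer_names(jars[el.get("href")])
        if not names:
            status = "unsigned"   # still has to be signed with jarsigner
        elif names == {expected}:
            status = "ours"
        else:
            status = "foreign"    # candidate for its own extension JNLP
        report[el.get("href")] = status
    return report

def make_jar(sig_base=None):
    """Constructed sample jar; its signature entries are empty placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for ext in ("SF", "RSA") if sig_base else ():
            jar.writestr(f"META-INF/{sig_base}.{ext}", "")
    return buf.getvalue()

ALIAS = "https://jaxb-workshop.dev.java.net/"  # alias used in the post
SAMPLE_JNLP = ('<jnlp spec="1.0+"><resources><jar href="jaxbw.jar"/>'
               '<jar href="jaxb-api.jar"/><jar href="activation.jar"/></resources></jnlp>')
SAMPLE_JARS = {"jaxbw.jar": make_jar(sigfile_base(ALIAS)), "jaxb-api.jar": make_jar(),
               "activation.jar": make_jar("SAMPLE")}  # "SAMPLE" is a constructed signer name

if __name__ == "__main__":
    print(preflight(SAMPLE_JNLP, SAMPLE_JARS, ALIAS))
```

Any jar reported as foreign is one to confirm with jarsigner -certs -verbose -verify and then move into its own extension JNLP, as done for activation.jar above.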