Mailing Lists: Apple Mailing Lists
Image of Mac OS face in stamp
Re: JNLP signing requirement.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: JNLP signing requirement.




I'm surprised that nobody else on this list is interested in this problem.   I'm sure I've seen other developers who rely on Java Web Start here.     There's a little discussion on stackoverflow about this, here, but I'll post the gist below if anyone has any ideas:

http://stackoverflow.com/questions/16958130/how-to-sign-dynamic-jnlp-files-for-osx-10-8-4-and-gatekeeper

We've been able to determine that you can sign a jnlp file with codesign, using the "Developer ID Application" Certificate, like this:
codesign -f -s "Developer ID Application: " foo.jnlp

The result from this operation seems to pass Gatekeeper on the local machine. However, it seems like the signature gets stored as extended HFS attributes, and as a result, it is not transmitted if a user fetches the file from a HTTP transaction.

It might work if you took the .jnlp file, and packaged it in some kind of container, like a .dmg or maybe a .tar.gz, however, that's both a lot of work, and it provides a fairly challenging user experience.

Anyone have any idea how one might transport a codesigned jnlp, to a user via HTTP, /without/ the user needing to manually unpack an archive of some sort?

-SteveK


On Jun 5, 2013, at 5:40 PM, Steve Kann <email@hidden> wrote:


Just noticed this tidbit from 10.8.4 -- and have started hearing from some users about it.
  • Note: Starting with OS X v10.8.4, Java Web Start (i.e. JNLP) applications downloaded from the Internet need to be signed with a Developer ID certificate. Gatekeeper will check downloaded Java Web Start applications for a signature and block such applications from launching if they are not properly signed.

Is there more documentation about this requirement available?   Is an Apple Developer ID Certificate required, or will a normal Code Signing certificate (as used to sign .jar files) suffice?

Was there any notice about this on these lists?

-SteveK




 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Java-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden

References: 
 >JNLP signing requirement. (From: Steve Kann <email@hidden>)



Visit the Apple Store online or at retail locations.
1-800-MY-APPLE

Contact Apple | Terms of Use | Privacy Policy

Copyright © 2011 Apple Inc. All rights reserved.