Re: JNLP signing requirement.



On Jun 11, 2013, at 11:54 PM, Andrew Herron wrote:


On Tuesday, 11 June 2013 at 8:25 PM, Michael Hall wrote:

On Jun 10, 2013, at 8:20 AM, Steve Kann wrote:
Are you talking about Java 6 or 7?
This actually has nothing to do with Java itself, technically. From what I can see, Gatekeeper blocking is done at the application launch layer, so before the OS even attempts to launch the JNLP (regardless of the Java version) it requires a valid signature.


On Jun 10, 2013, at 8:20 AM, Steve Kann wrote:

We've been able to determine that you can sign a jnlp file with codesign, using the "Developer ID Application" Certificate, like this:
codesign --sign "Developer ID Application: " foo.jnlp

The result from this operation seems to pass Gatekeeper on the local machine. However, it seems like the signature gets stored as extended HFS attributes, and as a result, it is not transmitted if a user fetches the file from an HTTP transaction.

My understanding of what Steve is saying is that the Gatekeeper mechanism appears to attach a security signature to the JNLP file as an extended attribute.

man xattr

When the JNLP is uploaded/downloaded with HTTP this associated signature meta information is lost.
I would think one possible solution would be to reset the signature on the client machine after download, either with the xattr command above or, like I said, I could give you Java 7 NIO.2 file attributes that set file extended attributes.

My apologies if I'm understanding any of this incorrectly.

Somehow, you or Safari or Java, someone, would have to reattach post-download. This is what I'm not sure would be possible. If Gatekeeper will even allow you at all to reset the signature before normal launch.

Michael Hall



AppConverter convert Apple jvm to openjdk apps http://www195.pair.com/mik3hall/index.html#appconverter
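
Added example, not part of the original messages: a shell check for whether a signature kept in extended attributes is still attached to a file, and a comparison against a content-only copy, which is all an HTTP response body carries. The `com.apple.cs.` attribute prefix is an assumption not stated in the thread, and the sample listings are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: codesign keeps the signature
# of a non-Mach-O file such as a .jnlp in extended attributes named com.apple.cs.*

# Read attribute names on stdin (one per line, as printed by `xattr FILE`)
# and print only the code-signature ones.
signature_attrs() {
    grep '^com\.apple\.cs\.' || true
}

# Classify a listing of attribute names as "signed" or "unsigned".
signature_state() {
    if [ -n "$(signature_attrs)" ]; then echo signed; else echo unsigned; fi
}

# macOS only: compare a file with a copy of its bytes alone.
compare_after_transfer() {
    src=$1
    copy=$(mktemp) || return 1
    cat "$src" > "$copy"                      # bytes only, no metadata
    echo "original: $(xattr "$src"  | signature_state)"
    echo "copy:     $(xattr "$copy" | signature_state)"
    cmp -s "$src" "$copy" && echo "file contents identical"
    rm -f "$copy"
}

# Constructed sample listings, for hosts without the xattr tool.
SAMPLE_SIGNED='com.apple.cs.CodeDirectory
com.apple.cs.CodeRequirements
com.apple.cs.CodeSignature
com.apple.quarantine'
SAMPLE_DOWNLOADED='com.apple.quarantine'

# Usage: sh check.sh foo.jnlp
if [ $# -gt 0 ]; then
    compare_after_transfer "$1"
fi
```

Identical contents with a differing signature state is the situation the thread describes: the file arrives intact, but the metadata that carried the signature does not.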





Java-dev mailing list      (email@hidden)