Re: JNLP signing requirement.
Michael Hall wrote:

> On Jun 10, 2013, at 8:20 AM, Steve Kann wrote:
>
>> We've been able to determine that you can sign a jnlp file with codesign, using the "Developer ID Application" Certificate, like this:
>> codesign -f -s "Developer ID Application: " foo.jnlp
>
> I might have been confusing the use of extended attributes in this process in my previous post.
> It is apparently the quarantine attribute on downloaded files that sets this attribute.
> As near as I can tell, checking now, extended attributes are not used for the codesign signature.
> I saw this…
>
> Signed code contains several digital signatures:
>
>       • If the code is universal, the object code for each slice (architecture) is signed separately. This signature is stored within the binary file itself.
>       • Various components of the application bundle (such as the Info.plist file, if there is one) are also signed. These signatures are stored in a file called _CodeSignature/CodeResources within the bundle.
>
> Here…
> https://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html#//apple_ref/doc/uid/TP40005929-CH3-SW3
>
> Neither of which appear to apply for a jnlp file.
> Curious, when you say this worked on the local machine where did the signature go?
>
> I was thinking one possibility for this would be to keep the jnlp signature in a file separate on the server. For <MyApp>.jnlp have the associated signature as <MyApp>.sig or something.
> Java Web Start when it starts running could parse the server URL out of the jnlp download and attach the signature. Again, thinking extended attributes was the mechanism, this might not have been all that tough. But what is the mechanism? Where did your signature go?
>
> This probably wouldn't do anything for you on dynamic jnlp either. Since a change in the jnlp should mean generating a new signature.

There is a command line tool named "xip" that is used to create a secure, signed archive (similar to gzip, jar or tar archives). Apparently, if you use it on your JNLP file, deploying such an archive in place of the JNLP file is expected to work, at least when downloading to a 10.8.4 Mac (xip is present on my 10.7.5 Mac, so it might work for 10.7 users as well). I'm not sure what MIME type the web server should provide for the archive, but it is probably not "application/x-java-jnlp-file". I couldn't find any documentation on the net about the xip file format, or on whether the tool is available on platforms other than OS X (there are multiple formats with the ".xip" suffix, including X-box config and HP "execute-in-place" files, that are clearly different). Even if it is available for Linux, signing dynamically generated JNLPs on the fly as they go out on the wire from the web server is problematic for performance, scalability and security reasons.