Java 7 Manifest Security Changes

4
votes

With recent changes to Java 7s security checks, I'm updating our webstart application to allow it to run without warnings.

Our webstart application consists of a number of jar files, only a few of which are developed by us, we use a number of 3rd party jar files (log4j, swingx, ...)

Our previous setup used a self signed certificate, with which we signed all jar files. We have now purchased a signing certificate from a proper CA.

The steps I've taken so far are:

  • Unpack the jar files
  • Strip out old certificates (remove *.DSA *.SF *.RSA and hashes from the manifest) from all jar files
  • Re-package jar files
  • Add Permission, Codebase, Application-Name attributes to the jar file which contains our main class.
  • Sign jar files with the new key

Running this in webstart on a machine with Java 7 u45 gives no warning dialog, which is great.

However, looking in the java console, I see that it is warning about missing Permission, Codebase, Application-Name attributes for all jar of the other jar files. Should I also be adding these attributes to every jar file?

I'm already uneasy with repackaging 3rd party jar files, but now having to add manifest attributes too makes me feel I've missed something.

So, change manifests, or something else? Thanks, and Merry Christmas

Edit: Thanks for the useful responses, I just wanted to update this with some details of the solution I have implemented.

I take the following steps to repackage each jar file required by the application. - Unpack the jar file to a temporary directory
- Remove *.DSA *.RSA *.SF from META-INF
- Remove lines from META-INF/MANIFEST.MF which start with
- SHA-256-Digest
- SHA1-Digest
- Permissions
- Codebase
- Application-Name
- Insert lines into META-INF/MANIFEST.MF
- Permissions: all-permissions
- Codebase: *
- Application-Name: MY APP NAME
- Ensure all line endings in MANIFEST.MF are appropriate for my system (dos2unix)
- Recreate the jar file with the new manifest specified
- Sign the jar file with the current code signing certificate

Hope that helps

1
javajarjava-web-start
"I'm already uneasy with repackaging 3rd party jar files, but now having to add manifest attributes too makes me feel I've missed something." An update to the API? - Andrew Thompson
Andrew, Are you saying this is the way it is now, and repackaging jar files is the way it should now be done? Thanks. - jasg
"this is the way it is now, and repackaging jar files is the way it should now be done" Yes. - Andrew Thompson

1 Answers

1
votes

Yes, you need to add the Permission, Codebase, and Application-Name manifest attributes to every .jar used by your app. This is the main app .jar plus all the 3rd party library .jars as well.

See this answer https://stackoverflow.com/a/19659135/963076 to another SO question.

It is good that you feel uneasy. As I understand it, adding things to the manifests of 3rd party libraries is a violation of the GNU license agreements attached to almost all libraries. I have been scratching my head as Oracle has been releasing these updates as to what they were thinking. Why should a 3rd party library need to designate a JNLP Codebase? Do they know they're forcing us to violate the license agreements of these 3rd party libraries?

But, alas, if you want those warnings to go away and, even more, want your app to work in future Java updates, you must. The truth is, if you use an IDE like Netbeans then it is already repackaging and resigning your 3rd party library .jars anyways. So you won't be breaking any rules your IDE isn't breaking already.