6
votes

I am developing at a company where a JNLP file is used to start a Swing web-based Java application. It has plenty of jars that are downloaded to the client's JVM cache. When I updated my JVM to its currently latest version (build 1.7.0_45-b18), I started seeing the security warning below when I try to run the JNLP file:

[Screenshot: Unknown publisher error]

After I saw this error and read this article about signing JNLP files from the Oracle site (Signing JNLP files), I added three things to the project:

  1. A JNLP-INF folder including an APPLICATION.JNLP file into all my jars except third party ones.
  2. Signing all those jars with the digital certificate+keystore bundle of my own company
  3. Importing the digital certificate into the trusted CA certificates of the JVM via the Java Control Panel.

After I made the changes above and tried to run the JNLP file after deploying the new jars, I got the following security warning message from the JVM:

[Screenshot: known publisher but still jnlp not signed error]

As you can see, the security warning's severity level has changed to a more welcoming level and the publisher's name is no longer unknown. It is the name from the certificate. Even if the warning's level is decreased, it is still a warning and I don't want my end users to see this every time. How can I solve this problem?

  1. Should I try to sign all third-party jars as well? If so, how can I do it with an Ant command? How can I extract a third-party jar, add the JNLP-INF folder to it and then repack it as a jar by using Ant?
  2. Should I also sign the final myapplication.ear file with a JNLP-INF subfolder in it? This ear file is deployed to a JBoss server.
  3. Should I add some extra lines to the META-INF/MANIFEST files in my jars?
  4. Should I be expecting Oracle to block my application from running on the JVM with this level of warning?

My JNLP file is this text:

<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="http://10.100.10.9/ikarusdelhitest/" href="ikarus.jnlp">
<information>
    <title>Ikarus</title>
    <vendor>My Company name</vendor>
    <homepage href="http://www.mycompanyname.com" />
    <description>My jnlp triggered web based enterprise software</description>
    <icon href="ikarus.ico" />
    <offline-allowed />
</information>
<security>
    <all-permissions />
</security>
<resources>
    <j2se version="1.6+" href="http://java.sun.com/products/autodl/j2se"
        java-vm-args="-Xnoclassgc -Xincgc -client -XX:DefaultMaxRAM=208M -Xms64M -Xmx256M -XX:PermSize=32M -XX:MaxPermSize=128M -XX:MinHeapFreeRatio=15 -XX:MaxHeapFreeRatio=50" />
    <jar href="jars/ikarus/ikarusClient.jar" />
    <jar href="jars/ikarus/ikarusDelegators.jar" />
    <jar href="jars/ikarus/clientRules.jar" />
    <jar href="jars/ikarus/ruleImps.jar" />
    <jar href="jars/ikarus/ikarusUtil.jar" />
    <jar href="jars/ikarus/ikarusResources.jar" />
    <jar href="jars/ikarus/domain.jar" />
    <jar href="jars/ikarus/domain_repository.jar" />
    <jar href="jars/ikarus/domain_service.jar" />
    <jar href="jars/ikarus/app_repository.jar" />
    <jar href="jars/ikarus/app_service.jar" />
    <jar href="jars/ikarus/infrastructure.jar" />
    <jar href="jars/ikarus/integration_domain.jar" />
    <jar href="jars/jboss_ejb_auth/ejb3-persistence.jar" />
    <jar href="jars/jboss_ejb_auth/jboss-ejb3x.jar" />
    <jar href="jars/jboss_ejb_auth/jbossall-client.jar" />
    <jar href="jars/jasper/commons-beanutils-1.8.0.jar" />
    <jar href="jars/jasper/commons-collections-3.2.1.jar" />
    <jar href="jars/jasper/commons-digester-1.7.jar" />
    <jar href="jars/jasper/commons-logging-1.1.jar" />
    <jar href="jars/jasper/iText-2.1.0.jar" />
    <jar href="jars/jasper/jasperreports-3.6.0.jar" />
    <jar href="jars/jasper/poi-3.2-FINAL-20081019.jar" />
    <property name="jnlp.localization" value="Delhi"/>
</resources>
<application-desc main-class="com.celebi.ikarus.main.Ikarus" />
</jnlp>

Thanks for any help/comment/brainstorming.

2
So to just check: all Jars, including the 3rd party Jars, are digitally signed with your company's certificate? If not, it would explain the "Part of the application is missing a digital signature" message. - Andrew Thompson
Yes, all the jars listed inside the JNLP are signed. But only the non-third-party ones have the JNLP-INF/APPLICATION.JNLP subfolder inside. Would this cause the problem? - ali kerim erkan
AFAIU only the main Jar requires a signed JNLP. BTW - Be sure to check the JNLP using JaNeLA. By the way, this JNLP seems to need signing because of java-vm-args, but realize that most of the memory related options can be specified in a way so that the JNLP does not need to be signed. You might experiment with those instead, to see if it works for your app. - Andrew Thompson
I don't have a main jar file that wraps the others. I am signing the JNLP file as described here: link - Is there any other way I can try to sign my jar? - ali kerim erkan
What you have struck now is a different type of error. SO works best if we deal with one problem and the solution per question. That way people searching later can more easily find answers. I have put my suggestion re. the java-vm-args as an answer. Please accept the answer & start a new question with the run-time error. Don't be discouraged, we have made progress, and I think you are very close to getting a working app. :) - Andrew Thompson

2 Answers

5
votes

This JNLP seems to need signing because of java-vm-args but realize that most of the memory related options can be specified in a way so that the JNLP does not need to be signed. I recommend you try that way instead.

Edit

JNLP was part of the Java Plug-In which was removed from browsers and deprecated by Oracle around Java 9. Use other methods to launch apps.
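
One way to act on this answer, as an added example that is not the answerer's or Oracle's code: it assumes the answer refers to the `initial-heap-size` and `max-heap-size` attributes of the JNLP `j2se` element. The hypothetical helper `move_heap_args` moves `-Xms`/`-Xmx` out of `java-vm-args` and returns the remaining flags for review without judging them.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <j2se> element from the question, argument list shortened.
SAMPLE = """<jnlp spec="1.0+" href="ikarus.jnlp">
  <resources>
    <j2se version="1.6+" java-vm-args="-Xnoclassgc -client -Xms64M -Xmx256M -XX:MaxPermSize=128M" />
    <jar href="jars/ikarus/ikarusClient.jar" />
  </resources>
</jnlp>"""

# JNLP attributes of <j2se>/<java> that express the two heap flags.
HEAP_ATTR = {"-Xms": "initial-heap-size", "-Xmx": "max-heap-size"}

def move_heap_args(jnlp_text):
    """Return (rewritten_xml, leftover_args) with -Xms/-Xmx turned into attributes."""
    root = ET.fromstring(jnlp_text)
    leftover = []
    for el in root.iter():
        if el.tag not in ("j2se", "java") or "java-vm-args" not in el.attrib:
            continue
        keep = []
        for arg in el.attrib.pop("java-vm-args").split():
            # Only plain sizes with a k or m suffix are converted.
            m = re.fullmatch(r"(-Xm[sx])(\d+[kKmM]?)", arg)
            if m:
                el.set(HEAP_ATTR[m.group(1)], m.group(2).lower())
            else:
                keep.append(arg)  # left in place for a human to review
        if keep:
            el.set("java-vm-args", " ".join(keep))
        leftover.extend(keep)
    return ET.tostring(root, encoding="unicode"), leftover
```
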

3
votes

I believe you are getting this warning because you are requesting the JNLP to run with full permissions, and the user needs to know about that.

If your application doesn't need to access critical resources (for instance write to the hard drive), you can run your application in sandbox mode by replacing the following:

<security>
    <all-permissions />
</security>

by

<security>
    <sandbox />
</security>

as documented in http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/manifest.html

You can also remove it as sandbox is the default value.
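
An added check, not part of the question or either answer, for the state discussed in the comments and in this answer: for each jar the JNLP references it reports whether signature files are present, whether `JNLP-INF/APPLICATION.JNLP` is embedded, and whether the manifest `Permissions` attribute from the linked Oracle page agrees with the `<security>` element. The jars, the `MYCO` signer name and all function names are constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

SAMPLE_JNLP = """<jnlp spec="1.0+" href="ikarus.jnlp">
  <security><all-permissions /></security>
  <resources>
    <jar href="jars/ikarus/ikarusClient.jar" />
    <jar href="jars/jasper/iText-2.1.0.jar" />
  </resources>
</jnlp>"""  # constructed sample, cut down from the JNLP in the question

def make_jar(manifest, signed=True, jnlp_inf=False):
    """Build a constructed in-memory jar; its signature files are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:  # jarsigner adds a .SF file and a .RSA/.DSA/.EC block
            z.writestr("META-INF/MYCO.SF", "Signature-Version: 1.0\r\n")
            z.writestr("META-INF/MYCO.RSA", b"placeholder")
        if jnlp_inf:
            z.writestr("JNLP-INF/APPLICATION.JNLP", SAMPLE_JNLP)
    return buf.getvalue()

def audit_jar(data):
    """Presence checks only; `jarsigner -verify` decides if a signature is valid."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = [n.upper() for n in z.namelist()]
        manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    main = manifest.replace("\r\n", "\n").split("\n\n")[0].splitlines()  # main section only
    attrs = {k.lower(): v.strip() for k, v in (l.split(":", 1) for l in main if ":" in l)}
    exts = {n.rsplit(".", 1)[-1] for n in names if n.startswith("META-INF/")}
    return {"signed": "SF" in exts and bool(exts & {"RSA", "DSA", "EC"}),
            "jnlp_inf": "JNLP-INF/APPLICATION.JNLP" in names,
            "permissions": attrs.get("permissions")}

def audit_app(jnlp_text, jars):
    """Return (href, problem) findings for a JNLP and its {href: jar bytes} map."""
    root = ET.fromstring(jnlp_text)
    wanted = "all-permissions" if root.find("security/all-permissions") is not None else "sandbox"
    reports = {j.get("href"): audit_jar(jars[j.get("href")]) for j in root.iter("jar")}
    findings = []
    for href, r in reports.items():
        if not r["signed"]:
            findings.append((href, "no signature files in META-INF"))
        if r["permissions"] != wanted:
            findings.append((href, "Permissions=%s, JNLP requests %s" % (r["permissions"], wanted)))
    if not any(r["jnlp_inf"] for r in reports.values()):
        findings.append(("*", "no jar carries JNLP-INF/APPLICATION.JNLP"))
    return findings
```
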