oh masters of the monkey code,
i am kinda stuck at the beginning. i am getting started with jME on top of lwjgl, i use xCode in Mac OSX 10.5.2 with java version "1.5.0_13"
Java™ 2 Runtime Environment, Standard Edition (build 1.5.0_13-b05-237). i have a little barebones, silly webstart app that runs fine. i then add any of the jme jars to the project, i don't call anything in it, i don't even think about jme - but the app fails to run with the following security issue
com.sun.deploy.net.JARSigningException: Could not verify signing in resource: http://localhost/~huber/jME_signed.jar
at com.sun.deploy.cache.CacheEntry.writeManifest(CacheEntry.java:1119)
at com.sun.deploy.cache.CacheEntry.writeFileToDisk(CacheEntry.java:797)
at com.sun.deploy.cache.Cache.downloadResourceToCache(Cache.java:524)
at com.sun.deploy.net.DownloadEngine.actionDownload(DownloadEngine.java:947)
at com.sun.deploy.net.DownloadEngine.getCacheEntry(DownloadEngine.java:1059)
at com.sun.deploy.net.DownloadEngine.getResourceCacheEntry(DownloadEngine.java:1134)
at com.sun.deploy.net.DownloadEngine.getResourceCacheEntry(DownloadEngine.java:1068)
at com.sun.deploy.net.DownloadEngine.getResource(DownloadEngine.java:142)
at com.sun.javaws.LaunchDownload.downloadJarFiles(LaunchDownload.java:826)
at com.sun.javaws.LaunchDownload.downloadEagerorAll(LaunchDownload.java:742)
at com.sun.javaws.Launcher.downloadResources(Launcher.java:1165)
at com.sun.javaws.Launcher.prepareLaunchFile(Launcher.java:540)
at com.sun.javaws.Launcher.prepareToLaunch(Launcher.java:157)
at com.sun.javaws.Launcher.launch(Launcher.java:95)
at com.sun.javaws.Main.launchApp(Main.java:302)
at com.sun.javaws.Main.continueInSecureThread(Main.java:212)
at com.sun.javaws.Main$1.run(Main.java:107)
at java.lang.Thread.run(Thread.java:637)
my webstart app runs fine before i add the jme jar. to do this my build.xml first compiles and builds the jar.
<target name="compile" depends="init" description="Compile code">
    <javac srcdir="${src}" destdir="${bin}"
           source="1.5" target="1.5"
           includeAntRuntime="no"
           classpathref="lib.path"
           debug="${compile.debug}">
    </javac>
</target>
<target name="build-jar" depends="compile" description="Build jar">
    <jar jarfile="${jarfile}"
         basedir="${bin}"
         manifest="${resources}/Manifest">
        <!-- Merge library jars into final jar file -->
        <zipgroupfileset refid="lib.jars"/>
    </jar>
</target>
i then check for a private key
<!-- See if we already have a private key for this user in ~/.keystore. -->
<!-- Note: This tests for an output string of "does not exist", this
     assumes the locale is set to English and will not work for Spanish
     or other languages. -->
<target name="checkforkey" depends="build-jar" description="Generate private key">
    <exec executable="/usr/bin/keytool" resultproperty="keytool.result" failonerror="false">
        <redirector outputproperty="keytool.output" logError="false"/>
        <arg value="-list"/>
        <arg value="-alias"/>
        <arg value="${user.name}"/>
        <arg value="-storepass"/>
        <arg value="changeit"/>
    </exec>
    <!-- Set the property createPrivateKey, used in genkey below, if there is no key -->
    <condition property="createPrivateKey">
        <not>
            <equals arg1="${keytool.result}" arg2="0"/>
        </not>
    </condition>
</target>
i then generate a key if there isn't one already
<!-- If createPrivateKey is set we need to call genkey. -->
<target name="genkey" depends="checkforkey" if="createPrivateKey">
    <echo message="Creating a new key because keytool returned: ${keytool.output}"/>
    <genkey alias="${user.name}" storepass="changeit" >
        <dname>
            <param name="CN" value="${user.name}"/>
            <param name="OU" value="Kids Fun Zone"/>
            <param name="O" value="SugarRidgePrairie"/>
            <param name="C" value="US"/>
        </dname>
    </genkey>
</target>
i then sign the .jar file with
<!-- Sign the JAR with the key generated above. -->
<target name="sign-jar" depends="genkey" description="Sign JAR file">
    <!-- Note that the storepass is cleartext, and the keystore is assumed to be
         ~/.keystore. You may wish to just use .SF or .DSA files directly -->
    <signjar jar="${jarfile}"
             alias="${user.name}"
             storepass="changeit"
             keystore="${user.home}/.keystore"
             signedjar="${signed.jarfile}"/>
</target>
i then put the package together and run
<target name="package" depends="sign-jar" description="Put all the pieces together in the dist directory">
    <mkdir dir="${dist}"/>
    <!-- Copy jar -->
    <copy toDir="${dist}">
        <fileset dir="${jars}">
            <include name="*_signed.jar"/>
        </fileset>
    </copy>
    <!-- Copy the JNLP -->
    <copy file="${jnlp.file}" todir="${dist}"/>
    <!-- Copy the HTML -->
    <copy file="${html.file}" todir="${dist}"/>
</target>
<!-- Install onto your local machine for testing: You will need to turn on Web Sharing in System Preferences. -->
<target name="install" depends="package" description="Put all the pieces together in the dist directory">
    <!-- Copy to your home directory's Sites folder -->
    <copy todir="${user.home}/Sites">
        <fileset refid="installed.files"/>
    </copy>
</target>
so, this works until i add any of the jme.jar files to the project which invariably gets me the security exception. is it possible that the jme jars come signed with a key already and that i am not allowed to assign a key to the merged package once it is merged in?
your insight is greatly appreciated …
You’ll have to either sign all jars linked in your jnlp file with the same key, or link the externally signed jars as an <extension> instead of <jar> in the jnlp.
For more info on the “sign all jars the same” way see the wiki.
howdy,
thanks for the input. i got to try a bunch of things, albeit, none resulted in a solution
attempt 1: i first try to sign the jme jars according to instructions at "Deploying jME Applications with Webstart" wiki. in my terminal i type
keytool -genkey -alias key_name
and it promptly asks me
Enter keystore password:
i have no clue where i get that password, it is not the normal admin pass. is there a trick to this? i had to abandon this approach for now
attempt 2: then i try to sign the jar files within build.xml. i have the jme.jar in my lib folder. i want to sign it, name it jme-signed.jar, and save the signed jar to the jar folder where it will be merged with the rest of the jars. so i first set the file as a property
<property name="jme.jarfile" location="${libs}/$jme.jar"/>
<property name="signed.jme.jarfile" location="${jars}/$jme_signed.jar"/>
i then go to the section that already signs the current application jar and i just add <signjar … >for the jme.jar as follows
<!-- Sign the JAR with the key generated above. -->
<target name="sign-jar" depends="genkey" description="Sign JAR file">
    <!-- Note that the storepass is cleartext, and the keystore is assumed to be
         ~/.keystore. You may wish to just use .SF or .DSA files directly -->
    <signjar jar="${jarfile}"
             alias="${user.name}"
             storepass="changeit"
             keystore="${user.home}/.keystore"
             signedjar="${signed.jarfile}"/>
    <signjar jar="${jme.jarfile}"
             alias="${user.name}"
             storepass="changeit"
             keystore="${user.home}/.keystore"
             signedjar="${signed.jme.jarfile}"/>
</target>
during compile i get the error "jarsigner returned: 1" and i am really flying in the dark on this. so i had to abandon this approach as well.
attempt 3: put it together into the jnlp as an <extension> instead of as a <jar>. in the jnlp file i add the jme.jar to the list of resources
<resources>
    <j2se version="1.4+"/>
    <jar href="jMEApp_signed.jar"/>
    <extension name="jme" href="jme.jar"/>
</resources>
i then copy it to my home directory apache sites folder along with the *.html and the *.jnlp. When i start the jnlp the webstart app starts to download then reports that it is unable to launch. it then hangs up when i try to get more detail on why it was unable to launch. strike three …
the presence of a lot of will and determination has for now been unable to overcome an even greater shortage of competence.
help on any of the above approaches, pointers to useful pages/instructions, or just plain handholding would be greatly appreciated …
lobsterman said:
attempt 1: i first try to sign the jme jars according to instructions at "Deploying jME Applications with Webstart" wiki. in my terminal i type
keytool -genkey -alias key_name
and it promptly asks me
Enter keystore password:
i have no clue where i get that password, it is not the normal admin pass. is there a trick to this? i had to abandon this approach for now
you have to define what the password is :)
the sun website has some good tutorials for all kinds of things
http://java.sun.com/docs/books/tutorial/security/toolsign/step3.html
Also, yes, the jme jars may already be signed. Go into each jar (easiest way is to rename it *.zip). Look in the META_INF directory and delete all files in there. You could probably script this, but have a look anyway.
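An added example (not from the thread or the jME project) of the check suggested above: it lists the signature files a jar already carries and writes a copy without them, keeping the main section of MANIFEST.MF instead of emptying META-INF. The function names and the sample jar are constructed for illustration.

```python
import io
import re
import zipfile

# JAR signature entries: META-INF/*.SF, its *.DSA/*.RSA/*.EC block, META-INF/SIG-*.
SIG_RE = re.compile(r"^META-INF/(?:[^/]+\.(?:SF|DSA|RSA|EC)|SIG-[^/]*)$", re.I)
MANIFEST = "META-INF/MANIFEST.MF"

def signature_entries(jar_bytes):
    """Names of the signature files a jar already carries (empty if unsigned)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(n for n in jar.namelist() if SIG_RE.match(n))

def strip_manifest_digests(text):
    """Keep the main section; drop per-entry digests left by the old signer."""
    sections = re.split(r"(?:\r?\n){2,}", text.strip())
    kept = [sections[0]]
    for sec in sections[1:]:
        # Split into attributes; a newline followed by a space is a continuation.
        attrs = [a for a in re.split(r"\r?\n(?! )", sec)
                 if "-Digest" not in a.split(":", 1)[0]]
        if len(attrs) > 1:  # something besides "Name:" remains
            kept.append("\r\n".join(attrs))
    return "\r\n\r\n".join(kept) + "\r\n"

def unsign(jar_bytes):
    """Copy of the jar without signature files, ready to be signed with one key."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if SIG_RE.match(info.filename):
                continue
            data = src.read(info)
            if info.filename.upper() == MANIFEST:
                data = strip_manifest_digests(data.decode("utf-8")).encode("utf-8")
            dst.writestr(info.filename, data)
    return out.getvalue()

def make_sample_jar():  # constructed sample; the signature bytes are fake
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MANIFEST, "Manifest-Version: 1.0\r\n\r\n"
                     "Name: com/example/Lib.class\r\nSHA1-Digest: AAAA\r\n\r\n")
        jar.writestr("META-INF/VENDOR.SF", "Signature-Version: 1.0\r\n")
        jar.writestr("META-INF/VENDOR.RSA", b"\x30\x00")
        jar.writestr("com/example/Lib.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Run signature_entries on each library jar before it is merged; a non-empty result means the merged jar would carry someone else's signature files alongside the ones signjar adds.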
yo, thanks, i am finally starting to get somewhere. the build.xml had the -storepass right there in broad daylight and i can recover my privatekey with
keytool -list -alias key_name -storepass changeit
i then go to the folder with the jme*.jars and sign it
jarsigner jme.jar key_name
Enter Passphrase for keystore: changeit
Warning: The signer certificate will expire within six months.
so, i think that worked. and i get cocky
Biology-HuberMacBook:Downloads huber$ jarsigner *.jar key_name
Enter Passphrase for keystore: changeit
jarsigner: Certificate chain not found for: jme-awt.jar. jme-awt.jar must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
so i go back and sign each one by itself …
now i will try to merge that into the jar next, report to follow …
i tried to get to the META_INF directory but changing to .zip .txt or just forcing it to open as ascii shows goodies embedded in gobbledygook in my mac, e.g. for jme.jar …
PK