JARSigningException in webstart when i merge any jme.jar files into my project

oh masters of the monkey code,



i am kinda stuck at the beginning. i am getting started with jME on top of lwjgl, i use Xcode in Mac OS X 10.5.2 with java version "1.5.0_13", Java™ 2 Runtime Environment, Standard Edition (build 1.5.0_13-b05-237). i have a little barebones, silly webstart app that runs fine. i then add any of the jme jars to the project, i don't call anything in it, i don't even think about jme - but the app fails to run with the following security issue:



com.sun.deploy.net.JARSigningException: Could not verify signing in resource: http://localhost/~huber/jME_signed.jar
    at com.sun.deploy.cache.CacheEntry.writeManifest(CacheEntry.java:1119)
    at com.sun.deploy.cache.CacheEntry.writeFileToDisk(CacheEntry.java:797)
    at com.sun.deploy.cache.Cache.downloadResourceToCache(Cache.java:524)
    at com.sun.deploy.net.DownloadEngine.actionDownload(DownloadEngine.java:947)
    at com.sun.deploy.net.DownloadEngine.getCacheEntry(DownloadEngine.java:1059)
    at com.sun.deploy.net.DownloadEngine.getResourceCacheEntry(DownloadEngine.java:1134)
    at com.sun.deploy.net.DownloadEngine.getResourceCacheEntry(DownloadEngine.java:1068)
    at com.sun.deploy.net.DownloadEngine.getResource(DownloadEngine.java:142)
    at com.sun.javaws.LaunchDownload.downloadJarFiles(LaunchDownload.java:826)
    at com.sun.javaws.LaunchDownload.downloadEagerorAll(LaunchDownload.java:742)
    at com.sun.javaws.Launcher.downloadResources(Launcher.java:1165)
    at com.sun.javaws.Launcher.prepareLaunchFile(Launcher.java:540)
    at com.sun.javaws.Launcher.prepareToLaunch(Launcher.java:157)
    at com.sun.javaws.Launcher.launch(Launcher.java:95)
    at com.sun.javaws.Main.launchApp(Main.java:302)
    at com.sun.javaws.Main.continueInSecureThread(Main.java:212)
    at com.sun.javaws.Main$1.run(Main.java:107)
    at java.lang.Thread.run(Thread.java:637)



my webstart app runs fine before i add the jme jar. to do this my build.xml first compiles and builds the jar.



    <target name="compile" depends="init" description="Compile code">
        <javac srcdir="${src}" destdir="${bin}"
            source="1.5" target="1.5"
            includeAntRuntime="no"
            classpathref="lib.path"
            debug="${compile.debug}">
        </javac>
    </target>

    <target name="build-jar" depends="compile" description="Build jar">
        <jar jarfile="${jarfile}"
            basedir="${bin}"
            manifest="${resources}/Manifest">
            <!-- Merge library jars into final jar file -->
            <zipgroupfileset refid="lib.jars"/>
        </jar>
    </target>



i then check for a private key



    <!-- See if we already have a private key for this user in ~/.keystore.  -->
    <!-- Note: This tests for an output string of "does not exist", this
         assumes the locale is set to English and will not work for Spanish
         or other languages. -->
    <target name="checkforkey" depends="build-jar" description="Generate private key">
        <exec executable="/usr/bin/keytool" resultproperty="keytool.result" failonerror="false">
            <redirector outputproperty="keytool.output" logError="false"/>
            <arg value="-list"/>
            <arg value="-alias"/>
            <arg value="${user.name}"/>
            <arg value="-storepass"/>
            <arg value="changeit"/>
        </exec>
        <!-- Set the property createPrivateKey, used in genkey below, if there is no key -->
        <condition property="createPrivateKey">
            <not>
                <equals arg1="${keytool.result}" arg2="0"/>
            </not>
        </condition>
    </target>





i then generate a key if there isn't one already



    <!-- If createPrivateKey is set we need to call genkey.  -->
    <target name="genkey" depends="checkforkey" if="createPrivateKey">
        <echo message="Creating a new key because keytool returned: ${keytool.output}"/>
        <genkey alias="${user.name}" storepass="changeit" >
            <dname>
                <param name="CN" value="${user.name}"/>
                <param name="OU" value="Kids Fun Zone"/>
                <param name="O"  value="SugarRidgePrairie"/>
                <param name="C"  value="US"/>
            </dname>
        </genkey>
    </target>



i then sign the .jar file with



    <!-- Sign the JAR with the key generated above. -->
    <target name="sign-jar" depends="genkey" description="Sign JAR file">
        <!-- Note that the storepass is cleartext, and the keystore is assumed to be
             ~/.keystore. You may wish to just use .SF or .DSA files directly  -->
        <signjar jar="${jarfile}"
            alias="${user.name}"
            storepass="changeit"
            keystore="${user.home}/.keystore"
            signedjar="${signed.jarfile}"/>
    </target>



i then put the package together and run



    <target name="package" depends="sign-jar" description="Put all the pieces together in the dist directory">
        <mkdir dir="${dist}"/>
        <!-- Copy jar -->
        <copy toDir="${dist}">
            <fileset dir="${jars}">
                <include name="*_signed.jar"/>
            </fileset>
        </copy>
        <!-- Copy the JNLP -->
        <copy file="${jnlp.file}" todir="${dist}"/>
        <!-- Copy the HTML -->
        <copy file="${html.file}" todir="${dist}"/>
    </target>

    <!-- Install onto your local machine for testing: You will need to turn on Web Sharing in System Preferences. -->
    <target name="install" depends="package" description="Put all the pieces together in the dist directory">
        <!-- Copy to your home directory's Sites folder -->
        <copy todir="${user.home}/Sites">
            <fileset refid="installed.files"/>
        </copy>
    </target>



so, this works until i add any of the jme.jar files to the project, which invariably gets me the security exception. is it possible that the jme jars come signed with a key already and that i am not allowed to assign a key to the merged package once it is merged in?



your insight is greatly appreciated …


You’ll have to either sign all jars linked in your jnlp file with the same key, or link the externally signed jars as an <extension> instead of <jar> in the jnlp.

For more info on the “sign all jars the same” way see the wiki.

howdy,



thanks for the input. i got to try a bunch of things, albeit, none resulted in a solution



attempt 1: i first try to sign the jme jars according to instructions at "Deploying jME Applications with Webstart" wiki. in my terminal i type



keytool -genkey -alias key_name





and it promptly asks me



Enter keystore password:





i have no clue where i get that password, it is not the normal admin pass. is there a trick to this? i had to abandon this approach for now



attempt 2: then i try to sign the jar files within build.xml. i have the jme.jar in my lib folder. i want to sign it, name it jme-signed.jar, and save the signed jar to the jar folder where it will be merged with the rest of the jars. so i first set the file as a property



  <property name="jme.jarfile" location="${libs}/$jme.jar"/>

  <property name="signed.jme.jarfile" location="${jars}/$jme_signed.jar"/>





i then go to the section that already signs the current application jar and i just add <signjar … > for the jme.jar as follows



    <!-- Sign the JAR with the key generated above. -->
    <target name="sign-jar" depends="genkey" description="Sign JAR file">
        <!-- Note that the storepass is cleartext, and the keystore is assumed to be
             ~/.keystore. You may wish to just use .SF or .DSA files directly  -->
        <signjar jar="${jarfile}"
            alias="${user.name}"
            storepass="changeit"
            keystore="${user.home}/.keystore"
            signedjar="${signed.jarfile}"/>
        <signjar jar="${jme.jarfile}"
            alias="${user.name}"
            storepass="changeit"
            keystore="${user.home}/.keystore"
            signedjar="${signed.jme.jarfile}"/>
    </target>





during compile i get the error "jarsigner returned: 1" and i am really flying in the dark on this. so i had to abandon this approach as well.



attempt 3: put it together into the jnlp as an <extension> instead of as a <jar>. in the jnlp file i add the jme.jar to the list of resources



  <resources>
    <j2se version="1.4+"/>
    <jar href="jMEApp_signed.jar"/>
    <extension name="jme" href="jme.jar"/>
  </resources>



i then copy it to my home directory apache sites folder along with the *.html and the *.jnlp. When i start the jnlp the webstart app starts to download then reports that it is unable to launch. it then hangs up when i try to get more detail on why it was unable to launch. strike three …



the presence of a lot of will and determination has for now been unable to overcome an even greater shortage of competence.



help on any of the above approaches, pointers to useful pages/instructions, or just plain handholding would be greatly appreciated …

lobsterman said:

attempt 1: i first try to sign the jme jars according to instructions at "Deploying jME Applications with Webstart" wiki. in my terminal i type

keytool -genkey -alias key_name


and it promptly asks me

Enter keystore password:


i have no clue where i get that password, it is not the normal admin pass. is there a trick to this? i had to abandon this approach for now


you have to define what the password is :)

the sun website has some good tutorials for all kinds of things
http://java.sun.com/docs/books/tutorial/security/toolsign/step3.html

Also, yes, the jme jars may already be signed. Go into each jar (easiest way is to rename it *.zip). Look in the META-INF directory and delete all files in there. You could probably script this, but have a look anyway.
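The check and clean-up suggested in the reply above can be scripted; the following is an added example, not code from the thread or from jME. It assumes that dropping only the signature files (`*.SF`, `*.DSA`, `*.RSA`, `*.EC`, `SIG-*` directly under `META-INF/`) is what is wanted, rather than everything in that directory, and the sample jar and its entry names are constructed.

```python
import os
import re
import tempfile
import zipfile

# Signature-related entries per the JAR file specification: files directly in
# META-INF/ named *.SF, *.DSA, *.RSA, *.EC or SIG-* (matched case-insensitively).
SIG_ENTRY = re.compile(r"META-INF/([^/]+\.(SF|DSA|RSA|EC)|SIG-[^/]*)", re.IGNORECASE)


def signature_entries(jar_path):
    """Names of the signature files present in a jar (empty list = unsigned)."""
    with zipfile.ZipFile(jar_path) as jar:
        return [n for n in jar.namelist() if SIG_ENTRY.fullmatch(n)]


def strip_signatures(src_jar, dst_jar):
    """Copy src_jar to dst_jar without its signature files; return what was dropped.

    MANIFEST.MF and every other entry are copied unchanged.
    """
    dropped = []
    with zipfile.ZipFile(src_jar) as src, \
            zipfile.ZipFile(dst_jar, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if SIG_ENTRY.fullmatch(info.filename):
                dropped.append(info.filename)
            else:
                dst.writestr(info, src.read(info))
    return dropped


def make_sample_jar(path):
    """Constructed stand-in for a signed library jar (contents are dummy bytes)."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/JME.SF", "Signature-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/JME.RSA", b"\x30\x00")
        jar.writestr("META-INF/services/example.Provider", "example.Impl\n")
        jar.writestr("com/example/Demo.class", b"\xca\xfe\xba\xbe")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        signed = os.path.join(tmp, "lib.jar")
        unsigned = os.path.join(tmp, "lib_unsigned.jar")
        make_sample_jar(signed)
        print("signature files:", signature_entries(signed))
        print("dropped:", strip_signatures(signed, unsigned))
        print("left in copy:", signature_entries(unsigned))
```

Running `signature_entries` on a library jar before merging it shows whether it already carries someone else's signature; the stripped copy can then be merged and signed with a single key.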

yo, thanks, i am finally starting to get somewhere. the build.xml had the -storepass right there in broad daylight and i can recover my private key with



  keytool -list -alias key_name -storepass changeit



i then go to the folder with the jme*.jars and sign it



  jarsigner jme.jar key_name

  Enter Passphrase for keystore: changeit



  Warning: The signer certificate will expire within six months.



so, i think that worked. and i get cocky



  Biology-HuberMacBook:Downloads huber$ jarsigner *.jar key_name

  Enter Passphrase for keystore: changeit

  jarsigner: Certificate chain not found for: jme-awt.jar.  jme-awt.jar must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.



so i go back and sign each one by itself …



now i will try to merge that into the jar next, report to follow …



i tried to get to the META-INF directory but changing to .zip .txt or just forcing it to open as ascii shows goodies embedded in gobbledygook on my mac, e.g. for jme.jar …



PK