[SOLVED] [Java6 Update 19] Browser shows warning when running signed applets


Java6 Update 19 was released one week ago.

This release of Java shows a warning in the browser window

if you mix signed code (e.g. jme.jar) and unsigned code (e.g.

your images in resource.jar) in your applet.

As you can see, this looks everything but inviting. You have to click

‘No’(!) to go on, unlike every other application, where you always click ‘yes’

to advance.

Sun has a tutorial how to avoid this warning:


In short, this tutorial says:

Take all your unsigned jar-files (jmonkey.jar, myApplet.jar), look for the manifest-file

META-INF/manifest.mf and change

Manifest-Version: 1.0
Created-By: 1.6.0-internal (Sun Microsystems Inc.)


Manifest-Version: 1.0
Trusted-Library: true
Created-By: 1.6.0-internal (Sun Microsystems Inc.)

then sign your applet with jarsigner.

Sun says, this should suffice to avoid this warning.

Ok, said and done. All applets are signed with my certificate
and equipped with the new manifest-file.

But, in my case, my applet doesn't work any more.
My applet consists of these files:

<applet name="draw" code="test.MainApplet" archive="main_signed.jar,resource.jar, jme.jar, lwjgl.jar, windows_natives.jar">

- main_signed.jar: The main program, with certificate
- windows_natives.jar: Native files (.dll) for LWJGL, with certificate
- jmonkey_signed.jar: Well, er, this is the JMonkey engine, with certificate
- lwjgl_signed.jar: LWJGL-Engine, signed

I get an exception:
java.security.PrivilegedActionException: java.lang.Exception: Unable to open /windows_natives.jar, which was expected to be on the classpath
at java.security.AccessController.doPrivileged(Native Method)
at org.lwjgl.util.applet.LWJGLInstaller.tempInstall(LWJGLInstaller.java:103)
at com.jme.system.lwjgl.LWJGLSystemProvider.installLibs(Unknown Source)

Obviously the java security manager tells me, it can't install the DLL-Files
because of security concerns. But why?
All files are signed with the same valid certificate. Actually this isn't even mixed code,
because there are no unsigned files. It worked before without any problems.

Any ideas how to solve this?


PS: Unfortunately this is JME1.0. Right now I can't update to a current version of JME.

I guess all jar files in the classpath must be signed. You can probably mix jars signed with different certificates, but not mix signed and unsigned jars.

Momoko_Fan said:

I guess all jar files in the classpath must be signed. You can probably mix jars signed with different certificates, but not mix signed and unsigned jars.

Thanks. The problem lies in the LWJGL jars, have a look here:
If you have Java 6 Update 19 installed, the warning appears.

The author of LWJGL has told me that he has "fixed" that issue
in his nightly build (LWJGL 2.4) by adding "TrustedLibrary: true"
into his manifest-file META-INF/manifest.mf. But, alas, it doesn't
help me here, because I use LWJGL 1.0 (!).

It's possible LWJGL 1.0 is going to be released with this fix, since it doesn't require changes to the code.