Why isn't JMonkeySDK code signed?

Why isn’t JMonkeySDK signed with a certificate? I noticed that none of the code from JMonkey is signed. A code certificate only costs 200/yr on godaddy.com. I’ve tried it myself and it is good.

That 200 needs to come from somewhere… just until recently there was no official way to donate money to this project, but now there is. If enough people chip in and think it is important with code signing I guess there is no reason not to do it.

I’ll pay for the $200 as long as the donation method gets set up. I think money is not a problem here.

Also, I think having all the libraries JMonkey has to offer signed and ready to use is a nice thing to have. :slight_smile:

If the nice people from Jogamp.org have their certificates why shouldn’t we? :wink:

Do you take bitcoins? :smiley:

We should use google donations or paypal. I can set them up with a few clicks. Any other suggestions would be appreciated. :slight_smile:

Lower right of the “Contact” page has the donate link:
http://hub.jmonkeyengine.org/contact/

<cite>@Pixelapp said:</cite> Why isn't JMonkeySDK signed with a certificate? I noticed that none of the code from JMonkey is signed. A code certificate only costs 200/yr on godaddy.com. I've tried it myself and it is good.

A code signing certificate only costs … nothing on CACert :slight_smile:

We’ve discussed code signing internally a few times. What it really comes down to though is that people will need to sign their own jars for distribution anyway if code signing is an issue - so there is no gain by us signing it as well.

As soon as you have a code signing cert you also get into very serious security issues as if that cert was ever stolen and used for bad things that reflects directly on jme.

I’m just a regular community member so I have no authority in this matter. Please let the core team say something before donating money earmarked for this.

@Pixelapp I agree with zarch, you can sign JMonkeyEngine 3 with your own certificate. I have signed all my dependencies including JOGL since 2006. Moreover, I don’t see the interest of advising godaddy whereas CACert is free of charge. Finally, I remind you that the support of OCSP is still semi-broken in Java 1.7, look at my bug report and the release notes of Java 1.7 update 25, Oracle is going to provide an alternative to OCSP, it would be better to wait a bit before investing any money in a code signing certificate. I don’t really see the interest of providing signed builds of JMonkeyEngine, I mainly see the drawbacks.

I don’t see any gain from this, as I have to re-sign anything I use anyway. (At most it would save me iterating over a few jme jars.)

@gouessej are you sure that works? Have you used it recently? When I go to the site it tells my browser that their ssl certificate is invalid. Why don’t you think their java signing certificate will do the same?

Ok, us minions are going to go to Cacert.org and use their certificate to sign our personal java applications. Everything should work as intended. If the CaCert certificate doesn’t work as intended then we should reopen this thread. Yeah, that’s what I’m going to do.

As we are starting to rely more heavily on native libraries, that might be a reason to get a cert some time (e.g. Applets etc.). Generally it’s like zarch said, you’d sign with your own cert anyway and in store systems there’s mostly other kinds of certificates.

Ok. I researched Cacert.org and no it doesn’t work as intended. It is not recognized by java or all operating systems.

I’ll have to buy my own certificate :(. And I’ll be wasting tons of money because I know I could easily share it with you guys/gals :(.

@normen we don’t need to sign our own certificates individually. I used to make video-games with Jogamp.org libraries and I never had to buy a certificate. I hope we could do the same here.

I suggest we buy a java code signing certificate from godaddy.com to sign everything related to jmonkey.

Using some certificate that can be used by anybody is the same as having none at all.

<cite>@Pixelapp said:</cite> Ok. I researched Cacert.org and no it doesn't work as intended. It is not recognized by java or all operating systems.

I’ll have to buy my own certificate :(. And I’ll be wasting tons of money because I know I could easily share it with you guys/gals :(.

@normen we don’t need to sign our own certificates individually. I used to make video-games with Jogamp.org libraries and I never had to buy a certificate. I hope we could do the same here.


At first, I already told you that the JogAmp Foundation would probably not sign JInput. Secondly, you have forgotten one step (look at ImportRootCert in the FAQ of CACert). Personally, I will never let Oracle force me to pay for a code signing certificate to use Java Web Start. If Oracle causes too much trouble, some organizations will have to provide fully functional builds (with some support of Java Web Start) of OpenJDK for Windows and Mac.

@normen The anti-spam system prevented me from posting a link to the FAQ despite my different attempts of pleasing it. I’m really fed up, it is too much, it has become extremely annoying.

<cite>@gouessej said:</cite> @normen The anti-spam system prevented me from posting a link to the FAQ despite my different attempts of pleasing it. I'm really fed up, it is too much, it has become extremely annoying.

Yeah, the forum sucks.

<cite>@normen said:</cite> Using some certificate that can be used by anybody is the same as having none at all.

But Jogamp.org is doing what I’m explaining and everything works fine for them. Why wouldn’t we do it? What would be the problem?

As I said, I’ll end up buying a java certificate from godaddy.com. I just don’t want to waste all that money. Also, I wanted JMonkey to have a certificate.