Why isn't JMonkeySDK code signed?

@Pixelapp said: But Jogamp.org is doing what I'm explaining and everything works fine for them. Why wouldn't we do it? What would be the problem?

As I said, I’ll end up buying a java certificate from godaddy.com I just don’t want to waste all that money. Also, I wanted JMonkey to have a certificate.

As I said, we would devalue the cert completely if we let anyone use it, if we buy a license we certainly won’t let people sign their apps with it. Also you got information on how to obtain a free license. Read gouessej’s answer to your issue above, gouessej here is a vital part of jogamp btw. so you should probably consider what he says before using them as an example.

@normen Ok, I’m guessing this is a Yes. Let me know if you want me to buy the certificate or who else is going to buy the certificate. I’ll be waiting here.

@Pixelapp said: @normen Ok, I'm guessing this is a Yes. Let me know if you want me to buy the certificate or who else is going to buy the certificate. I'll be waiting here. :)

I don’t know how you read a “yes” into this but we won’t buy a certificate soon and we will definitely not sign your application with it when we do. You can get a free cert from cacert.org as gouessej indicated. Again, read his reply about your problem with using that cert.

Ok. I’m buying my own then. :\

@Pixelapp said: Ok. I'm buying my own then. :\

@normen It’s not recognized by java or any operating system unless the root file is installed on the end user’s computer. It’s just the same as not having any certificate at all. Just go here for example https://www.cacert.org/index.php?id=1 and you’ll see what kind of things I’m talking about.

@Pixelapp said: @normen It's not recognized by java or any operating system unless the root file is installed on the end user's computer. It's just the same as not having any certificate at all. Just go here for example https://www.cacert.org/index.php?id=1 and you'll see what kind of things I'm talking about.

As I said multiple times, gouessej has given you the solution for this problem.

@gouessej said: Secondly, you have forgotten one step (look at ImportRootCert in the FAQ of CACert).

As I said. You need to use command line in order set this thing up. I don’t think my customers would know how to run command lines on their computers.

@Pixelapp said: As I said. You need to use command line in order set this thing up. I don't think my customers would know how to run command lines on their computers.

So make the installer do that. You don’t seem to be about the actual use of a certificate anyway, I guess you just don’t like some warning screen. Theres probably multiple ways to get around that.

Is not that I don’t like screen warning. I just don’t want my code to be injected with a malicious software which certificates are able to prevent.

Also, I don’t think there is a way to avoid warning by getting around them, java or windows makes sure the user sees a warning always, trust me I’ve tried.

@Pixelapp said: Is not that I don't like screen warning. I just don't want my code to be injected with a malicious software which certificates are able to prevent.

Also, I don’t think there is a way to avoid warning by getting around them, java or windows makes sure the user sees a warning always, trust me I’ve tried.

If an intuder can modfy your game binaries/jars you are lost anyway.

Doesn’t a certificate prevent that??

@Pixelapp said: Doesn't a certificate prevent that??

Only if the private half stays private. This is what we’re saying. When anyone can re-sign your stuff then it’s no protection at all. Might as well just use a self-signed cert.

@pspeed Like I said before, nothing of mine needs to be signed, it will run in a sandbox.

@Pixelapp said: @pspeed Like I said before, nothing of mine needs to be signed, it will run in a sandbox.

Then what’s the issue?

@pspeed when I download Jinput it is not signed. I know it not Jmonkey’s fault but since Jmonkey uses JInput I wanted JInput to be signed.

tldr; version:
Average users do not understand cerificates at all, deal with it

So i dont get it really.

You always get a warnign due to the way the stuff works.
You can show a valid vertificate in the warnign at elast, correct.
I can if I have acces to your jar just rip the certificate out, sign with a selfsigned that looks similar.
If you dont have a very special type of customers but average users, they will never even see what i did, if i let my selfsigned one seem similar to yours.

Basically if i can get your jar, you are screwed anyway, the only thing you can do is increase the necessary work for me. And while i agree that a certificate is doing this at least to a limited extend, its not the best and only option here.

Also i could even aot compile your stuff into an exe, and let the bat the average windows user gets point to that instead.

Always keep in mind when designing something like your security concept, that the average users will install almost any *.exe or whatever if you make them belive that they want it. And any binary has way more platform acess than java normally and runs not in a jvm.

@Pixelapp said: @pspeed Like I said before, nothing of mine needs to be signed, it will run in a sandbox.

@Pixelapp said: @pspeed when I download Jinput it is not signed. I know it not Jmonkey's fault but since Jmonkey uses JInput I wanted JInput to be signed.

You really make no sense at all. Are you making fun of us?

@normen Making fun of what?

@EmpirePhoenix You have given me the response that makes sense. I’ve kind of decided to use .exe instead of webstart because the warning is kind of absent really. So .exe is my front-runner in choice now.