Jalview applet signed

Hi Jim

I have found that you will sign the jalviewLite applet in version 2.8.1
http://issues.jalview.org/browse/JAL-1400
When do you plan to release it?

Also I have tried to sign the jalview version we modified for MyHits (version 2.4+) by signing it with our own certificate.
No problem to sign it but when I want to run it it displays a warning message, only after clicking on the launch button, saying that I try to run a mix of signed and unsigned classes.
Do you know what could cause this?

Thanks

--
Sébastien Moretti
SIB Vital-IT EMBnet, Quartier Sorge - Genopode
CH-1015 Lausanne, Switzerland
Tel.: +41 (21) 692 4079/4221
http://www.vital-it.ch/ http://myhits.vital-it.ch/

'lo there Sébastien.

On 15/11/2013 15:01, Moretti Sébastien wrote:

> I have found that you will sign the jalviewLite applet in version 2.8.1
> http://issues.jalview.org/browse/JAL-1400
> When do you plan to release it?

I'm currently waiting on a request for a certificate from CERTUM - who provide free certificates for OSS software (I hope!). I'll then release a signed version of 2.8b1 - which will be the last in the 2.8.0 series as soon as I receive it.

The recent Java updates, and more complex Apple code signing requirements have kept me busy - Jalview now has an official Apple ID, and I'm trying to integrate the codesign step into our release process for the Jalview installer.

> Also I have tried to sign the jalview version we modified for MyHits
> (version 2.4+) by signing it with our own certificate.
> No problem to sign it but when I want to run it it displays a warning
> message, only after clicking on the launch button, saying that I try to
> run a mix of signed and unsigned classes.
> Do you know what could cause this?

This is due to a couple of issues -
the original jalview build script didn't create an index file - and so when the jarsigner operated on it, it didn't actually sign the index file, but created one after it was done. I've fixed the builder so JalviewLite will run without that warning. You can try it out in the 'latest build of the current release branch'.

There are a couple of other wrinkles, however:

* If you link JmolApplet with Jalview, that needs to be fully signed in the same way (with the index created beforehand) (again, this is fixed in the build system now)
* If you use the 'Mayscript' attribute, in order to use the applet JavaScript API, you need to set the codebase property in the applet manifest, otherwise a warning will be raised. (still working on this..)

I'll most likely post an article on the website about all this, since getting all this right is pretty tricky - particularly for someone new to Java development. I'll also be updating the source building instructions to allow for specifying deployment URLs, etc.

Jim

Hi Jim/Sebastien,

The latest Java updates will show warnings for all applets that are self signed, therefore only jars signed with a certificate are now accepted. The user will still need to accept the new certificate, but you can click the option to always accept the certificate so you don't see the warning again.

On top of that, javascript is treated as unsafe code.

You should add the following lines to the manifest of every jar file, before signing with the certificate.

Codebase: *.my.domain.com
Caller-Allowable-Codebase: *.my.domain.com
Permissions: all-permissions

Codebase accepts wildcards, so for Jalview it might be acceptable to just have * so that anyone can serve it from any domain. The caller-allowable codebase allows javascript from pages served from that domain to call the applet.

Hope this helps,

Andrew
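The two problems raised in this thread, jar content that the signature does not cover (the index written after signing, in Jim's reply) and missing manifest attributes (the three lines Andrew lists), can be located offline with a short script. This is an added example, not code from the thread or from Jalview: `audit_jar` reads only the per-entry digests in `MANIFEST.MF`, so it does not validate the certificate or the signature block, and the sample jar, its entry name `demo/Applet.class` and the `DEMO.SF` placeholder are constructed.

```python
import base64, hashlib, io, re, zipfile

# Files written by the signing tool itself; these never get a per-entry digest.
SIG_FILE = re.compile(r"META-INF/(MANIFEST\.MF|SIG-[^/]*|[^/]+\.(SF|RSA|DSA|EC))$", re.I)
WANTED = ("permissions", "codebase", "caller-allowable-codebase")

def parse_manifest(text):
    """Split MANIFEST.MF text into (main attributes, {entry name: attributes})."""
    text = re.sub(r"\r\n?", "\n", text).replace("\n ", "")  # unfold wrapped lines
    sections = [{k.lower(): v for k, v in (ln.split(": ", 1) for ln in b.split("\n") if ": " in ln)}
                for b in re.split(r"\n{2,}", text.strip())]
    return (sections or [{}])[0], {s["name"]: s for s in sections[1:] if "name" in s}

def audit_jar(data):
    """Return findings for one jar (bytes): uncovered entries, missing attributes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = [n for n in jar.namelist() if not n.endswith("/")]
        main, entries = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name in names:
            if SIG_FILE.match(name):
                continue
            attrs = entries.get(name, {})
            digests = {k[:-7]: v for k, v in attrs.items() if k.endswith("-digest")}
            if not digests:  # e.g. an index file added after signing
                findings.append("unsigned entry: " + name)
            for alg, want in digests.items():
                have = hashlib.new(alg.replace("-", ""), jar.read(name)).digest()
                if base64.b64encode(have).decode() != want:
                    findings.append("digest mismatch: " + name)
    findings += ["manifest lacks " + attr for attr in WANTED if attr not in main]
    if main.get("codebase") == "*":
        findings.append("Codebase is '*': jar can be served from any domain")
    return findings

def build_sample_jar(tamper=False):
    """Constructed jar: two digested entries plus an index added after 'signing'."""
    files = {"demo/Applet.class": b"\xca\xfe\xba\xbe", "images/link.gif": b"GIF89a"}
    mf = "Manifest-Version: 1.0\r\nPermissions: all-permissions\r\nCodebase: *\r\n\r\n"
    for name, body in files.items():
        digest = base64.b64encode(hashlib.sha256(body).digest()).decode()
        mf += f"Name: {name}\r\nSHA-256-Digest: {digest}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", mf)
        jar.writestr("META-INF/DEMO.SF", "Signature-Version: 1.0\r\n")  # placeholder
        for name, body in files.items():
            jar.writestr(name, body + (b"!" if tamper else b""))
        jar.writestr("META-INF/INDEX.LIST", "JarIndex-Version: 1.0\r\n")  # added late
    return buf.getvalue()
```

Calling `audit_jar(build_sample_jar())` reports the late-added index, the missing `Caller-Allowable-Codebase` attribute and the wildcard `Codebase`; each jar the applet loads needs the same check.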

-----Original Message-----
From: jalview-discuss-bounces@jalview.org [mailto:jalview-discuss-bounces@jalview.org] On Behalf Of Jim Procter
Sent: 15 November 2013 16:59
To: jalview-discuss@jalview.org
Subject: Re: [Jalview-discuss] Jalview applet signed


> Hi Jim/Sebastien,
>
> The latest Java updates will show warnings for all applets that are self signed, therefore only jars signed with a certificate are now accepted. The user will still need to accept the new certificate, but you can click the option to always accept the certificate so you don't see the warning again.
>
> On top of that, javascript is treated as unsafe code.

Could the signed/unsigned warning come from non-class files in our jar?
.build_properties
images/idwidth.gif
images/link.gif

> You should add the following lines to the manifest of every jar file, before signing with the certificate.
>
> Codebase: *.my.domain.com
> Caller-Allowable-Codebase: *.my.domain.com
> Permissions: all-permissions

Will try to follow that.

> Codebase accepts wildcards, so for Jalview it might be acceptable to just have * so that anyone can serve it from any domain. The caller-allowable codebase allows javascript from pages served from that domain to call the applet.
>
> Hope this helps,
>
> Andrew

Will wait for the certificate.
Thanks Jim & Andrew

--
Sébastien Moretti
SIB Vital-IT EMBnet, Quartier Sorge - Genopode
CH-1015 Lausanne, Switzerland
Tel.: +41 (21) 692 4079/4221
http://www.vital-it.ch/ http://myhits.vital-it.ch/

Hi Sebastien..

On 15/11/2013 16:26, Moretti Sébastien wrote:

> Could the signed/unsigned warning come from non-class files in our jar? .build_properties images/idwidth.gif images/link.gif

you can check whether all content is signed using the
jarsigner -verbose -verify <jar>

>> You should add the following lines to the manifest of every jar file, before signing with the certificate.
>>
>> Codebase: *.my.domain.com
>> Caller-Allowable-Codebase: *.my.domain.com
>> Permissions: all-permissions
>
> Will try to follow that.

I think Andrew will be guest author on the blog - he's gone through this particular pain before, and that was with far less crazy java restrictions :wink:

Please let us know how you get on - I've been experimenting with the above fields and have found that things were not behaving as I expected on all systems!
Jim.

> Hi Sebastien..

Hi

>> Could the signed/unsigned warning come from non-class files in our
>> jar? .build_properties images/idwidth.gif images/link.gif
>
> you can check whether all content is signed using the
> jarsigner -verbose -verify <jar>

I tried that command but it says everything is fine.
So I think jalview applet (our custom version is 2.4m based) tries to load/run an external jar that is not signed the same way. Or to run a web service that is not secure enough for java.

--
Sébastien Moretti
Department of Ecology and Evolution,
Biophore, University of Lausanne,
CH-1015 Lausanne, Switzerland
Tel.: +41 (21) 692 4221/4079
http://selectome.unil.ch/ http://bgee.unil.ch/

Hi

next Oracle java update will block all unsigned and self-signed jar/jnlp.
https://blogs.oracle.com/java-platform-group/entry/new_security_requirements_for_rias

--
Sébastien Moretti
Department of Ecology and Evolution,
Biophore, University of Lausanne,
CH-1015 Lausanne, Switzerland
Tel.: +41 (21) 692 4221/4079
http://selectome.unil.ch/ http://bgee.unil.ch/

Thanks Sebastien,

This is the big one, this will kill a lot of applets on the web and unfortunately make it more difficult for beginners to start making their own applets.

As from my previous email, it is the Permissions property which is most important for the manifest file. The codebase is optional, but the caller-allowable-codebase is probably more important to allow interaction with javascript on the page.

Andrew

-----Original Message-----
From: jalview-discuss-bounces@jalview.org [mailto:jalview-discuss-bounces@jalview.org] On Behalf Of Sébastien Moretti
Sent: 20 November 2013 14:38
To: jalview-discuss@jalview.org
Subject: Re: [Jalview-discuss] Jalview applet signed
