Hi Jim/Sebastien,
The latest Java updates will show warnings for all applets that are self-signed; therefore, only jars signed with a certificate are now accepted. The user will still need to accept the new certificate, but you can click the option to always accept the certificate so you don't see the warning again.
On top of that, JavaScript is treated as unsafe code.
You should add the following lines to the manifest of every jar file, before signing with the certificate:
    Codebase: *.my.domain.com
    Caller-Allowable-Codebase: *.my.domain.com
    Permissions: all-permissions
Codebase accepts wildcards, so for Jalview it might be acceptable to just have * so that anyone can serve it from any domain. The caller-allowable codebase allows JavaScript from pages served from that domain to call the applet.
Hope this helps,
Andrew
-----Original Message-----
From: jalview-discuss-bounces@jalview.org [mailto:jalview-discuss-bounces@jalview.org] On Behalf Of Jim Procter
Sent: 15 November 2013 16:59
To: jalview-discuss@jalview.org
Subject: Re: [Jalview-discuss] Jalview applet signed
'lo there Sébastien.
On 15/11/2013 15:01, Moretti Sébastien wrote:
> I have found that you will sign the jalviewLite applet in version 2.8.1
> http://issues.jalview.org/browse/JAL-1400
> When do you plan to release it?
I'm currently waiting on a request for a certificate from CERTUM - who provide free certificates for OSS software (I hope!). I'll then release a signed version of 2.8b1 - which will be the last in the 2.8.0 series as soon as I receive it.
The recent Java updates, and more complex Apple code signing requirements have kept me busy - Jalview now has an official Apple ID, and I'm trying to integrate the codesign step into our release process for the Jalview installer.
> Also I have tried to sign the jalview version we modified for MyHits
> (version 2.4+) by signing it with our own certificate.
> No problem to sign it but when I want to run it it displays a warning
> message, only after clicking on the launch button, saying that I try
> to run a mix of signed and unsigned classes.
> Do you know what could cause this?
This is due to a couple of issues -
The original jalview build script didn't create an index file - and so when the jarsigner operated on it, it didn't actually sign the index file, but created one after it was done. I've fixed the builder so JalviewLite will run without that warning. You can try it out in the 'latest build of the current release branch'.
There are a couple of other wrinkles, however:
* If you link JmolApplet with Jalview, that needs to be fully signed in the same way (with the index created beforehand) (again, this is fixed in the build system now)
* If you use the 'Mayscript' attribute, in order to use the applet JavaScript API, you need to set the codebase property in the applet manifest, otherwise a warning will be raised. (still working on this..)
I'll most likely post an article on the website about all this, since getting all this right is pretty tricky - particularly for someone new to Java development. I'll also be updating the source building instructions to allow for specifying deployment URLs, etc.
Jim
_______________________________________________
Jalview-discuss mailing list
Jalview-discuss@jalview.org
http://www.compbio.dundee.ac.uk/mailman/listinfo/jalview-discuss
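
An added example, not part of the original messages and not Jalview's build code: a pre-release audit that checks a jar for the three manifest attributes Andrew lists and for entries that have no digest section in the manifest, which is the state Jim describes when the index file is created after signing. Assumptions: following Jim's description, META-INF/INDEX.LIST is treated as an entry that should be signed; the sample jars, the class name `jalview/Main.class`, the signature file name `SIGNER.SF` and the digest values are constructed placeholders; the check looks only for the presence of digest entries and does not verify signatures.

```python
import io
import zipfile

REQUIRED = ("Permissions", "Codebase", "Caller-Allowable-Codebase")
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def parse_manifest(text):
    """Return manifest sections as dicts; the first one is the main section."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    blocks = [b for b in text.split("\n\n") if b.strip()]
    return [dict(l.split(": ", 1) for l in b.split("\n") if ": " in l) for b in blocks]

def is_signature_file(name):
    upper = name.upper()
    return upper == "META-INF/MANIFEST.MF" or (
        upper.startswith("META-INF/") and upper.endswith(SIG_SUFFIXES))

def audit_jar(jar_bytes):
    """Report missing manifest attributes and entries that carry no digest."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = [n for n in jar.namelist() if not n.endswith("/")]
        sections = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
    main = sections[0] if sections else {}
    digested = {s["Name"] for s in sections[1:]
                if "Name" in s and any(k.endswith("-Digest") for k in s)}
    unsigned = sorted(n for n in names if n not in digested and not is_signature_file(n))
    return {"missing_attributes": [a for a in REQUIRED if a not in main],
            "unsigned_entries": unsigned, "mixed": bool(digested and unsigned)}

def build_sample(main_attrs, digested, extra):
    """Constructed sample jar: digests and signature files are placeholders."""
    lines = ["Manifest-Version: 1.0"] + main_attrs + [""]
    for name in digested:
        lines += ["Name: " + name, "SHA-256-Digest: PLACEHOLDER", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
        jar.writestr("META-INF/SIGNER.SF", "placeholder")
        for name in digested + extra:
            jar.writestr(name, b"constructed")
    return buf.getvalue()

# "before": index added after signing, no attributes; "after": index signed, attributes set
before = build_sample([], ["jalview/Main.class"], ["META-INF/INDEX.LIST"])
after = build_sample(["Permissions: all-permissions", "Codebase: *.my.domain.com",
                      "Caller-Allowable-Codebase: *.my.domain.com"],
                     ["jalview/Main.class", "META-INF/INDEX.LIST"], [])

if __name__ == "__main__":
    print(audit_jar(before), audit_jar(after), sep="\n")
```

To audit a real build, pass the jar file's bytes to `audit_jar`; `jarsigner -verify` remains the check that the signatures themselves are valid.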