Unidentified developer for Java Web Start application on OS X
M

6

18

On Mac OS X 10.9 signed Java Web Start applications are blocked by default with the message:

"application.jnlp" can't be opened because it is from an unidentified developer.

I know it's possible to weaken the security checks to allow any application to run, but that requires a manual intervention of the end user.

Is it possible to "sign" a Java Web Start application such that it is recognized as originating from an identified developer?

Thank you

Maxim answered 4/11, 2013 at 12:5 Comment(0)
B
4

Apple does appear to support signing of webstart -- but not directly. You have to bundle it in an archive. See the note at the bottom of this page:

You can use the codesign utility to sign the JNLP file, which will attach the code signature to the JNLP file as extended attributes. To preserve these attributes, package the JNLP file in a ZIP, XIP, or DMG file. Be careful using the ZIP format, as some third-party tools might not capture the required extended attributes correctly.

Also note that XIP isn't supported for non-Apple developers anymore:

Important: Starting with macOS Sierra, only XIP archives signed by Apple will be expanded. Developers who have been using XIP archives will need to move to using signed installer packages or disk images.

Bocock answered 3/11, 2016 at 13:42 Comment(2)
Thanks, I've eventually resorted to creating a proper app bundle that invokes javaws https://example.com/application.jnlp. If the jnlp file can no longer be executed automatically upon download there is no point keeping it, even if it's zipped with its code signing attributes. An app bundle has some benefits over the zipped jnlp: 1. it's more familiar to Mac users, 2. it displays the application icon, and 3. there is no need to re-sign it when the jnlp file evolves. – Maxim
Was this answered after 3 years? Anyways. I wanted to confirm that this change was made in version 10.8 or as a security update in 2013? – Reba
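The caution about ZIP tools dropping extended attributes can be checked on the finished archive before it is published. The following is an added example, not code from the answers above or from Apple: it assumes the archive stores extended attributes the way ditto and Archive Utility do (an AppleDouble companion entry named `__MACOSX/._<file>`) and that codesign's detached signature lives in the `com.apple.cs.*` attributes; the function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

APPLEDOUBLE_MAGIC = 0x00051607  # AppleDouble header magic number
# Extended attribute names codesign uses for files that cannot embed a signature.
SIGNATURE_XATTRS = (b"com.apple.cs.CodeDirectory", b"com.apple.cs.CodeSignature")


def signature_xattrs_in_zip(zip_bytes, member):
    """Return the signature xattr names found in the AppleDouble companion of
    `member`, or [] if the archive carries no usable companion entry."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        folder, _, name = member.rpartition("/")
        prefix = "__MACOSX/" + (folder + "/" if folder else "")
        companion = prefix + "._" + name
        if member not in zf.namelist() or companion not in zf.namelist():
            return []
        blob = zf.read(companion)
    if len(blob) < 4 or struct.unpack(">I", blob[:4])[0] != APPLEDOUBLE_MAGIC:
        return []
    # Heuristic: look for the attribute names rather than parsing the ATTR table.
    return [x.decode() for x in SIGNATURE_XATTRS if x in blob]


def build_sample(with_companion):
    """Constructed sample archive; the AppleDouble body is a stand-in, not a real signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("application.jnlp", "<jnlp/>")
        if with_companion:
            fake = struct.pack(">II", APPLEDOUBLE_MAGIC, 0x00020000) + b"\0" * 16
            fake += b"ATTR" + b"\0".join(SIGNATURE_XATTRS)
            zf.writestr("__MACOSX/._application.jnlp", fake)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("ditto-style zip", True), ("plain zip", False)):
        found = signature_xattrs_in_zip(build_sample(flag), "application.jnlp")
        print(label, "->", found or "no signature attributes preserved")
```

An empty result means the archive would unpack to an unsigned JNLP file; a non-empty result only shows the attributes are present, not that the signature is valid, which still has to be verified on a Mac after extraction.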
A
11

In the latest OSX releases, Apple has changed its security model to only support applications from the Mac App Store and identified developers. In most cases, this prohibits jnlp/java-web-start applications from launching.

If this is a trusted application, you may override these settings by updating your system settings as follows:

System Preferences -> Security & Privacy -> (Unlock Window) -> Allow apps downloaded from: (Select Anywhere)

Settings Screen Shot

In some cases you may need to update your Java Security preferences too

System Preferences -> Java -> Security -> (Select Medium)

Settings Screen Shot

Be careful when adjusting these. These settings will open you up to popular attack vectors where an attacker can exploit vulnerabilities within the java runtime (Java 0 days).

Alvar answered 4/1, 2014 at 14:26 Comment(0)
C
6

Here is a related post. It doesn't appear to be possible to bypass the security, Allow All, workaround.

OS X 10.8 Gatekeeper and Java applets

From Apple Tech Support in the post above.

"Unidentified developer" means a source other than the Mac App Store or a Developer ID-identified developer. Note that Java applets cannot participate in the Developer ID program.

I am considering building a native app and using a custom web protocol instead, similar to Skype, where you see skype:// in the URI. It doesn't seem like Apple will change their stance on Java applets in the near future. It will most likely become more restricted and eventually just disabled, like Flash on iOS.

Continuum answered 5/11, 2013 at 14:28 Comment(2)
Thank you for the link, I wasn't aware of the issue with applets. – Maxim
It is possible to bypass it in 10.10 (see my answer). – Danyluk
V
2

The answers to How to sign (dynamic) JNLP files for OSX and Gatekeeper address this question, just ignore the 'dynamic' aspect.

You can codesign -f -s "Developer ID Application: " application.jnlp but the HFS resource won't transfer with the file over the web.

Until Oracle works out a solution, if they ever do, addressing JNLP/Web Start, it looks like we have to figure out a work-around that starts us down the path to creating a Mac app bundle.

Ventose answered 19/3, 2015 at 20:3 Comment(0)
D
1

This seems to have changed in OS X 10.10. Now after going to System Preferences -> Security & Privacy -> (Unlock Window) -> Allow apps downloaded from: (Select Anywhere) (after trying to run the .jnlp file) you'll see an option to "Run anyway".

Danyluk answered 13/2, 2015 at 0:57 Comment(0)
C
1

Sadly Apple has removed the Anywhere option under System Preferences -> Security & Privacy in macOS Big Sur versions.

Below is a very simple way to override macOS security settings for unsigned jnlp files when you get the following message:

"file-name.jnlp" cannot be opened because it is from an unidentified developer. macOS cannot verify that this app is free from malware.

Follow the steps below to override the system security settings:

  1. Ensure the jnlp file has been downloaded (normally in the Downloads folder).
  2. Find the file in Finder and use Control + click and then Open.
  3. You should get a slightly different dialog with the Open button, allowing you to override the system security settings and execute the file.

Reference

Also you may need to download OpenWebStart for macOS

Cindycine answered 19/9, 2021 at 13:18 Comment(0)