jar resources in jnlp are not signed by the same certificate

7

17

I've been working with web start for a couple of years now and have experience with signing the jars and whatnot. I am taking my first attempt at deploying an RCP app with web start, and though I have in fact signed all of the jars with the same certificate I keep getting this error: 'jar resources in jnlp are not signed by the same certificate'

Has anyone else come across this? If so, any ideas on how to fix it?

Chimpanzee answered 10/1, 2009 at 8:43 Comment(0)
13

When I had similar problems, after checking the jars it turned out that some 3rd party jar was signed by someone else.

You should create a separate jnlp file for the jars signed by the other certificate and read this jnlp from your jnlp file:

<resources>
  ...
  <extension name="other" href="other.jnlp"/>
</resources>

Here or here you can find an example.

Manion answered 10/1, 2009 at 8:53 Comment(4)
I came across this same problem. Rather than using extensions, I wrote a small script to strip the signature files (e.g. META-INF/*.RSA, *.DSA, and *.SF) from the 3rd party jars before signing them myself. - Coursing
That's ok if you don't need the original signature. But sometimes you need that. - Manion
kiril's link should be this: weblogs.java.net/blog/kirillcool/archive/2005/05/… - Yuyuan
This is not working as it gives the error "jar resources are not signed by same certificate", and this is obvious as a third party jar would be signed by the respective people. - Balkanize
4

The following script lists the serial number of the RSA certificate in each jar in the /some/lib directory and helps to find jars that are signed by the wrong certificate:

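# Print the signer certificate serial number next to each jar under /some/lib.
# find -print0 with read -d '' keeps paths containing spaces intact (bash).
find /some/lib -type f -name '*.jar' -print0 |
while IFS= read -r -d '' f
do
   serial=$( unzip -p "$f" 'META-INF/*.RSA' |
             openssl pkcs7 -inform der -print -noout |
             grep --max-count=1 serialNumber | cut -d: -f2- | tr -d ' ' )
   printf "%40s: %s\n" "$serial" "$f"
done

Walford answered 7/6, 2019 at 23:9 Comment(1)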
Great Script. Helped me find which JAR had a different signature. - Firn
3

This may be a stale manifest entry from an already signed jar that you use as a library. I encountered this problem with jogl via webstart. Try this:

Unzip all jars, purge all META-INF directories, jar and sign them again.

Hamnet answered 10/1, 2009 at 14:25 Comment(0)
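
The signature-stripping approach mentioned in the comment under the first answer and in the answer above, as an added example that is not code from any poster on this page. The function names are hypothetical, and the sample jar and its signer names ECLIPSE and VENDOR are constructed for illustration:

```python
import io
import re
import zipfile

# Signature-related names per the JAR spec; the page names *.SF, *.RSA and *.DSA.
SIG_FILE = re.compile(r"META-INF/(?:[^/]+\.(?:SF|RSA|DSA|EC)|SIG-[^/]*)$", re.I)
SF_FILE = re.compile(r"META-INF/([^/]+)\.SF$", re.I)


def signer_names(jar):
    """Base names of the signature sets in a jar; more than one means it was signed twice."""
    with zipfile.ZipFile(jar) as zf:
        return sorted({m.group(1).upper() for n in zf.namelist() if (m := SF_FILE.match(n))})


def clean_manifest(data):
    """Drop per-entry sections that hold only Name and *-Digest attributes."""
    sections = re.split(r"(?:\r?\n){2,}", data.decode("utf-8").strip())
    kept = sections[:1]  # the main section is always kept
    for sec in sections[1:]:
        # Attribute names start in column 0; continuation lines start with a space.
        names = re.findall(r"^([^ :\r\n][^:\r\n]*):", sec, re.M)
        if any(n != "Name" and "-Digest" not in n for n in names):
            kept.append(sec)  # carries other attributes: keep it untouched
    return ("\r\n\r\n".join(kept) + "\r\n\r\n").encode("utf-8")


def strip_signatures(src, dst):
    """Copy jar src to dst without signature files; return the names removed."""
    removed = []
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            if SIG_FILE.match(info.filename):
                removed.append(info.filename)
                continue
            data = zin.read(info.filename)
            if info.filename.upper() == "META-INF/MANIFEST.MF":
                data = clean_manifest(data)
            zout.writestr(info, data)
    return removed


def sample_jar():
    """Constructed jar: one class, two made-up signature sets (ECLIPSE and VENDOR)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n"
                    "Name: a/B.class\r\nSHA-256-Digest: AAAA\r\n\r\n")
        for name in ("ECLIPSE.SF", "ECLIPSE.RSA", "VENDOR.SF", "VENDOR.RSA"):
            zf.writestr("META-INF/" + name, b"constructed placeholder bytes")
        zf.writestr("a/B.class", b"constructed placeholder bytes")
    return buf
```

The output jar is unsigned and still has to be signed with your own certificate; as the comments under the first answer note, the third party's original signature is lost in the process.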
3

I've found that JNLP/Webstart does not like multiple signatures/signing via jarsigner.exe for a given JAR. If a JAR such as BouncyCastle (which comes presigned) is signed again with your company's certificate, visual inspection leads me to believe that the new certificate and signatures are performed properly in the JAR, but that JNLP may be reading only the first (alphabetical?) signature in the META-INF, and thereby complaining it doesn't match your other JARs (which have only one, corporate, signature on each JAR).

Nide answered 7/2, 2009 at 18:26 Comment(1)
I can confirm this. Same here: existing signature for a JAR provided by Eclipse (starting with E) and added signature that starts with V. The signature is OK for my own certificate, but JNLP seems to check with the eclipse cert. - Thurman
2

See the explanation for one of the FAQ: How do I use multiple JAR files signed by different certificates?

Right solution.

Technic answered 9/11, 2010 at 18:17 Comment(0)
2

I had the exact same experience as described by Matthew with the presigned BouncyCastle JARs. However, I found that JRE version 1.6.0_14 and later will gladly accept JARs with multiple signatures (as I would expect). Hence, I did not need to use the JNLP 'component extension mechanism' described above.

PS Did not find any obvious references to this fix in the 1.6.0_14 release notes. However, I have verified that multiple signed JARs work in all later versions (at least 14 - 17 + 24).

Thor answered 8/6, 2011 at 8:30 Comment(0)
0

In my project, what happened is that there are a couple of instances in the load balancer pool: there are some instances with an old version of the code and some with a new version. Thus there are certificates not signed by the same certificate...

Rutile answered 25/3, 2013 at 19:25 Comment(0)
