I'm using Maven for a project that creates a JAR that's embedded in my web application to sign PDF documents using a smartcard.
In my pom.xml I use the maven-jarsigner-plugin as follows:
<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-jarsigner-plugin</artifactId>
    <version>1.4</version>
    <executions>
        <execution>
            <id>sign</id>
            <goals>
                <goal>sign</goal>
            </goals>
        </execution>
        <execution>
            <id>verify</id>
            <goals>
                <goal>verify</goal>
            </goals>
        </execution>
    </executions>
    <configuration>
        <keystore>/path/to/my/keystore.jks</keystore>
        <alias>my-key-alias</alias>
        <storepass>********</storepass>
        <keypass>********</keypass>
        <verbose>true</verbose>
        <certs>true</certs>
        <arguments>
            <argument>-tsa</argument>
            <argument>https://timestamp.geotrust.com/tsa</argument>
        </arguments>
    </configuration>
</plugin>
The project builds fine, without any errors. 99% of the output is just [INFO] messages, apart from some [WARNING] messages from the Maven Shade plugin:
[WARNING] maven-shade-plugin has detected that some .class files
[WARNING] are present in two or more JARs. When this happens, only
[WARNING] one single version of the class is copied in the uberjar.
[WARNING] Usually this is not harmful and you can skeep these
[WARNING] warnings, otherwise try to manually exclude artifacts
[WARNING] based on mvn dependency:tree -Ddetail=true and the above
[WARNING] output
When I manually check the resulting jar using the CLI jarsigner it is fine:
Niels-MBP:target niels$ jarsigner -verify my-applet.jar
jar verified.
The jar also verifies without problems on other computers. However, when I include the jar in my web application, users get the message: "security warning: Do you want to run this application? An unsigned application from the location above is requesting permission to run."
UPDATE: When I run the jarsigner with the -verbose option, all .class files are marked as 'sm' (signature verified, entry is listed in manifest) and are missing the 'k' option (at least one certificate was found in keystore). This may be the cause of the error. END UPDATE
The page is served over HTTPS. The jar is on the same domain (even the same folder) as the HTML page and included like this:
<script src="https://www.java.com/js/deployJava.js"></script>
<script>
    var attributes = {
        id: 'myApplet',
        code: 'nl.company.project.applet.MyAppletApplet',
        archive: 'my-applet.jar',
        width: 200,
        height: 200
    };
    deployJava.runApplet(attributes, '1.7');
</script>
Any help with this would be appreciated!
Niels
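Added example, not from the original post: a small POSIX shell filter that reads the output of `jarsigner -verify -verbose -certs` and lists the signed entries whose flag column lacks `k`, so a build can fail early when a signer certificate does not match the keystore. Note that jarsigner only prints `k` for signers whose certificate it finds in the keystore named with `-keystore` (or the default keystore), so the check is meaningful only when that option points at the signing keystore. The jarsigner output embedded below is constructed for the example, not a real run.

```shell
#!/bin/sh
# Constructed sample of `jarsigner -verify -verbose -certs` output (not real).
# First class: flags "smk" (signed, in manifest, cert found in keystore).
# Second class: flags "sm" only, i.e. no matching certificate in the keystore.
SAMPLE_OUTPUT='
         322 Fri Aug 22 10:13:12 CEST 2014 META-INF/MANIFEST.MF
         401 Fri Aug 22 10:13:12 CEST 2014 META-INF/MYKEY.SF
        1540 Fri Aug 22 10:13:12 CEST 2014 META-INF/MYKEY.RSA
smk     5678 Fri Aug 22 10:13:12 CEST 2014 nl/company/project/applet/MyAppletApplet.class
sm      2345 Fri Aug 22 10:13:12 CEST 2014 nl/company/project/applet/Helper.class

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore

jar verified.
'

# Reads jarsigner verbose output on stdin; prints the path of every entry
# that carries the s flag but not the k flag. Entry lines start with the
# flag letters in column 1; unsigned entries, certificate detail lines and
# the legend all start with whitespace and are ignored.
unmatched_entries() {
    awk '
        /^[a-z]+[ \t]+[0-9]+/ {
            flags = $1
            if (flags ~ /s/ && flags !~ /k/) print $NF
        }
    '
}

# Takes the captured jarsigner output as its single argument.
# Returns 1 (so a build script can abort) when any signed entry lacks k.
check_jar_output() {
    unmatched="$(printf '%s' "$1" | unmatched_entries)"
    if [ -n "$unmatched" ]; then
        printf 'Signed entries with no certificate in keystore:\n%s\n' "$unmatched"
        return 1
    fi
    printf 'All signed entries match a keystore certificate.\n'
    return 0
}

# Real usage, against the keystore used for signing (path from the pom above):
#   jarsigner -verify -verbose -certs -keystore /path/to/my/keystore.jks my-applet.jar \
#       | unmatched_entries
```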
The company where I purchased the code signing certificate - Xolphin - tracked down the problem for me. It had something to do with an incorrectly added certificate/alias in the keystore. I recreated the keystore and the problem is gone.
For others facing the same warning: make sure that you uncheck 'Keep temporary files on my computer' in your Java settings (System Preferences -> Java -> Temporary Internet Files -> Settings). It caused me to search further after the problem was fixed, even though I used different filenames for different versions of my JAR file.