Hi,
I have absolutely no experience with java signatures.
I'm trying to self-sign Jitsi jars and run the Jitsi java web start version.
Currently I'm running:
# keytool -genkeypair -alias jitsisigner -keyalg RSA -keysize 2048 -keypass password -keystore JITSIkeystore.jks -storepass password -validity 7300
# keytool -exportcert -alias jitsisigner -file jitsisigner.cer -keystore JITSIkeystore.jks -storepass password
# keytool -importcert -trustcacerts -alias jitsisigner -file jitsisigner.cer -keystore JITSIkeystore.jks -keypass password -storepass password
WebStartBuild.properties contains:
java.jdk.dir = C:\\Program Files\\Java\\jdk1.8.0_25
keystore.alias = jitsisigner
keystore.file = C:\\Users\\vieri\\Documents\\jitsi\\java_keystore\\JITSIkeystore.jks
keystore.password = password
webstart.codebase.url = http://server.org/IT/IM/jws
Jitsi jws builds fine with
# ant -buildfile WebStartBuild.xml all-prod
but I get messages such as:
[apply] jar verified.
[apply]
[apply] Warning:
[apply] This jar contains entries whose certificate chain is not validated.
[apply] This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2035-02-11) or after any future revocation date.
[apply]
[apply] Re-run with the -verbose and -certs options for more details.
I guess it's OK.
I then went to the Windows control panel -> Java and I imported jitsisigner.cer as "trusted certificate" type.
However, when I try to launch http://server.org/IT/IM/jws/client.jnlp, Java Web Start warns me that it can't be run because my security settings are blocking the execution of self-signed applications.
Is there really no way to trust a self-signed app in Java 8 (without having to add site exceptions)?
I then also tried to sign the certificate with a local CA signing authority. I used openssl on another server to create a custom CA and sign jitsisigner.cer.
I ran
# ant -buildfile WebStartBuild.xml all-prod
again and put the openssl-created CA cert within Java's "trusted root certs" in Windows control panel.
However, I'm still getting the same result when launching Jitsi via JWS.
Any ideas?
Thanks,
Vieri
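The jarsigner warnings quoted above ("certificate chain is not validated", no timestamp) concern the outer layer of JAR signing. The following is an added example, not code from the post or from the Jitsi project, showing the innermost layer a verifier checks before it ever looks at the certificate: the per-entry digests in META-INF/MANIFEST.MF, plus the presence of the Permissions and Codebase manifest attributes that Java Web Start inspects for signed applications. The jar is constructed in memory with Python's standard library; the META-INF/JITSISIG.SF and .RSA files it contains are placeholders (assumed names, not real CMS signatures), so the example does not validate the signature block or the certificate chain.

```python
import base64
import hashlib
import io
import zipfile

# Constructed sample content; the class bytes are arbitrary, not a real class file.
ENTRIES = {
    "com/example/Main.class": b"\xca\xfe\xba\xbe constructed class bytes",
    "resources/app.properties": b"name=jitsi-jws-demo\n",
}
# Attributes Java Web Start looks for in the main section of a signed jar's manifest.
MAIN_ATTRS = {
    "Permissions": "all-permissions",
    "Codebase": "http://server.org/IT/IM/jws",  # taken from the post's webstart.codebase.url
}


def build_jar(entries, main_attrs, signed=True, tamper=None):
    """Build a jar with SHA-256 manifest digests; optionally swap entry bytes
    after the manifest was computed (simulating modification after signing)."""
    manifest = "Manifest-Version: 1.0\n"
    for key, value in main_attrs.items():
        manifest += f"{key}: {value}\n"
    manifest += "\n"
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        manifest += f"Name: {name}\nSHA-256-Digest: {digest}\n\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            # Placeholder signature file and block (assumed names; not a real signature).
            zf.writestr("META-INF/JITSISIG.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/JITSISIG.RSA", b"\x30\x82 placeholder signature block")
        for name, data in entries.items():
            zf.writestr(name, tamper.get(name, data) if tamper else data)
    return buf.getvalue()


def parse_manifest(text):
    """Return (main_attrs, {entry_name: attrs}); handles manifest continuation lines."""
    joined = []
    for line in text.replace("\r\n", "\n").split("\n"):
        if line.startswith(" ") and joined:
            joined[-1] += line[1:]  # continuation of the previous attribute
        else:
            joined.append(line)
    sections, current = [], {}
    for line in joined:
        if line == "":
            if current:
                sections.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if current:
        sections.append(current)
    main = sections[0] if sections else {}
    entries = {s["Name"]: s for s in sections[1:] if "Name" in s}
    return main, entries


def check_jar(jar_bytes):
    """Return a list of findings; an empty list means every entry is covered by a
    matching manifest digest and the JWS-relevant attributes are present."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        sig_files = [n for n in names if n.startswith("META-INF/") and n.upper().endswith(".SF")]
        blocks = [n for n in names if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]
        if not sig_files or not blocks:
            findings.append("unsigned: no META-INF/*.SF with a matching signature block")
        main, entries = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        if "Permissions" not in main:
            findings.append("manifest lacks Permissions attribute (Java Web Start requires it since 7u51)")
        if "Codebase" not in main:
            findings.append("manifest lacks Codebase attribute (recommended: pins where the jar may load from)")
        for name in names:
            if name.endswith("/") or name.startswith("META-INF/"):
                continue
            attrs = entries.get(name)
            if attrs is None:
                findings.append(f"{name}: no manifest digest (entry not covered by the signature)")
                continue
            data = zf.read(name)
            for key, expected in attrs.items():
                if key.endswith("-Digest"):
                    algo = key[: -len("-Digest")].replace("-", "").lower()  # "SHA-256" -> "sha256"
                    actual = base64.b64encode(hashlib.new(algo, data).digest()).decode()
                    if actual != expected:
                        findings.append(f"{name}: {key} mismatch (entry modified after signing)")
    return findings


if __name__ == "__main__":
    for label, jar in (
        ("intact", build_jar(ENTRIES, MAIN_ATTRS)),
        ("tampered", build_jar(ENTRIES, MAIN_ATTRS, tamper={"com/example/Main.class": b"patched"})),
        ("unsigned", build_jar(ENTRIES, {}, signed=False)),
    ):
        print(label, check_jar(jar) or "OK")
```

Running the block prints "OK" for the intact jar, a digest mismatch for the entry changed after the manifest was written, and three findings for the unsigned jar with an empty main section. A real verifier (jarsigner -verify -verbose -certs, or the Web Start client) performs the same digest comparison and then additionally checks the .SF digests against the manifest and the CMS signature against the signer certificate, which is where the self-signed chain in the post is rejected.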