JDK-8016771 : 7u25: warning dialogue still show up even all jar files are signed
  • Type: Bug
  • Component: deploy
  • Sub-Component: plugin
  • Affected Version: 7u25
  • Priority: P2
  • Status: Closed
  • Resolution: Not an Issue
  • OS: windows_7
  • CPU: x86
  • Submitted: 2013-06-17
  • Updated: 2013-06-18
  • Resolved: 2013-06-18
Description
Since 7u25, we are seeing a dialog that indicates that we are trying to load an unsigned application. This is confusing because all the applet jars are signed properly and have been for years. 

The dialog does not indicate what exactly it is complaining about, and so we have no idea what the problem is. The Applet is signed, all the jars within the applet are signed, and yet the dialog says something is not signed. Clicking "More information" does not help; there is just some text about unsigned applications, but we are unable to determine what component is being referenced here.
 
Warning:
This jar contains unsigned entries which have not been integrity-checked.


This jar with unsigned entries loads fine with 7u21 (which is incorrect and is a bug in 7u21), but with 7u25-b15, due to recent security fixes, we have the following behavior:

1) blocked at default high level
basic: exception: Your security settings have blocked a local application from running.
com.sun.deploy.security.BlockedException: Your security settings have blocked a local application from running

2) When the slider is set to MEDIUM, we allow it to load but show an extra unsigned warning dialog (ideally in this case also we should have blocked it)

The same applet fails to load when trying to run it as a JNLP applet (same behavior with medium/high settings)
    at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
    at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
    at sun.plugin2.applet.JNLP2Manager.prepareLaunchFile(Unknown Source)
    at sun.plugin2.applet.JNLP2Manager.loadJarFiles(Unknown Source)
    at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
basic: exception: JAR resources in JNLP file are not signed by same certificate. 


Comments
Solution: index.list must be signed

With 7u21, signed jars were allowed to be loaded without any unsigned warning if they contained an unsigned index.list entry, but this is not true anymore with 7u25. With 7u25, an extra unsigned warning message is shown if the jars are signed first and index entries are then added inside them. This issue can be resolved by changing the build routine:

1) Create all index entries first; index.list
2) Then try to sign all the jars
18-06-2013
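A build-time check for the condition described in the comment above, added here as an illustration and not part of the bug report or the JDK: it lists jar entries that have no digest section in META-INF/MANIFEST.MF, which is how an index.list added after signing shows up. It checks manifest coverage only and does not verify the signature itself; the function names and the sample jar (dummy digests and signature files) are constructed for the example.

```python
import io
import zipfile

# Files the signer itself writes; they are never listed as signed entries.
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")

def is_signature_file(name):
    upper = name.upper()
    base = upper[len("META-INF/"):]
    if not upper.startswith("META-INF/") or "/" in base:
        return False
    return base == "MANIFEST.MF" or base.startswith("SIG-") or base.endswith(SIG_SUFFIXES)

def digested_names(manifest_text):
    """Return entry names whose manifest section carries a *-Digest attribute."""
    # Manifest lines over 72 bytes continue on the next line after a single space.
    text = manifest_text.replace("\r\n", "\n").replace("\n ", "")
    names = set()
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs and any(k.lower().endswith("-digest") for k in attrs):
            names.add(attrs["Name"])
    return names

def unsigned_entries(jar_bytes):
    """List entries that were not present when the jar was signed."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        covered = digested_names(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        return sorted(n for n in jar.namelist() if not n.endswith("/")
                      and not is_signature_file(n) and n not in covered)

def build_sample_jar(index_signed):
    """Constructed sample: dummy digests and signature files, not a real signature."""
    manifest = "Manifest-Version: 1.0\r\n\r\nName: app/Main.class\r\nSHA-256-Digest: AAAA\r\n\r\n"
    if index_signed:  # index created before signing, so it has its own digest section
        manifest += "Name: META-INF/INDEX.LIST\r\nSHA-256-Digest: BBBB\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/APP.SF", "Signature-Version: 1.0\r\n")
        jar.writestr("META-INF/APP.RSA", b"placeholder")
        jar.writestr("META-INF/INDEX.LIST", "JarIndex-Version: 1.0\r\n\r\n")
        jar.writestr("app/Main.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

if __name__ == "__main__":
    print("index added after signing:", unsigned_entries(build_sample_jar(False)))
    print("index created before signing:", unsigned_entries(build_sample_jar(True)))
```

Run against each jar a build produces, a non-empty result means the jar will trigger the 7u25 unsigned-entries warning and the index step needs to move ahead of signing.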