The packager generates a jnlp file with:
in this case, the certificate is pre-verified (while the jars are downloaded) using a CodeSource that has this certificate but a location based on the jnlp file.
The code in TrustDecider.checkMainJarManifest() assumes the CodeSource refers to a jar, and tries to open that jar to see if it has the main class, and if so if it has a permission manifest attribute.
When the exception is caught from :
new JarFile(ResourceProvider.get().getCachedResourceFilePath(cs.getLocation(), ver), false);
a SecurityException is thrown, and the app is blocked for not having a permissions attribute.
We need to recognize this situation and not block