如何使用NetBeans自签名Applet？

Question

In the previous months I developed a sandbox applet for an academic project. Due to the Java 1.7.51 security restrictions to applets, I have been trying to self-sign my applet with the hope that it can comply or overcome JRE's requisites for applets.

I'm using NetBeans and I have taken as a point of departure some links that show how to self-sign a jar file. Unfortunately, I haven't been able to get it working.

I have tried to add the following instructions on the build.xml file:

<target name="-post-jar" depends="signing_procedure">
</target>

<target name="signing_procedure" depends="">
    <echo message="Signing ${dist.dir}/MyFile.jar"/>
    <exec dir="C:/Program Files/Java/jdk1.7.0_25/bin/" executable="jarsigner.exe">
        <arg value="-verbose" />
        <arg value="-keystore" />
        <arg value="C:/Program Files/Java/jdk1.7.0_25/bin/MyKeyStore.jks" />
        <arg value="-storepass" />
        <arg value="mystorepass" />
        <arg value="-keypass" />
        <arg value="mykeypass" />
        <arg value="C:/Users/Charles/Documents/ProjectsFolder/MyProject/dist/MyFile.jar" />
        <arg value="MyAlias" />
    </exec>
</target>

I receive the following error message:

Execute failed: java.io.IOException: Cannot run program "jarsigner.exe": error=2, The specified file is not found

I would deeply thank you for your help, and much more if it is adressed to NetBeans!

Answer 1

The parameter dir is not where your executable is located. It is the directory where it will be executed.

<exec executable="C:/Program Files/Java/jdk1.7.0_25/bin/jarsigner.exe">

If you want to keep the exec like it was, you'll need to set resolveexecutable parameter to true. From Ant manual :

When this attribute is true, the name of the executable is resolved firstly against the project basedir and if that does not exist, against the execution directory if specified. On Unix systems, if you only want to allow execution of commands in the user's path, set this to false. since Ant 1.6

Answer 2

I figured out how to do it. The following lines need to be added to the build.xml, under the tab Files of the corresponding project on NetBeans:

<target name="-post-jar" depends="Signing Procedure">
</target>

<target name="Signing procedure" depends="">
    <echo message="Signing ${dist.dir}/MyAppet.jar..."/>
    <exec dir="${dist.dir}" executable="C:/Program Files/Java/jdk1.7.0_25/bin/jarsigner.exe">
        <arg value="-verbose" />
        <arg value="-keystore" />
        <arg value="C:/Program Files/Java/jdk1.7.0_25/bin/MyKeyStore.jks" />
        <arg value="-storepass" />
        <arg value="mystorepassword" />
        <arg value="-keypass" />
        <arg value="mykeypassword" />
        <arg value="C:/Users/Charles/Documents/MyNetBeansProjects/MyProject/dist/MyApplet.jar" />
        <arg value="MySelfSignatureAlias" />
    </exec>
</target>

I hope this is useful to other users!

Answer 3

In Netbeans 8.0.1 (and likely others), there is a project properties setting that gives you the option to sign your project by specifying a key or using generating a key.

1. Open and select your project.
2. Select File -> Project Properties.
3. Select "Web Start"
4. If not already enabled, Check the "Enable Web Start" check box.
5. Select the Customize... button in the Signing: section of the Webstart properties tab.
6. Click the radio button for either Self-sign by generated key -or- Sign by a specified key and enter the Key information.
7. Select how to handle mixed code.

For a more detailed description of this, you can view the help in Netbeans and search for Standard Java SE Project Properties Dialog Box: Web Start . The details should be in the first result that pops up.

Also note the following warning you can expect to sign if you do not have a trusted certificate.

Warning: Unsigned and self-signed WebStart applications and Applets are deprecated from JDK7u21 onwards due to security reasons. To ensure future correct functionality please sign WebStart applications and Applets using trusted certificate.

Answer 4

My JavaFX application needed to run in the sandbox. Here is my path to success..

Development environment:

• Netbeans 8.0.2,
• jre1.8.0_45
• jdk1.8.0_25
• apache-tomcat-7.0.61-windows-x64
• Window 7 Pro
• Firefox 37.0.2

Step 1: Getting the app to run with an "Unrestricted Access" popup.

• Since all applets and JNLPs (RIAs) must be signed, create a self-signed cert outside of NetBeans.
• Add the cert to java's cacerts by using the Java Console. This will allow you to test without buying a cert. BTW, do not buy the inexpensive "Java Code Signing" Comodo cert as I did. The Comodo root certificate is not in Java's cacerts. As a result applets will not run in Firefox.
• Add your cert to IE's keystore to enable your applet to run in IE. BTW, a Comodo cert will run in IE. IE uses the Windows keystore instead of Java's. Microsoft recognizes Comodo as a root CA while Oracle does not.
• Go to Project->Properties->Build->Deployment.
• Check "Request unrestricted access (enable signing)." This will cause the main and dependent jars to be signed.
• Click the "Edit" button and configure the self-signed certificate.
• Go to Project->Properties->Build->Packaging->Custom Manifest Properties.
• Click "Edit." Add the property "Application-Name" and give it a value.
• Go to Files->nbproject->project.properties->manifest.custom.permissions.
• Set the value to "all-permissions".
• Go to Files->nbproject->project.properties->manifest.custom.codebase.
• Set the value to "*".
• Click "Clean and Build." Note that the script signs the project jar as well as the dependent jars. It places the signed jars in dist/lib.
• Click "Run." Note that Netbean's run script deletes the dist/lib folder and copies the unsigned ones to dist/lib.
• The project should now run with the "Unsigned code detected error" popup.
• To save confusion you may want to sign any dependent jars outside of Netbeans since Clean and Build signs the dependent jars and then deletes them at Run time. Curiously if you just click Run instead of preceding it with a Clean and Build Netbeans copies the dependent jars and then signs them before running. Is this a feature or a bug? Inquiring minds would like to know.
• Make a nonfunctional edit. Click "Run."
• The applet and JNLP should now run with an "Unrestricted access" popup.

Step 2: Getting the app to run with a "Restricted Access" popup.

• Go to Files->nbproject->project.properties->manifest.custom.permissions.
• Set the value to "sandbox".
• Go to Files->nbproject->project.properties->javafx.deploy.permissionselevated.
• Set the value to "false."
• Start up a server, for example Tomcat. I installed it separately from Netbeans.
• Build and deploy the dist folder to Tomcat's webapps folder. them in the project.
• Go to Files->nbproject->project.properties->manifest.custom.codebase. Set the value to the server's network address, for example 192.168.1.45.
• Invoke the applet by running it from the server, for example http:192.168.1.45:8080/dist/MyApp.html.

Tested with Firefox and IE. Does not work with Chrome.