java webstart code signing requirements overview


Problem description

I have a small javafx2 application that is used in the office. Some guys run it from Firefox, some run it as a desktop app. Webstart is great.

The current approach is that I have added this to the jnlp file:

<security>
  <all-permissions/>
</security>

Then created a key in a keystore using the keytool:

keytool -genkey -keystore yourKeystore -alias keyname

And I sign all jar files that are to be on the user's PC using jarsigner:

jarsigner -keystore ./myapp.keystore -storepass xxx -keypass yyy <path to jar file> keyname

So the user either starts the app using the shortcut file (the jnlp file) on their desktop, or they browse to the app in Firefox. This works great, except nowadays we get this dialog that says:

Running applications by UNKNOWN publishers will be blocked in a future release

and I am worried about what will happen when that future release is out.

I do not have a deep understanding about all this code signing thing. I know that it works by embedding some binary data into files that is used to prove that the releaser of the app is a company/individual that is recognized by the Certificate Authority (and this is what jarsigner does AFAIK). Certificates are recognized by OSes like Windows and Linux, by web browsers like Firefox and Safari, and Java also recognizes certificates at 2 levels, user and system. There are widely accepted Certificate Authorities (like Verisign) that are recognized by default in OSes like Windows and Linux. I know that web browsers also recognize some Certificate Authorities, but I think the list they recognize can be different from the list the OS recognizes. I guess Java also recognizes some but I do not know what.

I also know that I can have system level configured keystores in Java by specifying the keystore in ~/.java/deployment/deployment.properties, deployment.system.security.trusted.certs. If I do not want to pay for a certificate, I can create my own (this is what I was doing) so my certificate is from an UNKNOWN publisher. What I was hoping for was that if I specify my keystore via deployment.system.security.trusted.certs then it will solve this problem for the office, but apparently it does not, which I do not understand because in this case the system administrator says that he recognizes this certificate.

So now I am thinking about making a certificate using makecert in Windows which can then be pushed down to client PCs via GPO. My understanding is that this will create certificates that are recognized by the OS, but I do not know if makecert-made certificates would be treated the same way as e.g. Verisign certificates in Windows, in Firefox and also in Java. And I do not know if UNKNOWN refers to a list within Java or it refers to the fact that the Certificate Authority is not recognized by the OS.

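My questions:

  1. I would appreciate it if someone could correct the mistakes I made in the above description. I am sure I misunderstand something, but I do not know what.
  2. I just cannot believe that Webstart will not work unless we pay for a certificate. I guess what we need is a mechanism where the system administrator can say that he wants the office PCs to recognize a given certificate. Does anybody know how this can be done in the future?
  3. If we must buy a certificate, can someone tell me what to look out for or how this is done in general? Can I use jarsigner the same way?
  4. If we must buy a certificate, is there a list of Certificate Authorities that we can choose from? Obviously I would like to pick the cheapest, as I consider this an administrative overhead.

Thanks for your help.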

Recommended answer

My setup that works with JRE7u40 and JRE8 is this:

I have a self-signed cert for my certificate authority (CA). This cert must be trusted by the system (e.g. add it to Java Control Panel / Security / Certificates / Signer CA, but there may be other ways to make your CA trusted).

Then I have a code publisher certificate, signed by my CA. I use this cert to sign all my code (jars).

Furthermore, if you want all permissions for your code, I suggest these MANIFEST.MF attributes as QDH minimum (since JRE7u40, if I remember):

Permissions: all-permissions 
Codebase: * 
Trusted-Library: true 
Trusted-Only: true

The first time you run such an application, you will still see the security warning because the runtime is unable to ensure that the code signer certificate was not revoked by its CA.

However, now you have the option to permanently accept this publisher (code signer certificate), and if you do, the code signer certificate will be added to trusted publishers (Java Control Panel / Security / Certificates / Trusted Certificates) and you won't see such a warning again.

If you want to avoid this step, I guess you have to set up your CA infrastructure properly to support certificate revocation verification. I assume that includes some extra attributes in your CA certificate and the availability of a special certificate revocation service. For intranet deployment, you may skip that.
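
A pre-deployment check for the manifest attributes listed in the answer above, as an added example that is not part of the original post: it reads each jar's main manifest section and reports missing attributes, a wildcard `Codebase`, and jars with no signature block file. The function names, the finding texts and the decision to flag `Codebase: *` (the attribute exists to restrict where a signed jar may be deployed from) are assumptions of this example; it only detects that a signature file is present, while `jarsigner -verify` checks that the signature is valid.

```python
import io
import re
import zipfile

# Attributes recommended in the answer above (names are case-insensitive).
REQUIRED = {"Permissions": "all-permissions", "Trusted-Library": "true",
            "Trusted-Only": "true"}
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.IGNORECASE)

def parse_main_attributes(text):
    """Parse the main section of MANIFEST.MF, joining continuation lines."""
    attrs, last = {}, None
    for line in re.split(r"\r?\n\r?\n", text, maxsplit=1)[0].splitlines():
        if line.startswith(" ") and last:   # continuation of the previous value
            attrs[last] += line[1:]
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            attrs[last] = value
    return {k: v.strip() for k, v in attrs.items()}

def audit_jar(jar_bytes):
    """Return findings for one jar; an empty list means every check passed."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            return ["no META-INF/MANIFEST.MF"]
        attrs = parse_main_attributes(jar.read("META-INF/MANIFEST.MF").decode())
    findings = []
    for key, want in REQUIRED.items():
        got = attrs.get(key.lower())
        if got is None or got.lower() != want:
            findings.append(f"{key}: expected {want!r}, found {got!r}")
    if attrs.get("codebase") in (None, ""):
        findings.append("Codebase: missing")
    elif attrs["codebase"] == "*":
        findings.append("Codebase: wildcard, jar may be deployed from any host")
    if not any(SIG_BLOCK.match(n) for n in names):
        findings.append("unsigned: no signature block file in META-INF")
    return findings

def make_jar(manifest, signed=True):
    """Build a constructed sample jar in memory; the signature is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            jar.writestr("META-INF/KEYNAME.RSA", b"constructed placeholder")
    return buf.getvalue()
```

Call `audit_jar(open(path, "rb").read())` for every jar the jnlp file references before publishing a build.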
