Java Webstart代码签名要求概述 [英] java webstart code signing requirements overview
问题描述
我有一个在办公室使用的小型javafx2应用程序.有些人从Firefox运行它,有些人将其作为桌面应用程序运行. Webstart很棒.
I have a small javafx2 application that is used in the office. Some guys run it from Firefox, some run it as a desktop app. Webstart is great.
当前的方法是将其添加到jnlp文件中:
The current approach is that I have added this to the jnlp file:
<security>
<all-permissions/>
</security>
然后使用keytool在密钥库中创建密钥:
Then created a key in a keystore using the keytool:
keytool -genkey -keystore yourKeystore -alias keyname
然后我使用jarsigner对将要在用户PC上存储的所有jar文件进行签名:
And I sign all jar files that are to be on the user's PC using jarsigner:
jarsigner -keystore ./myapp.keystore -storepass xxx -keypass yyy <path to jar file> keyname
因此,用户要么使用桌面上的快捷方式文件(jnlp文件)启动应用程序,要么在Firefox中浏览到该应用程序.这很有效,除了如今我们得到的对话框是:
So the user either starts the app using the shortcut file (the jnlp file) on their desktop, or they browse to the app in Firefox. This works great, except nowadays we get this dialog that says:
UNKNOWN发布者正在运行的应用程序将来会被阻止 释放
Running applications by UNKNOWN publishers will be blocked in a future release
,我担心将来的发行版发布后会发生什么.
and I am worried about what will happen when that future release is out.
我对所有这些代码签名都没有深刻的了解.我知道它可以通过将一些二进制数据嵌入文件中来工作,这些文件用于证明应用程序的发布者是证书颁发机构认可的公司/个人(这是jarsigner进行AFAIK的工作).证书可以由Windows和Linux等操作系统识别,也可以由Firefox和Safari等网络浏览器识别,而Java也可以识别用户和系统这两个级别的证书.在Windows和Linux之类的操作系统中,默认情况下会认可公认的证书颁发机构(如Verisign).我知道网络浏览器也可以识别某些证书颁发机构,但是我认为他们识别的列表可能与操作系统识别的列表不同.我猜Java也可以识别一些,但我不知道是什么.我也知道,可以通过在〜/.java/deployment/deployment.properties,deployment.system.security.trusted.certs中指定密钥库来在Java中配置系统级别的密钥库.如果我不想为证书付费,则可以创建自己的证书(这就是我正在做的事情),因此我的证书来自未知的发行者.我期望的是,如果我通过Deployment.system.security.trusted.certs指定我的密钥库,那么它将为办公室解决此问题,但显然并不能解决,这是我不理解的,因为在这种情况下,系统管理员说他认可此证书.因此,现在我正在考虑在Windows中使用makecert制作证书,然后可以通过GPO将其下推到客户端PC.我的理解是,这将创建操作系统可以识别的证书,但是我不知道是否将makecert制作的证书与例如在Windows,Firefox和Java中都可以使用verisign证书.而且我不知道UNKNOWN是指Java中的列表,还是指操作系统无法识别证书颁发机构的事实.
I do not have a deep understanding about all this code signing thing. I know that it works by embedding some binary data into files that is used to prove that the releaser of the app is a company/individual that is recognized by the Certificate Authority (and this is what jarsigner does AFAIK). Certificates are recognized by OSes like Windows and Linux, by webbrowsers like Firefox and Safari and Java also recognizes certificates at 2 levels, user and system. There are widely accepted Certificate Authorities (like Verisign) that are recognized by default in OSes like Windows and Linux. I know that webbrowsers also recognize some Certificate Authorities, but I think the list they recognize can be different from the list the OS recognizes. I guess Java also recognizes some but I do not know what. I also know that I can have system level configured keystores in Java by specifying the keystore in ~/.java/deployment/deployment.properties, deployment.system.security.trusted.certs. If I do not want to pay for a certificate, I can create my own (this is what I was doing) so my certificate is from an UNKNOWN publisher. What I was hoping for that if I specify my keystore via deployment.system.security.trusted.certs then it will solve this problem for the office but apparently it does not, which I do not understand because in this case the system administrator says that he recognizes this certificate. So now I am thinking about making a certificate using makecert in windows which can then be pushed down to client PCs via GPO. My understanding is that this will create certificates that are recognized by the OS, but I do not know if makecert made certificates would be treated the same way as e.g. verisign certificates in Windows, in Firefox and also in Java. And I do not know if UNKNOWN refers to a list within java or it refers to the fact that the Certificate Authority is not recognized by the OS.
我的问题:
- 如果有人可以解决我在上面的描述中犯的错误,我将不胜感激.我相信我误会了一些东西,但是我不知道是什么.
- 我简直不敢相信,除非我们为证书付费,否则Webstart无法正常工作.我想我们需要的是系统管理员可以说他希望办公室PC识别给定证书的机制.有谁知道将来如何做?
- 如果我们必须购买证书,请让我知道要注意什么或总体上该如何工作?我可以以相同的方式使用jarsigner吗?
- 如果我们必须购买证书,那里是否有可供选择的证书颁发机构列表?显然,我想以最便宜的价格去买,因为这是管理上的开销.
谢谢您的帮助.
推荐答案
适用于JRE7u40和JRE8的设置是这样的:
My setup that works with JRE7u40 and JRE8 is this:
我有一个用于证书颁发机构(CA)的自签名证书.该证书必须是系统信任的证书(例如,将其添加到Java控制面板/安全性/证书/签名者CA,但是可能有其他方法可以使您的CA信任).
I have a self-signed cert for my certificate authority (CA). This cert must be trusted by the system (e.g. add it to Java Control Panel / Security / Certificates / Signer CA, but there may be other ways to make your CA trusted).
然后我有一个由我的CA签名的代码发布者证书.我使用此证书对我的所有代码(罐子)进行签名.
Then I have a code publisher certificate, signed by my CA. I use this cert to sign all my code (jars).
此外,如果要获得代码的所有权限,建议将这些MANIFEST.MF属性作为QDH的最小值(我记得自JRE7u40起):
Furthermore, if you want all permissions for your code, I suggest these MANIFEST.MF attributes as QDH minimum (since JRE7u40, if I remember):
Permissions: all-permissions
Codebase: *
Trusted-Library: true
Trusted-Only: true
第一次运行此类应用程序时,您仍然会看到安全警告,因为运行时无法确保其CA未撤销代码签名者证书.
First time you run such application, you will still see the security warning because runtime is unable to ensure that code signer certificate was not revoked by its CA.
但是,现在您可以选择永久接受此发布者(代码签名者证书),并且如果这样做,代码签名者证书将被添加到受信任的发布者(Java控制面板/安全性/证书/受信任的证书),并且您不会再看到这样的警告.
However, now you have the option to permanently accept this publisher (code signer certificate), and if you do, the code signer certificate will be added to trusted publishers (Java Control Panel / Security / Certificates / Trusted Certificates) and you won't see such warning again.
如果要避免此步骤,我想您必须正确设置CA基础结构以支持证书吊销验证.我认为这包括您的CA证书中的一些额外属性以及特殊证书吊销服务的可用性.对于Intranet部署,您可以跳过.
If you want to avoid this step, I guess you have to setup your CA infrastructure properly to support certificate revocation verification. I assume that includes some extra attributes in your CA certificate and availability of special certificate revocation service. For intranet deployment, you may skip that.
这篇关于Java Webstart代码签名要求概述的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
