OS X 10.8 Gatekeeper 和 Java 小程序 [英] OS X 10.8 Gatekeeper and Java applets
问题描述
在新发布的 OS X 10.8 中,当您尝试启动已签名的 Java 小程序时,Gatekeeper 将弹出以下警告:
With the new release of OS X 10.8, the Gatekeeper will popup the following warning, when you try to start a signed Java applet:
小程序已使用有效的代码签名证书进行签名,并且可以在其他平台以及以前版本的 OS X 上正常工作.如果我将允许从以下位置下载的应用程序"更改为任何地方",它可以正常工作.
The applet has been signed with a valid code signing certificate and will work correctly on other platforms as well as previous versions of OS X. If I change "Allow applications downloaded from:" to "Anywhere", it works correctly.
据我所知,无法验证数字签名"实际上意味着签名不是使用 Mac 开发人员 ID 生成的".
As far as I can figure out "The digital signature could not be verified", actually means something like "the signature has not been made with a Mac Developer ID".
那么:我可以使用 Mac 开发人员 ID 签署 Java 小程序吗?我可以同时使用 Mac 开发人员 ID 和标准代码签名证书对其进行签名吗?有没有更好的方法?
So: Can I sign Java applets with a Mac Developer ID? Can I sign it with both a Mac Developer ID and a standard code signing certificate? Is there a better approach?
推荐答案
这是我从 Apple Developer Technical Support 得到的答案:
Here's the answer that I got from Apple Developer Technical Support:
感谢您在我们调查期间的耐心等待.
Thank you for your patience while we investigated this.
警报是由 Java 提供的,而不是由 Gatekeeper 提供的.然而,你更正 OS X Mountain Lion 上的验证逻辑已更改.
The alert is presented by Java, not by Gatekeeper. However, you're correct that the verification logic was changed on OS X Mountain Lion.
一段时间以来,用户会在以下情况下收到此警报运行签名小程序,因为签名小程序可以逃避 Java沙箱并对用户的系统进行意外更改.用户有选中允许所有小程序来自"框的选项,如果他们信任开发人员,因此他们不会再次看到警报除非他们从 Java 安全首选项中删除该项目.
For a while now, users have been presented with this alert when running a signed applet, because signed applets can escape the Java sandbox and make unexpected changes to the user's system. Users have the option to check the "Allow all applets from " box if they trust the developer and thus they won't see the alert again unless they remove the item from the Java Security preferences.
Mountain Lion 中的变化是现在验证警报基本上意味着小程序的签名是有效的,但小程序来自身份不明的开发者,正在尝试提升权限当 Gatekeeper 启用并且用户必须决定是否允许时
What's changed in Mountain Lion is that the verification alert now basically means that the applet's signature is valid, but the applet is from an unidentified developer and is trying to escalate privileges when Gatekeeper is enabled and the user has to decide whether to allow that.
身份不明的开发者"是指 Mac App Store 以外的来源或开发人员 ID 标识的开发人员.请注意,Java 小程序不能参与开发者 ID 计划.
"Unidentified developer" means a source other than the Mac App Store or a Developer ID-identified developer. Note that Java applets cannot participate in the Developer ID program.
如果 Gatekeeper 设置为仅信任 Mac App Store 应用程序,那么您将无法将小程序添加到受信任列表,除非您添加使用出现的表将小程序的证书添加到钥匙串单击显示详细信息"后.
If Gatekeeper is set to trust only Mac App Store apps, then you will not be able to add the applet to the trusted list unless you add the applet's certificate to the keychain using the sheet that appears after clicking Show Details.
根本不允许未签名的小程序逃逸 Java 沙箱.
Unsigned applets are not allowed to escape the Java sandbox at all.
这与 Gatekeeper 对原生 Mac 应用程序的处理是一致的;默认情况下,不允许运行身份不明的开发者的应用.
This is consistent with Gatekeeper's treatment of native Mac apps; apps from unidentified developers are not allowed to run by default.
如果您希望看到警报的措辞发生变化,请提交一份https://developer.apple.com/bugreporter 上的错误报告.
If you'd like to see the wording of the alert changed, please file a bug report at https://developer.apple.com/bugreporter.
这基本上意味着没有办法以可以避免显示此消息的方式对小程序进行签名.我向 Apple 提交了一个错误报告,说我希望更改消息的措辞,不要包含诸如 UNIDENTIFIED、UNVERIFIED、INSECURE 之类的词……因为这是签署小程序的全部意义所在,以便用户可以感受到所有温暖当他们需要允许小程序运行时,他们的内心是舒适的,以向他们保证他们将要允许的内容是好的和经过验证的,并且不会对他们的计算机造成任何伤害,我们需要将其展示在一个地方将是可见的,用它戳他们的眼睛.
This basically means that there is no way to sign the applet in such a way that you can avoid this message to be shown. I filed a bug report to Apple saying that I want the wording of the message to be changed not to contain words like UNIDENTIFIED, UNVERIFIED, INSECURE... because that's the whole point of signing the applets, so that the users can feel all warm and cosy inside when they need to allow the applet to run, to assure them that what they are about to allow is OK and verified and it won't do any harm to their computer, and we need to show it on a place where it will be visible, to poke their eyes with it.
这篇关于OS X 10.8 Gatekeeper 和 Java 小程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
