[
http://jira.codehaus.org/browse/MWEBSTART-1?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_123303
]
Chad Lyon commented on MWEBSTART-1:
-----------------------------------
I hope it is not too late to chime in with this but the best way to deal with
already signed jars is with the extension element in JNLP. For example, I do
this in my app that includes javahelp:
<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="http://localhost:8080/test-app/";
href="testapp.jnlp">
<information>
<title>Test App</title>
<vendor>Test Apps, Inc.</vendor>
<offline-allowed />
</information>
<security>
<all-permissions />
</security>
<resources>
<j2se version="1.4+" max-heap-size="256m" />
<jar href="test-app-1.0-SNAPSHOT.jar" main="true" />
<extension name="Java Help System" href="javahelp.jnlp" />
</resources>
<application-desc
main-class="com.company.testapp.Test" />
</jnlp>
The javahelp.jnlp looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="$$codebase" href="$$name">
<information>
<title>Javahelp</title>
<vendor>Sun Microsystems, Inc.</vendor>
<offline-allowed/>
</information>
<security>
<all-permissions/>
</security>
<offline-allowed/>
<resources>
<jar href="javahelp-2.0.02.jar" main="true"/>
</resources>
<component-desc/>
</jnlp>
This way test-app-1.0-SNAPSHOT.jar can be signed with a different cert chain
than javahelp-2.0.02.jar which comes already signed by our friends at Sun
Microsystems. In fact since it is already signed there is no need to sign it.
If you guys could make the webstart plugin detect an already signed JAR and use
this extension mechanism instead of trying to unsign/sign it then you would be
my heros.
Hope this helps.
> [webstart] deal with already signed jars
> ----------------------------------------
>
> Key: MWEBSTART-1
> URL: http://jira.codehaus.org/browse/MWEBSTART-1
> Project: Maven 2.x Webstart Plugin
> Issue Type: New Feature
> Reporter: Jerome Lacoste
> Assignee: Jerome Lacoste
> Fix For: 1.0-alpha-2
>
> Attachments: handleAlreadySignedJars.diff, MWEBSTART-1-patch.diff,
> MWEBSTART-1-test.sh
>
>
> There are potential issues when dealing with including such already signed
> jars in a webstart application.
> In particular see:
> http://jira.codehaus.org/browse/MOJO-7#action_49160
> and the relevant m1 jnlp issues:
> http://jira.codehaus.org/browse/MPJNLP-20
> http://jira.codehaus.org/browse/MPJNLP-28
> According to the feedback I got on the maven user list, I think that, in
> order to satisfy everybody, we need to:
> - handle already signed jars (MPJNLP-28)
> - primarily we need the possibility to unsign a jar. That will probably go
> to jar:unsign.
> - optionally avoid signing jars that are already signed.
> - optionally clean the Manifest (maven1 jnlp feature, to work around SDK 1.3
> issue - See MPJNLP-20)
> Did I miss something?
> Now how do we present that to the user?
> We could:
> - assume that every jar will be signed by default
> - let the user list the operation to perform, maybe using something like:
> <sign>
> <dname>...</dname>
> ...
> <unsign>
> <dependency>...</dependency>
> </unsign>
> <skipSignedJars>true<skipSignedJars>
> <cleanManifest>true</cleanManifest>
> </sign>
> Does that look correct?
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe from this list, please visit:
http://xircles.codehaus.org/manage_email
