[
http://jira.codehaus.org/browse/MNBMODULE-50?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jesse Glick closed MNBMODULE-50.
--------------------------------
Resolution: Won't Fix
Currently {{MakeJNLP}} does not pass {{force="true"}} to {{SignJar}}, so a fix
would need to wait until the next NB release when a new version of the harness
can be bundled.
But I am not convinced that is the correct fix anyway. If some incoming JARs
already have signatures, it is generally preferable to leave that signature
alone. The user must accept that certificate authority if they have not done so
already, but as for the main publisher of the app, this is a one-off acceptance
(and can be reused for other components). And this is what the harness already
does: {{MakeJNLP}} checks for extension JARs which are already signed, and
copies them unmodified to the output, with a separate {{*.jnlp}} file.
> Signing of already signed jars for Java Webstart application
> ------------------------------------------------------------
>
> Key: MNBMODULE-50
> URL: http://jira.codehaus.org/browse/MNBMODULE-50
> Project: Maven NetBeans Module Plugin
> Issue Type: Improvement
> Affects Versions: 3.0
> Environment: All
> Reporter: Pavel Jisl
> Assignee: Jesse Glick
>
> For releasing webstart applications is crucial to have all jars included
> signed with one certificate of the releasing company. If these jars are not
> signed with one unified certificate, Java Webstart system asks for each
> unsigned (or jar with another signature) if user agrees and grants access to
> the system.
> For this case, we need to sign all jars, included in package, with one
> certificate. As we looked into source code of this plugin, one part of
> signing is in org.netbeans.nbbuild.MakeJNLP#signOrCopy(from, to), another in
> CreateWebstartAppMojo (for jnlp-launcher.jar and branding jars). As all these
> uses the ant SignJar task, we submit issue with patch, allowing us to force
> signing of jars (see
> https://issues.apache.org/bugzilla/show_bug.cgi?id=46891). But we are not
> sure, if this will be accepted, because solving of issues in ant is really
> slow.
> Another solution is usage of Maven Jar Plugin. But this plugin denied to sign
> already signed jar. In this case, we must submit patch, allowing us to force
> signing of already signed jars. But there is problem with the MakeJNLP task.
> Using this solution, we must disable signing of jars in MakeJNLP and sign
> jars programmatically using JarSignMojo from Maven Jar Plugin.
> We can see, that the first solution with modification of SignJar task is more
> complex as it solves problems with signing in both MakeJNLP task and
> CreateWebstartAppMojo, but we can expected long delay before the patch will
> be accepted (or worst - rejected). Another solution is not so conceptual, but
> maybe more clear.
> As last instance, we can also contribute modified JarSignMojo class from
> Maven Jar Plugin , that was used in our corporate modified Maven NBM plugin
> 2.7 for creating webstart application. This must be also used programatically
> as the previous solution directly using Maven Jar Plugin.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe from this list, please visit:
http://xircles.codehaus.org/manage_email
