Applet is no longer signed after repackaging signed .cab files as .jar files


Symptoms

After repackaging signed .cab files as .jar files, an applet running in the Sun JRE is treated as unsigned. The same applet packaged as .cab files runs as signed in the Microsoft VM.

Cause

Microsoft supports applet signing through its own proprietary Authenticode and .cab file technologies. The signing information is lost in the process of repackaging. As a result, the Sun JVM treats the .jar files as unsigned.

Resolution

The workaround is to sign the .jar files using the jarsigner tool from the JDK:

  1. Obtain the Sun Java Signing certificate from VeriSign or the Java Code Signing certificate from Thawte or similar certificates from other Certificate Authorities (CAs).
  2. Import the certificate into your keystore using keytool and an alias name. For example:
    C:\>C:\j2sdk1.5\bin\keytool -import -alias MyCert -file VSSStanleyNew.cer
  3. Use jarsigner to sign the .jar file, using the RSA credentials in your keystore that were generated in the previous step. Make sure the same alias name is specified, for example:
    C:\>C:\j2sdk1.5\bin\jarsigner C:\TestApplet.jar MyCert
    Enter Passphrase for keystore: ********
  4. Use "jarsigner -verify -verbose -certs" to verify the .jar files.
    C:\>C:\jdk1.4.2\bin\jarsigner -verify -verbose -certs d:\TestApplet.jar
    
    
             245 Wed Mar 10 11:48:52 PST 2000 META-INF/manifest.mf
             187 Wed Mar 10 11:48:52 PST 2000 META-INF/MYCERT.SF
             968 Wed Mar 10 11:48:52 PST 2000 META-INF/MYCERT.RSA
    smk      943 Wed Mar 10 11:48:52 PST 2000 TestApplet.class
    smk      163 Wed Mar 10 11:48:52 PST 2000 TestHelper.class
    
          X.509, CN=XXXXXXX YYY, OU=Java Software, 
                    O=Sun Microsystems, L=Cupertino, 
                    ST=CA, C=US (mycert)
          X.509, CN=Sun Microsystems, OU=Java Plug-in QA, 
                    O=Sun Microsystems, L=Cupertino, ST=CA, C=US
          X.509, EmailAddress=server-certs@thawte.com, 
                    CN=Thawte Server CA, OU=Certification 
                    Services Division, O=Thawte Consulting cc, 
                    L=Cape Town, ST=Western Cape, C=ZA
    
    
      s = signature was verified
      m = entry is listed in manifest
      k = at least one certificate was found in keystore
      i = at least one certificate was found in identity scope
    
    jar verified.
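
As an added example (not part of the original page or of the JDK), the Python code below parses "jarsigner -verify -verbose" output in the layout shown above and lists payload entries that lack the s flag, which is how files added or repackaged after signing show up. The function name audit and both sample listings are constructed for illustration, and the timestamp layout is assumed to match the listing above.

```python
import re

# One listing line: optional flags (s, m, k, i), size, timestamp, entry name.
ENTRY = re.compile(
    r"^\s*(?P<flags>[smki]*)\s*(?P<size>\d+)\s+"
    r"\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ \d{4} (?P<name>\S.*?)\s*$"
)
# The manifest and signature files carry the signature and are not signed themselves.
SIG_FILE = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$", re.I)

def audit(output):
    """Return (ok, unsigned): ok only if every payload entry has the 's' flag."""
    lines = output.splitlines()
    payload, unsigned = 0, []
    for line in lines:
        m = ENTRY.match(line)
        if not m or SIG_FILE.match(m.group("name")):
            continue
        payload += 1
        if "s" not in m.group("flags"):
            unsigned.append(m.group("name"))
    verified = any(l.strip() == "jar verified." for l in lines)
    return verified and payload > 0 and not unsigned, unsigned

# Constructed sample output, modelled on the listing above.
SIGNED = """
         245 Wed Mar 10 11:48:52 PST 2000 META-INF/manifest.mf
         187 Wed Mar 10 11:48:52 PST 2000 META-INF/MYCERT.SF
         968 Wed Mar 10 11:48:52 PST 2000 META-INF/MYCERT.RSA
smk      943 Wed Mar 10 11:48:52 PST 2000 TestApplet.class
smk      163 Wed Mar 10 11:48:52 PST 2000 TestHelper.class

jar verified.
"""
# Constructed: Extra.class was added after signing, so it has no flags.
REPACKAGED = SIGNED.replace(
    "\njar verified.",
    "         512 Wed Mar 10 11:50:02 PST 2000 Extra.class\n\njar verified.",
)

if __name__ == "__main__":
    for label, text in (("signed", SIGNED), ("repackaged", REPACKAGED)):
        print(label, audit(text))
```

Feed it the captured output of the verify command in step 4; a non-empty second element names the entries that the JRE will not treat as signed.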

Related Information

See Code Signing by VeriSign and code-signing certificate support by Thawte.