Pivot / PIVOT-500

JNLP demos that use signed JARs fail to launch

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Not a Problem
    • Affects Version/s: None
    • Fix Version/s: 2.0.1
    • Component/s: demos
    • Labels:
      None

      Description

      The exception in the Web Start console doesn't offer much help:

      java.lang.NullPointerException
      at java.util.jar.JarVerifier.mapSignersToCodeSource(JarVerifier.java:497)
      at java.util.jar.JarVerifier.mapSignersToCodeSources(JarVerifier.java:509)
      at java.util.jar.JarVerifier.getCodeSources(JarVerifier.java:827)
      at java.util.jar.JarFile.getCodeSources(JarFile.java:622)
      at java.util.jar.JavaUtilJarAccessImpl.getCodeSources(JavaUtilJarAccessImpl.java:25)
      at com.sun.deploy.cache.DeployCacheJarAccessImpl.getCodeSources(DeployCacheJarAccessImpl.java:60)
      at com.sun.javaws.security.SigningInfo.getCommonCodeSignersForJar(SigningInfo.java:382)
      at com.sun.javaws.security.SigningInfo.check(SigningInfo.java:291)
      at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(LaunchDownload.java:1498)
      at com.sun.javaws.LaunchDownload.checkSignedResources(LaunchDownload.java:1268)
      at com.sun.javaws.Launcher.prepareResources(Launcher.java:1222)
      at com.sun.javaws.Launcher.prepareAllResources(Launcher.java:624)
      at com.sun.javaws.Launcher.prepareToLaunch(Launcher.java:332)
      at com.sun.javaws.Launcher.prepareToLaunch(Launcher.java:204)
      at com.sun.javaws.Launcher.launch(Launcher.java:121)
      at com.sun.javaws.Main.launchApp(Main.java:418)
      at com.sun.javaws.Main.continueInSecureThread(Main.java:255)
      at com.sun.javaws.Main$1.run(Main.java:115)
      at java.lang.Thread.run(Thread.java:637)

          Activity

          Noel Grandin added a comment -

          Are you using the JNLP compressor?

          I seem to remember there is some weird interaction between the two, which requires an extra step in the build process. I'll try and dig it out of my old project build files tomorrow.

          Sandro Martini added a comment -

          Hi,
          if you are using the JNLP compressor, I remember something related to jar signing, that should be done with a repack option after the compression, or something like this ...

          And another small thing, are you sure that our signing certificate (under etc) is not expired?
          Last year we had a similar issue ... so in any case it could be useful to renew the expiration date on our (self-signed) certificate.

          Bye,
          Sandro

          Greg Brown added a comment -

          I believe the latest version of the cert is configured not to expire.

          Sandro Martini added a comment -

          Doing a build of Trunk with JDK 6 Update 18 (the best would be to try with Update 20, but at the moment I haven't time to remove and reinstall it), and the latest ant-1.8.1, during the signing of any jar I get this warning from ant:

          [signjar]
          [signjar] Warning:
          [signjar] The signer certificate will expire within six months.

          so probably our (self-signed) certificate could have some problem (and since Java 6 Update 19 I have seen something has changed on this, to have a more secure runtime).

          I'll try to generate a new one, sign jars, etc. and see what happens with our JNLP demos.

          Sandro Martini added a comment -

          Get some info from the certificate, this is the command and related output:

          pivot_trunk\etc>keytool -list -v -keystore "pivot.keystore"
          Immettere la password del keystore:

          Tipo keystore: JKS
          Provider keystore: SUN

          Il keystore contiene 1 entry

          Nome alias: pivot
          Data di creazione: 13-ott-2009
          Tipo di voce: PrivateKeyEntry
          Lunghezza catena certificati: 1
          Certificato[1]:
          Proprietario: CN=Apache Pivot, OU=Apache Incubator, O=Apache Software Foundation
          , L=Cambridge, ST=MA, C=US
          Autorità emittente: CN=Apache Pivot, OU=Apache Incubator, O=Apache Software Foun
          dation, L=Cambridge, ST=MA, C=US
          Numero di serie: 4ad4591f
          Valido da: Tue Oct 13 12:40:31 CEST 2009 a: Wed Oct 13 12:40:31 CEST 2010
          Impronte digitali certificato:
          MD5: 0D:2C:7C:B8:06:B6:C9:5C:9D:76:D0:0B:A8:AE:F9:E8
          SHA1: C0:A9:C5:69:6B:86:CB:5B:1A:A3:80:B3:F0:7D:08:C5:D7:48:E9:88
          Nome algoritmo firma: SHA1withRSA
          Versione: 3

          *******************************************
          *******************************************

          I think we should re-generate it, at least to remove the "Apache Incubator" ... and give it more days of validity.
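
An added example, not part of the original thread or of the Pivot build: a check that could run after the signing step to confirm every entry of a JAR is signed and to flag a signer certificate close to the end of its validity window, like the one in the keytool output above. The class name `SignedJarCheck` and the 180-day threshold are assumptions.

```java
import java.io.File;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example; class name and threshold are assumptions, not Pivot code.
public class SignedJarCheck {
    static final long MIN_DAYS_LEFT = 180; // assumed policy threshold

    public static void main(String[] args) throws Exception {
        boolean ok = args.length > 0;
        for (String path : args) ok &= check(new File(path));
        System.exit(ok ? 0 : 1);
    }

    static boolean check(File file) throws Exception {
        boolean ok = true;
        Set<String> reported = new HashSet<>();
        long limit = System.currentTimeMillis() + MIN_DAYS_LEFT * 86_400_000L;
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(file, true)) { // true = verify signatures
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                // The manifest and the signature files are not themselves signed.
                if (entry.isDirectory() || entry.getName()
                        .matches("(?i)META-INF/(MANIFEST\\.MF|[^/]+\\.(SF|RSA|DSA|EC))")) continue;
                // Signers are known only after the entry is fully read; tampering throws here.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    ok = false;
                    System.out.println(file + ": unsigned entry " + entry.getName());
                    continue;
                }
                for (CodeSigner s : signers) {
                    X509Certificate cert =
                        (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    if (cert.getNotAfter().getTime() >= limit) continue;
                    ok = false; // signer certificate expires inside the threshold
                    if (reported.add(cert.getSubjectX500Principal().getName()))
                        System.out.println(file + ": signer cert valid only until " + cert.getNotAfter());
                }
            }
        }
        return ok;
    }
}
```

Compile with `javac` and pass the signed JARs as arguments; the exit status is 1 when any entry is unsigned or a signer certificate falls inside the threshold.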

          Greg Brown added a comment -

          The issue with Ant 1.8 is captured in PIVOT-502.

          I agree that we should regenerate the cert and remove the Incubator reference, but I'm not sure that will resolve the problem. I'm guessing that the new security settings in J6u20 will prevent us from using any self-signed certificate, regardless of age, but I could be wrong about that. Either way, the long-term fix is probably to get a valid cert. In the meantime, I think we should just pull the JNLP links to the signed apps.

          Sandro Martini added a comment -

          Hi Greg,
          before hiding (temporarily) the signed demos from the page, I'm trying to better understand where the problem is.
          The expiration of the certificate is only a warning, so it isn't the problem, but it should be re-generated before the 1.5 release; tell me if you want me to do it.

          Can you explain better in which cases it gives you the error?
          I've just tried to execute many JNLP from the pivot-demos.war (just re-generated from pivot trunk) from a local Tomcat, but everything works fine in my environment (and with JRE 6 Update 20, on Windows 7).

          I've read something related to the recent change in JRE 6 Update 19 and it seems that it should be Web Start that raises problems if there is/there isn't the security inside jnlp files, or something like this ... too many outdated or partial docs, I'm trying to see if this could be the problem.
          For example, some fresh info here: http://forums.sun.com/thread.jspa?threadID=5435627

          Let's update soon on this.

          Bye

          Greg Brown added a comment -

          Click on the Stock Tracker JNLP link on this page:

          http://ixnay.biz/pivot-demos/

          Does it work for you? Using J6u20 in Mac OS X and Windows XP, I get the exception shown in the original bug report.

          Sandro Martini added a comment -

          Hi Greg,
          as you can see I've just tried to execute it also on another PC (Win XP sp3 and Java 6 Update 20), and everything works.

          I've also tried a second run after closing (and emptying browser and Java cache), and removing the Apache Pivot Certificate from the Java Control Panel, and also in this case everything works fine.

          Have you tried to remove the certificate by hand in your environments?

          Tell me if you need more tests.

          Bye,
          Sandro

          Greg Brown added a comment -

          I think we're going to need some more data points on this. I don't see a Pivot cert in my Java Control Panel in XP, and I haven't even been able to find a way to view certs in OS X. In either case, I'm not sure this is something we want to have to ask our users to do.

          Greg Brown added a comment -

          The JNLP links have been temporarily removed from the demos index page to work around this issue. However, we should attempt to resolve this properly in a later release.

          Greg Brown added a comment -

          This appears to be a known issue. See bug #6943522:

          http://download.java.net/jdk6/6u21/promoted/b04/changes/JDK6u21.b04.list.html

          Sandro Martini added a comment -

          Hi,
          this is related to a Java bug (update 19 or 20), to be fixed in Update 21 ... so what do you think about re-enabling this part for the 1.5.1 release?
          Or at least Web Start demos not requiring signed jars?

          I can do it, tell me.

          Bye,
          Sandro

          Greg Brown added a comment -

          I'd prefer to wait until update 21 is available before re-enabling the JNLP links.

          Sandro Martini added a comment -

          Hi to all,
          would someone prefer to do this instead of me (for example Todd who creates the xslt stuff, or Greg, or others too)?
          Otherwise I'll start to look at it, using old sources (Pivot 1.4 if I remember well) of pages, as a reference to see how/what to do.

          Note:
          I'm also thinking about a little review of the generated demos page, but before changing it I'll post a test mockup here.

          Bye,
          Sandro

          Greg Brown added a comment -

          Update 21 is still not available on OS X, so I'd prefer to hold off on this fix (or figure out a way to hide the links for Mac browsers - prob. not worth the effort).

          Sandro Martini added a comment -

          I agree with Greg, so postpone this feature (caused by a JRE Bug in Update 19 or 20, and resolved by the Update 21) to our 2.1 release, and see later what to do.

          Sandro Martini added a comment -

          Postpone to 2.1 because JNLP links should be re-enabled in that release.

          Sandro Martini added a comment -

          This was a problem in Java 6 Update 19 and 20 (and if I remember well, only when jar caching was disabled), fixed by Update 21 and later, so now it's safe to close it (currently we have Java 6 Update 24).


            People

            • Assignee:
              Sandro Martini
              Reporter:
              Greg Brown