Partially multiply signed jars
I'm reusing jars from a provider that signs them, and I'm also building my own jars that I'm signing.
I would like to know which one of the following scenario should work:
a) My application has my jars signed by me, the provider jars are pre-signed.
b) My application has my jars signed by me, and the provider jars contain the original signature and my signature.
c) My application has my jars signed by me, and the provider jars have been unsigned and re-signed by me.
From my experiments, only the case c) works, am I missing something obvious?
Thx
# 3
You would have to use their -sig alias to overwrite it, but what's the point ?
You can just open the .jar file with a zip/rar/7zip archiver and delete the Manifest with the 3rd party signature, then sign it with yours. (if you want to get rid of their signature).
Multiple signatures is supposed to work, even though i've never succesfully done it, it just claims my app has not been signed with the same certificate.
# 4
> Normal method would be to include the third party
> signed jar in a seperate component extension.
I have seen a form* of that, that work (well) with the
Saverbeans screensavers that used JOGL. The
JOGL classes require full trust and are signed.
We (as developers using the JOGL extension)
can launch 'no-permissions' unsigned, jars
in our main JNLP without any problems.
(* I am guessing this is a similar situation to if
the main JNLP requested extended privileges,
but was signed by a different identity.)
# 5
My app has the following structure:
main.jnlp
| extension1.jnlp
| extension2.jnlp
All the jars contained in extension2.jnlp are signed by X and Y
All the jars contained in extension1.jnlp are signed by Y
The main file only contains one jar which is signed by X and Y (see discussion thread titled Main class not found).
Unfortunately this does not work.
The only combination I have working is where all the jars signed by Y (since I can't sign with X signature).
