Code signing not working #387

Open
K-4U opened this issue Jun 14, 2021 · 7 comments

K-4U commented Jun 14, 2021

We've been running the javafx-maven-plugin for a while now, but due to some problems with me having to update Java on my new laptop... I couldn't get JavaFX running anymore, let alone webstart.

Eventually managed to get webstart sorta running, but it doesn't work with the application we use.
I found openwebstart, which is based on icedtea-webstart.

However, your maven plugin doesn't play well with it.

The issue is that "proper" jnlp requires an application-desc tag, rather than an fx:app-desc.
That's easily fixed.

My main concern at this moment is that the plugin says that it's signing all the jars (dependencies) but openwebstart (and jarsigner) say it hasn't.

My configuration is as follows, although I honestly have no idea anymore how I generated the keystore. It's been a while:

<plugin>
	<groupId>com.zenjava</groupId>
	<artifactId>javafx-maven-plugin</artifactId>
	<version>8.8.3</version>
	<configuration>
		<!-- for target jfx:web -->
		<title>Application</title>
		<description>DESCRIPTION WITHELD</description>
		<vendor>Haynes-Pro</vendor>
		<appName>app-name</appName>
		<mainClass>com.haynespro.client.AppName</mainClass>
		<!--					<keyStore>${bamboo.keystore_location}</keyStore>-->
		<allPermissions>true</allPermissions>
		<bundleArguments>
			<jnlp.allPermissions>true</jnlp.allPermissions>
			<jnlp.includeDT>true</jnlp.includeDT>
			<jnlp.outfile>app-name</jnlp.outfile>
		</bundleArguments>
		<!-- for target jfx:generate-key-store -->
		<certDomain>10.0.0.52</certDomain>
		<certOrgUnit>Client</certOrgUnit>
		<certOrg>Haynes-Pro</certOrg>
		<certState>Utrecht</certState>
		<certCountry>NL</certCountry>
		<overwriteKeyStore>true</overwriteKeyStore>

		<noBlobSigning>true</noBlobSigning>
		<additionalJarsignerParameters>
			<additionalJarsignerParameter>-storetype</additionalJarsignerParameter>
			<additionalJarsignerParameter>PKCS11</additionalJarsignerParameter>
			<additionalJarsignerParameter>-tsa</additionalJarsignerParameter>
			<additionalJarsignerParameter>http://timestamp.globalsign.com/scripts/timestamp.dll</additionalJarsignerParameter>
			<additionalJarsignerParameter>-providerClass</additionalJarsignerParameter>
			<additionalJarsignerParameter>sun.security.pkcs11.SunPKCS11</additionalJarsignerParameter>
			<additionalJarsignerParameter>-providerArg</additionalJarsignerParameter>
		</additionalJarsignerParameters>
		<bundler>jnlp</bundler>
		<j2seVersion>1.8+</j2seVersion>
	</configuration>
</plugin>

I've been trying loads of things, so this isn't how we used to have it, but I feel there's barely any change to what it does now.

The logs however still do show:

No base JDK. Package will use system JRE.
No base JDK. Package will use system JRE.
[INFO] Permissions requested, signing JAR files for webstart bundle
Signing (BLOB) /Users/k.beckers/repositories/edm-client/target/jfx/web/app-name-2.0.1-jfx.jar
Signing (BLOB) /Users/k.beckers/repositories/edm-client/target/jfx/web/lib/fontawesomefx-8.9.jar

Any insight you can give me into what I'm doing wrong would be really amazing. Thank you in advance :)

@FibreFoX
Member

At first glance I would say that maven is not configured to use the right JDK. What does mvn -v print out?

@K-4U
Author

K-4U commented Jun 15, 2021

Maven home: /Users/k.beckers/Library/Application Support/JetBrains/Toolbox/apps/IDEA-U/ch-0/211.7142.45/IntelliJ IDEA.app/Contents/plugins/maven/lib/maven3
Java version: 1.8.0_292, vendor: Azul Systems, Inc., runtime: /Library/Java/JavaVirtualMachines/zulu-8.jdk/Contents/Home/jre
Default locale: en_NL, platform encoding: UTF-8
OS name: "mac os x", version: "10.16", arch: "x86_64", family: "mac"

Process finished with exit code 0

I had to run it in IntelliJ because that's what I always do.
That said, apparently I have no JAVA_HOME variable... It's been a long two days

@FibreFoX
Member

IntelliJ, as far as I am aware, brings its own JRE, but maven needs some JDK. I'm using Netbeans (hehe) but I have often encountered users who were not aware of the bundled JRE of IntelliJ, which sometimes causes "big surprises".

Regarding the AZUL JDK, I'm not yet testing with other JDKs .... I'm kinda working on getting back to JDK-development in the background (with my local gitlab instance), will take that on my "todo"-list.

@K-4U
Author

K-4U commented Jun 15, 2021

Hmm, after talking it over with a coworker, it seems that we don't actually have a valid code-signing certificate (I was under the impression that we did).

Using jarsigner I've verified that the jars weren't actually signed, however I'm not sure if that can distinguish between a self-signed certificate and an unsigned jar.

@FibreFoX
Member

Apart from jarsigner, you could look into the generated JAR file to see whether the signing files inside the META-INF folder exist.
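
The META-INF check suggested above, as an added Python example that is not part of the thread or the plugin's code. It reports which kind of signing files a JAR carries and lists entries the `.SF` file does not cover; the `META-INF/SIGNATURE.BSF` name for JavaFX blob signatures is an assumption, and the sample JARs are constructed in memory.

```python
import io
import zipfile

SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")  # signature block files defined by the JAR spec
BLOB_ENTRY = "META-INF/SIGNATURE.BSF"    # assumption: where JavaFX blob signing stores its signature

def named_sections(text):
    """Return the 'Name:' values of a manifest-style file, joining continuation lines."""
    joined = text.replace("\r\n", "\n").replace("\n ", "")
    return {line[6:] for line in joined.split("\n") if line.startswith("Name: ")}

def inspect_jar(jar):
    """Classify a JAR by its META-INF signing files. Presence check only, no signature validation."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        meta = [n for n in names if n.upper().startswith("META-INF/") and n.count("/") == 1]
        sf = [n for n in meta if n.upper().endswith(".SF")]
        blocks = {n.rsplit(".", 1)[0].upper() for n in meta if n.upper().endswith(SIG_BLOCK_EXT)}
        paired = [n for n in sf if n[:-3].upper() in blocks]
        if paired:
            # Entries without a section in the .SF file were not covered by the signer.
            # Simplification: everything under META-INF/ is left out of this comparison.
            covered = named_sections(zf.read(paired[0]).decode("utf-8"))
            payload = {n for n in names if not n.endswith("/") and not n.upper().startswith("META-INF/")}
            return {"status": "jar-signed", "uncovered": sorted(payload - covered)}
        if any(n.upper() == BLOB_ENTRY for n in names):
            return {"status": "blob-signed", "uncovered": []}
        return {"status": "incomplete" if (sf or blocks) else "unsigned", "uncovered": []}

def make_jar(extra):
    """Build a constructed in-memory JAR: a manifest, one class file and the given extra entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        for name, data in extra.items():
            zf.writestr(name, data)
    return buf

# Constructed signature file; the digest value is a placeholder, not a real hash.
SAMPLE_SF = ("Signature-Version: 1.0\r\n\r\n"
             "Name: com/example/App.class\r\nSHA-256-Digest: CONSTRUCTED\r\n\r\n")
SIGNED = {"META-INF/SIGNER.SF": SAMPLE_SF, "META-INF/SIGNER.RSA": b"constructed"}

if __name__ == "__main__":
    for label, extra in [("unsigned", {}), ("jarsigner", SIGNED),
                         ("blob", {BLOB_ENTRY: b"constructed"}),
                         ("added later", {**SIGNED, "com/example/Late.class": b"x"})]:
        print(label, inspect_jar(make_jar(extra)))
```

A JAR signed with a self-signed certificate still carries the `.SF` and block files, so it reports `jar-signed`; whether the certificate is trusted is a separate question this check does not answer.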

@FibreFoX
Member

@K-4U Did you get the chance to check for the signature inside the generated JAR-files?

Meanwhile I am trying to get some Dockerfile setup working to test against Zulu JDK ... if you have any hint how to get a running ZuluFX setup inside Docker, it would really be very appreciated.

@FibreFoX
Member

I tried using a debian:buster docker image with https://cdn.azul.com/zulu/bin/zulu8.56.0.21-ca-fx-jdk8.0.302-linux_amd64.deb being installed (Zulu.8.56.0.21 with JavaFX ... sadly only available as DEB package instead of prebuilt docker-image), I did not encounter any problem building the javafx-maven-plugin, which does contain using the jarsigner command with the generate-keystore goal ... right now I can not find any problem.

Will wait until some feedback from our side.
