It looks like there has been a change by Oracle similar to Java 7u45, where new manifest values needed to be set to run signed Java Webstart applications (see here).
Currently our signed application working with Java 8u131 does not start with Java8u141 with error message Could not verify signing in resource: (arbitrary resource.jar)
Can you still run your signed Webstart application with Java 8u141, i.e. do I have a special problem?
In the release notes is a note to security changes, but they don't look related to code signing. Also crypto roadmap looks like this release has not really changed code signing, despite Java 8u131 for example, where MD5 support was removed. But Java 8u131 is working for me and Maven Java Webstart Plugin also uses SHA-256-Digest.
Oracle has announced that Java Applet and WebStart functionality, including the Applet API, The Java plug-in, the Java Applet Viewer, JNLP and Java Web Start (containing the javaws tool) are all deprecated in JDK 9 and will be removed in a future release.
I have found a solution or more exactly a work-around to the problem. The jar in question was in our case the commons-httpclient-3.1.jar. The manifest contains the following entry
Name: org/apache/commons/httpclient
I added a / at the end and then I signed and re-deployed the application.
Name: org/apache/commons/httpclient/
This time the web start application started without any issues. In both cases the jar was signed with java 8u141, the jarsigner could verify the jar, but the webstart did not start in the first case. In my opinion this is a webstart bug.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With