Signed JAR being blocked by Java Security

Question

I'm racking my brains as to why when I'm signing my JAR using a code signing certificate which has been used before, I still get a Java Security Application Blocked dialog which stipulates that my application is self-signed:

However, when I run the jarsigner verify command from a machine that I didn't use to sign the app (replaced actual company name with Acme for anonymity):

jarsigner -verify -certs -verbose RegistrySafeLauncher.jar


s        821 Wed Oct 21 09:25:42 BST 2015 META-INF/MANIFEST.MF

      X.509, CN="Acme Software, Inc.", OU=Acme Software Corp, OU=Digital ID Class 3 - Java Object Signing, O="Acme Software, Inc.", L=Sunnyvale, ST=California, C=US
      [certificate is valid from 11/5/13 12:00 AM to 11/4/16 11:59 PM]
      X.509, CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
      [certificate is valid from 2/8/10 12:00 AM to 2/7/20 11:59 PM]
      X.509, CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
      [certificate is valid from 11/8/06 12:00 AM to 11/7/21 11:59 PM]
      X.509, OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
      [certificate is valid from 1/29/96 12:00 AM to 8/3/28 12:59 AM]

         561 Wed Oct 21 09:25:42 BST 2015 META-INF/MYKEY.SF
        5345 Wed Oct 21 09:25:42 BST 2015 META-INF/MYKEY.RSA
           0 Wed Oct 21 09:25:44 BST 2015 META-INF/
           0 Wed Oct 21 09:25:44 BST 2015 registrysafelauncher/
sm      1067 Wed Oct 21 09:25:42 BST 2015 META-INF/INDEX.LIST

      X.509, CN="Acme Software, Inc.", OU=Acme Software Corp, OU=Digital ID Class 3 - Java Object Signing, O="Acme Software, Inc.", L=Sunnyvale, ST=California, C=US
      [certificate is valid from 11/5/13 12:00 AM to 11/4/16 11:59 PM]
      X.509, CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
      [certificate is valid from 2/8/10 12:00 AM to 2/7/20 11:59 PM]
      X.509, CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
      [certificate is valid from 11/8/06 12:00 AM to 11/7/21 11:59 PM]
      X.509, OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
      [certificate is valid from 1/29/96 12:00 AM to 8/3/28 12:59 AM]

sm      1441 Wed Oct 21 09:25:44 BST 2015 registrysafelauncher/RegistrySafeLauncher$1.class

      X.509, CN="Acme Software, Inc.", OU=Acme Software Corp, OU=Digital ID Class 3 - Java Object Signing, O="Acme Software, Inc.", L=Sunnyvale, ST=California, C=US
      [certificate is valid from 11/5/13 12:00 AM to 11/4/16 11:59 PM]
      X.509, CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
      [certificate is valid from 2/8/10 12:00 AM to 2/7/20 11:59 PM]
      X.509, CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
      [certificate is valid from 11/8/06 12:00 AM to 11/7/21 11:59 PM]
      X.509, OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
      [certificate is valid from 1/29/96 12:00 AM to 8/3/28 12:59 AM]

sm      1765 Wed Oct 21 09:25:44 BST 2015 registrysafelauncher/RegistrySafeLauncher.class

      X.509, CN="Acme Software, Inc.", OU=Acme Software Corp, OU=Digital ID Class 3 - Java Object Signing, O="Acme Software, Inc.", L=Sunnyvale, ST=California, C=US
      [certificate is valid from 11/5/13 12:00 AM to 11/4/16 11:59 PM]
      X.509, CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
      [certificate is valid from 2/8/10 12:00 AM to 2/7/20 11:59 PM]
      X.509, CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
      [certificate is valid from 11/8/06 12:00 AM to 11/7/21 11:59 PM]
      X.509, OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
      [certificate is valid from 1/29/96 12:00 AM to 8/3/28 12:59 AM]


  s = signature was verified 
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

Warning: 
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2016-11-04) or after any future revocation date.

And the manifest file in the built JAR looks like this:

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.9.4
X-COMMENT: Main-Class will be added automatically by build
Application-Library-Allowable-Codebase: *.acme.net http://localhost*
Application-Name: RegistrySafeLauncher
Class-Path: lib/jna-4.2.0.jar lib/jna-platform-4.2.0.jar
Permissions: all-permissions
Created-By: 1.7.0_80-b15 (Oracle Corporation)
Caller-Allowable-Codebase: *.acme.net http://localhost*
Main-Class: registrysafelauncher.RegistrySafeLauncher
Codebase: *

Name: registrysafelauncher/RegistrySafeLauncher.class
SHA-256-Digest: lA2UH1iNCFqmNeXTlD/5Gik+DGfkA64F34T3i6ArSEM=

Name: registrysafelauncher/RegistrySafeLauncher$1.class
SHA-256-Digest: kNyCx9f9FwWHAV/Mf4D+9KIJJfFHdcrTUNnEdiXwWmw=

Name: META-INF/INDEX.LIST
SHA-256-Digest: 7A/Nhqqvf7wBQNaAj0actnzwuWocUJv6R8/+QZyURmw=

What am I missing? Am I missing something in my manifest file or is the link to the CA (VeriSign) not right on the machine I'm building on?

****** Later update: ******

After playing around with my jnlp file so that it looks like this:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<jnlp codebase="http://localhost/jnlptestcaller" href="launch.aspx" spec="1.0+">
    <information>
        <title>RegistrySafeLauncher</title>
        <vendor>Acme Software, Inc.</vendor>
        <homepage href=""/>
        <description>RegistrySafeLauncher</description>
        <description kind="short">RegistrySafeLauncher</description>
    </information>
    <update check="background"/>
    <security>
<all-permissions/>
</security>
    <resources>
        <j2se version="1.7+"/>
        <jar href="RegistrySafeLauncher.jar" main="true"/>
        <jar href="lib/jna-4.2.0.jar"/>
        <jar href="lib/jna-platform-4.2.0.jar"/>
    </resources>
    <application-desc main-class="registrysafelauncher.RegistrySafeLauncher">
        <argument>JavaAgent.jnlp.aspx</argument>
    </application-desc>
</jnlp>

I now get this slightly different security warning:

How can I get rid of this warning?

Answer 1

As of Java 7 update 51 self-signed certificates will be blocked.

As the linked page discusses, there are numerous resources for "properly implementing secure practices":

• JAR File Manifest Attributes for Security
• Java SE 7 Security Documentation
• Secure Coding Guidelines for the Java Programming Language

And while this is not a general solution (because you should not expect users to do this), for a quick fix:

you can use the Exception Site list feature to run the applications blocked by security settings. Adding the URL of the blocked application to the Exception Site list allows it to run with some warnings.