Self-sign a Java Applet jar archive

The new Java permissions are a painful necessity. Very well, but the implementation is... very complicated. Well, that was in response to the many different security needs.

In all the ruckus, I couldn't find a succinct guide to making simple, safe Java Applets that run as before in a sandbox -- that is, with no access to local resources, and with communications only to the originating server, so no worry for the user. And I saw lots of other people asking the same question, and getting answers that worked only partially at best.

So here is the procedure I pieced together. It's not all that hard for a programmer to do, and results in relatively little annoyance for the user.

The user is warned that the applet is self-signed, and that they should run such programs only from web sites they trust. They are given the ability to run the applet, and to remember that decision, so in principle they can run the applet repeatedly, seeing only one initial warning.

It escapes me how an applet running in a sandbox over a secure connection would constitute a threat, and merit any warning at all. It also escapes me how signing would make it safe to give a program access to a user's hard disk. These are questions for greater minds than mine.

Three steps

1. Jar manifest line:

        Permissions: sandbox

2. HTML applet tag parameter:

        <param name="permissions" value="sandbox"/>

3. Sign the jar file. This is rather complicated; read on.

Signing the jar file.

Make a self-signed keystore file.

I did this in Linux using the Java JDK command keytool:

        keytool -genkey -v -keystore my.keystore -alias my_domain \
                -keyalg RSA -validity 10000

Just make up a password and answer the questions as well as possible. The domain has to match the domain of the applet packages, I think.

Generate a signed jar file using the keystore.

I made rules in my ant build.xml file:

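        <!-- Current JDKs list MD5 in jdk.jar.disabledAlgorithms and treat
             an MD5-signed jar as unsigned, and they restrict SHA-1, so
             SHA-256 is used for both the signature and the digests. -->
        <signjar destDir="signed"
                alias="my_domain"
                keystore="signing/my.keystore"
                storepass="1fora11"
                preservelastmodified="true"
                sigalg="SHA256withRSA"
                digestalg="SHA-256"
                tsaurl="http://timestamp.digicert.com"
                >
                <path>
                        <fileset dir="." includes="*.jar" />
                </path>
                <flattenmapper />
        </signjar>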
	

This gets the jar file from the current path and puts the signed file in destDir. Alter destDir, alias and keystore to find and match the keystore file.

I put the above rules in an ant target:

	<target name="sign" depends="compile">
		<signjar ...
	</target>
	

so after building the jar file, I just type ant sign, and the signed jar appears in the directory signed/.
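
A pre-deployment check for the three steps above, as an added example that is not part of the original page: it reads a jar's manifest and signature file and reports whether Permissions: sandbox is set, whether the jar is signed, and whether the digest is MD5 or SHA-1, which current JDKs reject or restrict for signed jars. The function names and the jar name MyApplet.jar are made up for illustration, and check_jar assumes unzip is installed.

```sh
#!/bin/sh
# Added example, not the page author's code. All function names are hypothetical.

# Print a main-section manifest attribute read from stdin. Handles CRLF,
# continuation lines (leading space) and case-insensitive names; the
# main section ends at the first blank line.
manifest_attr() {
  awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    { sub(/\r$/, "") }
    /^$/ { exit }
    /^ / { if (hit) val = val substr($0, 2); next }
    { hit = 0; i = index($0, ": ")
      if (i && tolower(substr($0, 1, i - 1)) == want) {
        val = substr($0, i + 2); hit = 1 } }
    END { print val }'
}

# Print the digest name used in a signature file (.SF) read from stdin,
# e.g. "SHA1" from "SHA1-Digest-Manifest: ...".
sf_digest() {
  awk '{ sub(/\r$/, "") }
       /-Digest-Manifest/ { split($0, p, "-Digest-Manifest"); print p[1]; exit }'
}

# Decide from the two extracted values: prints a reason, returns 0 if OK.
verdict() {
  [ "$1" = sandbox ] ||
    { echo "Permissions is '${1:-missing}', expected sandbox"; return 1; }
  case "$2" in
    '') echo "no META-INF/*.SF digest: jar is not signed"; return 1 ;;
    MD5|SHA1|SHA-1) echo "weak digest $2: re-sign with SHA-256"; return 1 ;;
    *) echo "ok: sandbox, digest $2" ;;
  esac
}

# Check one jar file, e.g. check_jar signed/MyApplet.jar (assumes unzip).
check_jar() {
  perm=$(unzip -p "$1" META-INF/MANIFEST.MF | manifest_attr Permissions)
  sf=$(unzip -Z1 "$1" | grep -i '^META-INF/[^/]*\.SF$' | head -n 1)
  alg=""
  [ -z "$sf" ] || alg=$(unzip -p "$1" "$sf" | sf_digest)
  verdict "$perm" "$alg"
}
```

The digest check covers digestalg only; the signature algorithm (sigalg) lives in the binary signature block and is reported by jarsigner -verify -verbose.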