jar resources in jnlp are not signed by the same certificate

Question

I've been working with web start for a couple years now and have experience with signing the jars and what not. I am taking my first attempt at deploying a RCP app with web start and though I have in fact signed all of the jars with the same certificate I keep getting this error: 'jar resources in jnlp are not signed by the same certificate'

Has anyone else came across this? If so, any ideas on how to fix?

Answer 1

When I had similar problems after checking the jars it turned out that some 3rd party jar was signed by someone else.

You should create a separate jnlp file for the jars signed by the other certificate and read this jnlp from your jnlp file:

<resources>
  ...
  <extension name="other" href="other.jnlp"/>
</resources>

Here or here you can find an example.

Answer 2

This may be a stale manifest entry from an already signed jar that you use as a library. I encountered this problem with jogl via webstart. Try this:

Unzip all jars, purge all META-INF directories, jar and sign them again.

Answer 3

I've found that JNLP/Webstart does not like multiple signatures/signing via jarsigner.exe for a given JAR. If a JAR such as BouncyCastle (which comes presigned) is signed again with your Company's certificate, visual inspection leads me to believe that the new Certificate and Signatures are performed properly in the JAR. but that JNLP may be reading only the first (Alphabetical?) signature in the META-INF, and thereby complaining it doesn't match your other JARs (which have only one, Corporate, signature on each JAR).

Answer 4

I had the exact same experience as described by Matthew with the presigned BouncyCastle JARs. However, I found that JRE version 1.6.0_14 and later will gladly accept JARs with multiple signatures (as I would expect). Hence, I did not need to use the JNLP 'component extension mechanism' described above.

PS Did not find any obvious references to this fix in the 1.6.0_14 release notes. However, I have verified that multiple signed JARs works in all later versions (at least 14 - 17 + 24).

Answer 5

See the explanation for one of the FAQ: How do I use multiple JAR files signed by different certificates?

Right solution.

Answer 6

The following script lists serial number of the RSA certificate in each jar in /some/lib directory and helps to find jars that are signed by the wrong certificate:

for f in $( find /some/lib -type f -name '*.jar' )
do 
   serial=$( unzip -p $f 'META-INF/*.RSA' | 
             openssl pkcs7 -inform der -print -noout |
             grep --max-count=1 serialNumber | cut -d: -f2- | tr -d ' ' )
   printf "%40s: %s\n" "$serial" "$f"
done

Answer 7

In my project, what happened is that there are couple of instances in the load balancer pool, there are some instances with old version of code and some with new version. Thus there are certificates not signed by same certificate...