JSAMP 1.3-3 release

Mark Taylor m.b.taylor at bristol.ac.uk
Wed Oct 31 03:01:08 PDT 2012


Laurent,

you're welcome to re-package or re-sign these classes however suits
you, but note that the signing certificate used in the distributed
JSAMP jar file has a well-known root authority (I had to pay money
for this), and I don't think that's the case for the JMMC signed jars,
which are effectively self-signed.  This means that browsers and
WebStart will treat the JSAMP jar as more trustworthy.
Probably once the JSAMP jar is combined in an application with other
jar files, any such trust is lost.

I really had this in mind just as an advantage for people who want
to run a JSAMP hub from JNLP (using just the JSAMP jar file),
I'm not expecting it to make any difference if JSAMP is used as
part of a larger application.

I still have a somewhat hazy idea of the way all this security
business works though, so there may be implications I haven't
thought through.  In particular, if it would be useful for me
to provide an unsigned jar file alongside the signed one, I can
do that (though of course it's easy enough to do it yourself
by just unjarring and then rejarring the contents).

Mark

On Wed, 31 Oct 2012, Laurent Bourgès wrote:

> Thanks a lot !
> 
> I will test your signed jar file as we encountered several times
> problems with signed jars:
> as JMMC applications are also signed with our own JMMC certificate (to
> grant privileges), third party libraries must be also signed also with
> our JMMC (multiple signatures).
> 
> If I remember well, Java Web Start implementation on mac platform are
> very sensitive to this issue.
> 
> Two solutions:
> - sign the signed jsamp jar file with the provider certificate
> (multiple signatures)
> - extract the jar file content and create a new jar file signed with
> the provider certificate
> 
> If anybody encountered also such problems, please give me advices or
> feedback in response.
> 
> Regards,
> Laurent
> 
> 2012/10/30 Mark Taylor <m.b.taylor at bristol.ac.uk>:
> > Hi all,
> >
> > this is to announce the release of JSAMP v1.3-3, which you can
> > find at:
> >
> >    http://software.astrogrid.org/doc/jsamp/
> >
> > This is mostly a bugfix release, details in the change log at
> > http://software.astrogrid.org/doc/p/jsamp/1.3-3/history.html#Version_1_3-3.
> > The bugs are mostly fairly minor.
> >
> > Thanks to Laurent Bourges and Sylvain Lafrasse at JMMC who provided
> > a lot of help in tracking down and providing fixes for bugs.
> >
> > The other notable thing is that the distributed jar file is
> > now signed with a Thawte code-signing certificate.  Since the
> > relevant authority is installed in JREs (and/or?) browsers,
> > that means that if you use it with an appropriate JNLP file
> > to start a hub running, WebStart will not complain about being
> > unable to verify the identity of the publisher.  This makes it
> > that bit more straightforward/less scary for users to launch
> > a SAMP hub.
> >
> > Mark
> >
> > --
> > Mark Taylor   Astronomical Programmer   Physics, Bristol University, UK
> > m.b.taylor at bris.ac.uk +44-117-9288776  http://www.star.bris.ac.uk/~mbt/
> 

--
Mark Taylor   Astronomical Programmer   Physics, Bristol University, UK
m.b.taylor at bris.ac.uk +44-117-9288776  http://www.star.bris.ac.uk/~mbt/


More information about the apps mailing list