-
Bug
-
Resolution: Cannot Reproduce
-
P3
-
None
-
6u10
-
x86
-
windows_xp
FULL PRODUCT VERSION :
jre 1.6.0_14
ADDITIONAL OS VERSION INFORMATION :
Windows xp or Vista
EXTRA RELEVANT SYSTEM CONFIGURATION :
Java web start
A DESCRIPTION OF THE PROBLEM :
I signed jar files using Thawte digital certificate and add a timestamp with TSA to jar files using following:
Jarsigner -tsa https://timestamp.geotrust.com/tsa ...
It works fine before I installed latest jre version 1.6.0_14. The following error message is showing in the java console.
JAR resources in JNLP file are not signed by same certificate
I created a two very simple HelloWorld jar files. Signed them using the same Thawte certificate and also added the timestamp to them. When jnlp launched, the jar files was downloaded successfully, but error popup when java web start verfied applications.
I resigned the two jar files using the same digital certificate without adding timestamp to them. I tried to run the jnlp. Everything is ok fine.
Conclution:
Java Web Start has a bug when verifing the signed jar files that have been added a timestamp to them, since the new jre release.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
created a two very simple HelloWorld jar files. Signed them using the same digital certificate and also add the timestamp to them using following:
Jarsigner -tsa https://timestamp.geotrust.com/tsa ...
When jnlp launched, the jar files was downloaded successfully, but error popup when java web start verfied applications. Following error message was shown in java console:
JAR resources in JNLP file are not signed by same certificate
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
No error message popup if the jar files signed by a same digital certificate and add a timestamp to them.
ACTUAL -
JAR resources in JNLP file are not signed by same certificate
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Java Web Start 1.6.0_14
Using JRE version 1.6.0_14-b08 Java HotSpot(TM) Client VM
User home directory = C:\Documents and Settings\qlin
----------------------------------------------------
c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
m: print memory usage
o: trigger logging
p: reload proxy configuration
q: hide console
r: reload policy configuration
s: dump system and deployment properties
t: dump thread list
v: dump thread stack
0-5: set trace level to <n>
----------------------------------------------------
Reading certificates from 7122 file:/c:/Test/java/Hello/Hello1.jar | C:\Documents and Settings\qlin\Application Data\Sun\Java\Deployment\cache\6.0\28\2c31719c-78e14bfc.idx
#### Java Web Start Error:
#### JAR resources in JNLP file are not signed by same certificate
JNLPException[category: Launch File Error : Exception: null : LaunchDesc:
<jnlp spec="1.0+" codebase="file:/c:/Test/java/Hello/" version="1.0">
<information>
<title>Omnixx Force SE</title>
<vendor>Datamaxx</vendor>
<homepage href="http://www.datamaxx.com/"/>
<offline-allowed/>
</information>
<security>
<all-permissions/>
</security>
<update check="timeout" policy="always"/>
<resources>
<java initial-heap-size="83886080" max-heap-size="188743680" version="1.6"/>
<jar href="file:/c:/Test/java/Hello/Hello1.jar" download="eager" main="false"/>
<jar href="file:/c:/Test/java/Hello/Hello.jar" download="eager" main="true"/>
</resources>
<application-desc main-class="ShowHello"/>
</jnlp> ]
at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.LaunchDownload.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareLaunchFile(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
<?xml version="1.0" encoding="UTF-8" ?>
<jnlp codebase="file:/c:/Test/java/Hello" spec="1.0+" version="1.0">
<information>
<title>Omnixx Force SE</title>
<vendor>Datamaxx</vendor>
<homepage href="http://www.datamaxx.com/" />
<offline-allowed/>
</information>
<update check="timeout" policy="always"/>
<resources>
<java version="1.6" initial-heap-size="80m" max-heap-size="180m"/>
<jar href="Hello1.jar" main="false" download="eager" />
<jar href="Hello.jar" main="true" download="eager"/>
</resources>
<application-desc main-class="ShowHello"/>
<security>
<all-permissions />
</security>
</jnlp>
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Not to add timestamp when sign the jar files
Release Regression From : 6u13
The above release value was the last known release where this
bug was not reproducible. Since then there has been a regression.
jre 1.6.0_14
ADDITIONAL OS VERSION INFORMATION :
Windows xp or Vista
EXTRA RELEVANT SYSTEM CONFIGURATION :
Java web start
A DESCRIPTION OF THE PROBLEM :
I signed jar files using Thawte digital certificate and add a timestamp with TSA to jar files using following:
Jarsigner -tsa https://timestamp.geotrust.com/tsa ...
It works fine before I installed latest jre version 1.6.0_14. The following error message is showing in the java console.
JAR resources in JNLP file are not signed by same certificate
I created a two very simple HelloWorld jar files. Signed them using the same Thawte certificate and also added the timestamp to them. When jnlp launched, the jar files was downloaded successfully, but error popup when java web start verfied applications.
I resigned the two jar files using the same digital certificate without adding timestamp to them. I tried to run the jnlp. Everything is ok fine.
Conclution:
Java Web Start has a bug when verifing the signed jar files that have been added a timestamp to them, since the new jre release.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
created a two very simple HelloWorld jar files. Signed them using the same digital certificate and also add the timestamp to them using following:
Jarsigner -tsa https://timestamp.geotrust.com/tsa ...
When jnlp launched, the jar files was downloaded successfully, but error popup when java web start verfied applications. Following error message was shown in java console:
JAR resources in JNLP file are not signed by same certificate
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
No error message popup if the jar files signed by a same digital certificate and add a timestamp to them.
ACTUAL -
JAR resources in JNLP file are not signed by same certificate
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Java Web Start 1.6.0_14
Using JRE version 1.6.0_14-b08 Java HotSpot(TM) Client VM
User home directory = C:\Documents and Settings\qlin
----------------------------------------------------
c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
m: print memory usage
o: trigger logging
p: reload proxy configuration
q: hide console
r: reload policy configuration
s: dump system and deployment properties
t: dump thread list
v: dump thread stack
0-5: set trace level to <n>
----------------------------------------------------
Reading certificates from 7122 file:/c:/Test/java/Hello/Hello1.jar | C:\Documents and Settings\qlin\Application Data\Sun\Java\Deployment\cache\6.0\28\2c31719c-78e14bfc.idx
#### Java Web Start Error:
#### JAR resources in JNLP file are not signed by same certificate
JNLPException[category: Launch File Error : Exception: null : LaunchDesc:
<jnlp spec="1.0+" codebase="file:/c:/Test/java/Hello/" version="1.0">
<information>
<title>Omnixx Force SE</title>
<vendor>Datamaxx</vendor>
<homepage href="http://www.datamaxx.com/"/>
<offline-allowed/>
</information>
<security>
<all-permissions/>
</security>
<update check="timeout" policy="always"/>
<resources>
<java initial-heap-size="83886080" max-heap-size="188743680" version="1.6"/>
<jar href="file:/c:/Test/java/Hello/Hello1.jar" download="eager" main="false"/>
<jar href="file:/c:/Test/java/Hello/Hello.jar" download="eager" main="true"/>
</resources>
<application-desc main-class="ShowHello"/>
</jnlp> ]
at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.LaunchDownload.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareLaunchFile(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
<?xml version="1.0" encoding="UTF-8" ?>
<jnlp codebase="file:/c:/Test/java/Hello" spec="1.0+" version="1.0">
<information>
<title>Omnixx Force SE</title>
<vendor>Datamaxx</vendor>
<homepage href="http://www.datamaxx.com/" />
<offline-allowed/>
</information>
<update check="timeout" policy="always"/>
<resources>
<java version="1.6" initial-heap-size="80m" max-heap-size="180m"/>
<jar href="Hello1.jar" main="false" download="eager" />
<jar href="Hello.jar" main="true" download="eager"/>
</resources>
<application-desc main-class="ShowHello"/>
<security>
<all-permissions />
</security>
</jnlp>
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
Not to add timestamp when sign the jar files
Release Regression From : 6u13
The above release value was the last known release where this
bug was not reproducible. Since then there has been a regression.