Hi,
While launching an application with signed jar files, OpenWebStart complains with the message "The application's digital signature cannot be verified...". The certificate used to sign the jar files is issued from
CN=thawte SHA256 Code Signing CA - G2
and this is issued from
CN=thawte Primary Root CA - G3
I found that only the "CN=thawte Primary Root CA - G3" is available in the OpenWebStart trust store. But the code signing CA "CN=thawte SHA256 Code Signing CA - G2" is missing. So OpenWebStart can't verify the trust chain. After downloading the "CN=thawte SHA256 Code Signing CA - G2" from Thawte and importing it, it works.
It would be great if this well known code signing CA from Thawte would be included by default in the OpenWebStart keystore to verify signed jars. Maybe all applications which are signed with a Thawte code signing certificate will have this issue. The manual step to download and import this missing CA may be an issue for OpenWebStart users.
Here are the details of this missing certificate:
Thanks and regards,
Frank
[SOLVED] Thawte code signing issuer CA missing
- Posts: 232
- Joined: 27 Mar 2020, 09:55
Re: Thawte code signing issuer CA missing
Hi
Thank you for reporting this.
OpenWebStart does not maintain a curated collection of certificates. Rather it relies on the JVM which brings a default set of certificates.
With our half-year releases (spring and fall) we also update the bundled JVM and thus the included certificates.
But this is only half of the solution. Besides the bundled JVM, OpenWebStart will also launch a different JVM for the application. The selected JVM is determined by the JNLP and the configuration of OpenWebStart. As a consequence, during the execution of the application the certificates of the selected JVM are available. We do not have any influence on the JVM which is chosen and thus cannot control which certificates will be available.
We are happy to hear that you have found a workaround and hope others will find your solution useful if they encounter the same issue.
- Posts: 758
- Joined: 24 Mar 2020, 13:37
Re: Thawte code signing issuer CA missing
> After downloading the "CN=thawte SHA256 Code Signing CA - G2" from Thawte and imported it, it works.
Just for information, in which JVM's certificate store did you import the above certificate, OWS's bundled JVM or the JVM that you use to run the app?
Thanks
Re: Thawte code signing issuer CA missing
Hi all,
@Stephan: Thanks for the explanation about the certificate handling. It looks like software vendors which sign jar files should try to find a signing certificate from a CA which uses one of the well known root CAs for signing instead of relying on some intermediate signing certificates.
@Janak: I've imported it via the OpenWebStart certificate viewer as a "Trusted Certificate" as "user". The keystore path is shown as /home/<userid>/.config/icedtea-web/security/trusted.certs
Frank
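The two posts above describe the check that fails: the JVM selected for the application builds a certificate path from the certificates embedded in the jar's signature block plus the trust anchors in whatever keystore it consults (the JVM's cacerts, or the user store at ~/.config/icedtea-web/security/trusted.certs), and the path breaks when the intermediate "thawte SHA256 Code Signing CA - G2" is in neither place. The following is an added diagnostic, written for this thread and not code from OpenWebStart or from any poster, that reproduces that check with the standard JCA PKIX validator and names the issuer that is missing. It assumes the jar and keystore paths are given on the command line, that the keystore password is the IcedTea-Web default "changeit" unless a third argument overrides it (an assumption), and it disables revocation checking and ignores the signature timestamp so it runs offline.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSigner;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Hypothetical diagnostic tool (not part of OpenWebStart): reports which CA a signed jar's chain needs. */
public class JarChainCheck {

    /** Every X.509 certificate in the keystore becomes a trust anchor, as the JVM does with cacerts. */
    static Set<TrustAnchor> loadAnchors(Path keystore, char[] password) throws Exception {
        // Default type is PKCS12 on modern JDKs, which also reads the JKS files IcedTea-Web writes.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(keystore)) {
            ks.load(in, password);
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                anchors.add(new TrustAnchor((X509Certificate) c, null));
            }
        }
        return anchors;
    }

    /** Collects the distinct signer chains embedded in the jar's signature blocks (META-INF/*.RSA etc.). */
    static List<List<X509Certificate>> signerChains(Path jar) throws Exception {
        List<List<X509Certificate>> chains = new ArrayList<>();
        Set<X509Certificate> seenLeaves = new HashSet<>();
        try (JarFile jf = new JarFile(jar.toFile(), true)) {
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jf.entries())) {
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signer information is only populated once the entry has been read to EOF.
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* reading verifies the entry digest */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) continue;          // unsigned entry
                for (CodeSigner s : signers) {
                    List<X509Certificate> chain = new ArrayList<>();
                    for (Certificate c : s.getSignerCertPath().getCertificates()) {
                        chain.add((X509Certificate) c);   // leaf first, as stored in the signature block
                    }
                    if (!chain.isEmpty() && seenLeaves.add(chain.get(0))) chains.add(chain);
                }
            }
        }
        return chains;
    }

    /** PKIX validation of one chain against the anchors; revocation is disabled so this runs offline. */
    static String validate(List<X509Certificate> chain, Set<TrustAnchor> anchors) throws GeneralSecurityException {
        List<X509Certificate> path = new ArrayList<>(chain);
        // A self-signed root embedded by the signer is not evidence of trust: drop it and rely on the store.
        while (path.size() > 1 && isSelfSigned(path.get(path.size() - 1))) {
            path.remove(path.size() - 1);
        }
        X509Certificate top = path.get(path.size() - 1);
        boolean issuerKnown = false;
        for (TrustAnchor a : anchors) {
            if (a.getTrustedCert().getSubjectX500Principal().equals(top.getIssuerX500Principal())) issuerKnown = true;
        }
        if (!issuerKnown) {
            return "FAIL: no trust anchor for issuer " + top.getIssuerX500Principal().getName()
                 + " (not embedded by the signer and not in the trust store)";
        }
        try {
            CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false);   // offline example; leave enabled in production
            CertPathValidator.getInstance("PKIX").validate(cp, params);
            return "OK";
        } catch (CertPathValidatorException ex) {
            return "FAIL: " + ex.getMessage();
        }
    }

    static boolean isSelfSigned(X509Certificate c) {
        return c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
    }

    public static void main(String[] args) throws Exception {
        Path jar = Paths.get(args[0]);
        Path keystore = Paths.get(args[1]);
        char[] pw = (args.length > 2 ? args[2] : "changeit").toCharArray();   // assumed default password
        Set<TrustAnchor> anchors = loadAnchors(keystore, pw);
        for (List<X509Certificate> chain : signerChains(jar)) {
            System.out.println("Signer chain as embedded in the jar:");
            for (X509Certificate c : chain) System.out.println("  " + c.getSubjectX500Principal().getName());
            System.out.println("  -> " + validate(chain, anchors));
        }
    }
}
```

Run it once against the user store named in the post (`java JarChainCheck app.jar ~/.config/icedtea-web/security/trusted.certs`) and once against `lib/security/cacerts` of the JVM that OpenWebStart actually selects for the application, since that is the store Stephan's reply says will be consulted at run time. With only the root in the store, a jar whose signature block carries just the leaf certificate reports the missing "thawte SHA256 Code Signing CA - G2" issuer; adding that intermediate to the store, as Frank did, makes the same chain validate. The cleaner fix is on the signer's side: when the private-key entry handed to jarsigner carries the full chain, jarsigner embeds the intermediate in the signature block and verifiers only need the root, which every bundled cacerts already contains. Two caveats: the PKIX validator checks validity dates against the current clock, so an expired signing certificate fails here even where the JVM accepts a timestamped signature, and the tool does not evaluate jar-level policy such as the Permissions manifest attribute.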
- Posts: 232
- Joined: 27 Mar 2020, 09:55
Re: Thawte code signing issuer CA missing
We added a section into our guide and into the FAQ:
https://openwebstart.com/docs/OWSGuide. ... rtificates
https://openwebstart.com/docs/FAQ.html#_security