run openwebstart and avoid the "unidentified developer"

Post by douglaslyon »

Hi All,
I was wondering if anyone has overcome the problem of running OpenWebStart on the Mac
and avoiding the message "unidentified developer"?
When I sign a webstart application and run it with open webstart, I use
a cert that was issued by a well known CA.

However, when running the program the macosx gateway says that this
application is from an "unknown developer".
""application.jnlp" can't be opened because it is from an unidentified developer."

sudo spctl --master-disable
defeats the gateway, but is a miserable way to deploy applications;
so is going to the "security and privacy" control panel and clicking on "open anyway".
Apple Tech Support:

"Unidentified developer" means a source other than the Mac App Store or a Developer ID-identified developer. Note that Java applets cannot participate in the Developer ID program.

However, I saw:
"You can use the codesign utility to sign the JNLP file, which will attach the code signature to the JNLP file as extended attributes. To preserve these attributes, package the JNLP file in a ZIP, XIP, or DMG file. Be careful using the ZIP format, as some third-party tools might not capture the required extended attributes correctly."

To which I respond "yuck!". If I have to bundle a jnlp file into a dmg
then I have defeated the "click and run" property of the webstart framework.

One person says:
Thanks, I've eventually resorted to creating a proper app bundle that invokes javaws. If the jnlp file can no longer be executed automatically upon download there is no point keeping it, even if it's zipped with its code signing attributes. An app bundle has some benefits over the zipped jnlp: 1. it's more familiar to Mac users, 2. it displays the application icon, and 3. there is no need to re-sign it when the jnlp file evolves.

Here is a simple example of a jnlp file. ... .Main.jnlp

I am at my wits' end on this one... any ideas? I was thinking about
deploying an app to the app store that enables the downloading and
running of webstart applications, however, I don't think Apple will permit it.

What do you think?

- Doug
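
The quoted codesign passage warns that some ZIP tools drop the extended attributes that hold the JNLP signature. The following is an added example, not part of the original post or of OpenWebStart: it checks a ZIP for the AppleDouble sidecar that carries those attributes. The `com.apple.cs.*` names and the `__MACOSX/._name` layout are assumptions that do not appear on the page, and the sample archives are constructed.

```python
import io
import posixpath
import struct
import zipfile

APPLEDOUBLE_MAGIC = 0x00051607  # first four bytes of an AppleDouble sidecar
# xattrs codesign writes on a signed non-Mach-O file (not listed on the page)
CS_XATTRS = (b"com.apple.cs.CodeDirectory",
             b"com.apple.cs.CodeRequirements",
             b"com.apple.cs.CodeSignature")


def sidecar_paths(member):
    """Where a ZIP tool may store the AppleDouble sidecar for a member."""
    folder, base = posixpath.split(member)
    beside = posixpath.join(folder, "._" + base)
    return [posixpath.join("__MACOSX", beside), beside]


def jnlp_signature_xattrs(zip_file):
    """Map each .jnlp member to the signing xattr names its sidecar carries."""
    report = {}
    with zipfile.ZipFile(zip_file) as zf:
        names = set(zf.namelist())
        for member in sorted(names):
            base = posixpath.basename(member)
            if base.startswith("._") or not base.lower().endswith(".jnlp"):
                continue
            found = set()
            for side in sidecar_paths(member):
                blob = zf.read(side) if side in names else b""
                if blob[:4] != struct.pack(">I", APPLEDOUBLE_MAGIC):
                    continue
                # Heuristic: attribute names appear as plain bytes in the blob.
                found |= {x.decode() for x in CS_XATTRS if x in blob}
            report[member] = found  # empty set: no signature attributes archived
    return report


def make_zip(with_sidecar):
    """Constructed sample archive; the sidecar is a simplified stand-in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Main.jnlp", "<jnlp/>")
        if with_sidecar:
            blob = struct.pack(">II", APPLEDOUBLE_MAGIC, 0x00020000)
            zf.writestr("__MACOSX/._Main.jnlp", blob + b"\0".join(CS_XATTRS))
    buf.seek(0)
    return buf
```

This only shows whether the attributes were packaged; whether the signature is valid is still decided on the Mac after extraction.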