What prevents Java from verifying signed jars with multiple signature algorithms

挽巷 2021-02-12 18:05

Quick background: We release a webstart application, which includes our own application jars and numerous third-party jars. Webstart requires that all distrib

3 answers
  •  忘掉有多难
    2021-02-12 18:43

    Rather than re-signing the third-party jars yourself, you can create a separate JNLP file for each third-party signer that refers to the relevant jar files, then have your main JNLP depend on these using the element. The restriction that all JAR files must be signed by the same signer only applies within one JNLP; each extension can have a different signer.

    Failing that, you could strip out the third-party signatures before adding your own (by repacking them without META-INF/*.{SF,DSA,RSA}).
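
The repacking step from the answer above, as an added example that is not part of the original answer: it copies a jar entry by entry and leaves out the signature files under META-INF/. The function names and the sample jar are constructed for illustration, and matching `.EC` files in addition to the `.SF`, `.DSA` and `.RSA` files named in the answer is an assumption that goes beyond it.

```python
import io
import re
import zipfile

# The answer names META-INF/*.{SF,DSA,RSA}; .EC (ECDSA signature blocks) is
# added here as an assumption beyond the page. The match is case-insensitive
# and only covers files directly under META-INF/, not nested paths.
SIG_ENTRY = re.compile(r"^META-INF/[^/]+\.(SF|DSA|RSA|EC)$", re.IGNORECASE)


def signer_files(jar_bytes: bytes) -> list[str]:
    """Return the signature-related entries present in a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(n for n in zf.namelist() if SIG_ENTRY.match(n))


def strip_signatures(jar_bytes: bytes) -> tuple[bytes, list[str]]:
    """Repack a jar without signature files; return (new jar, removed names)."""
    out, removed = io.BytesIO(), []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
         zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if SIG_ENTRY.match(info.filename):
                removed.append(info.filename)
                continue
            # Copy content and metadata unchanged, including MANIFEST.MF:
            # its per-entry digests still match the untouched files.
            dst.writestr(info, src.read(info), compress_type=info.compress_type)
    return out.getvalue(), sorted(removed)


def sample_jar() -> bytes:
    """Constructed sample: a fake 'signed' jar with placeholder signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("META-INF/VENDOR.SF", "Signature-Version: 1.0\r\n\r\n")
        zf.writestr("META-INF/VENDOR.RSA", b"\x00placeholder")
        zf.writestr("META-INF/services/x.Spi", "x.Impl\n")  # must survive
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    stripped, removed = strip_signatures(sample_jar())
    print("removed:", removed, "remaining:", signer_files(stripped))
```

Run `jarsigner -verify` on the vendor jar before stripping it. Once repacked, the jar no longer carries the vendor's signature, so your own signature is the only integrity check left on its contents.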
