Unidentified developer for Java Web Start application on OS X

家住魔仙堡 提交于 2019-12-03 11:40:34

Apple does appear to support signing of webstart -- but not directly. You have to bundle it in an archive. See the note at the bottom of this page:

You can use the codesign utility to sign the JNLP file, which will attach the code signature to the JNLP file as extended attributes. To preserve these attributes, package the JNLP file in a ZIP, XIP, or DMG file. Be careful using the ZIP format, as some third-party tools might not capture the required extended attributes correctly.

Also note that XIP isn't supported for non-Apple developers anymore:

Important: Starting with macOS Sierra, only XIP archives signed by Apple will be expanded. Developers who have been using XIP archives will need to move to using signed installer packages or disk images.

In the latest OSX releases, Apple has changed it's security model to only support applications from the Mac App Store and identified developers. In most cases, this prohibits jnlp/java-web-start applications from launching.

If this is a trusted application, you may override these settings by updating your system settings as follows:

System Preferences -> Security & Privacy -> (Unlock Window) -> Allow apps downloaded from: (Select Anywhere)

In some cases you may need to update your Java Security preferences too

System Preferences -> Java -> Security -> (Select Medium)

Be careful when adjusting these. These settings will open you up to popular attack vectors where an attacker can exploit vulnerabilities within the java runtime (Java 0 days).

Stan W

Here is a related post. It doesn't appear to be possible to bypass the security, Allow All, workaround.

OS X 10.8 Gatekeeper and Java applets

From Apple Tech Support in the post above.

Unidentified developer" means a source other than the Mac App Store or a Developer ID-identified developer. Note that Java applets cannot participate in the Developer ID program.

I am considering building a native app and use a custom web protocol instead similar to skype where you see skype:// in the URI. It doesn't seem like Apple will change their stance on java applets in the near future. It will most likely become more restricted and eventually just disabled like flash on iOS.

jla

The answers to How to sign (dynamic) JNLP files for OSX and Gatekeeper address this question, just ignore the 'dynamic' aspect.

You can codesign -f -s "Developer ID Application: " application.jnlp but the HFS resource won't transfer with the file over the web.

Until Oracle works out a solution, if they ever do, addressing JNLP/Web Start it looks like we have to figure out a work-around that starts us down the path to creating a Mac app bundle.

This seems to have changed in OS X 10.10. Now after going to System Preferences -> Security & Privacy -> (Unlock Window) -> Allow apps downloaded from: (Select Anywhere) (after trying to run the .jnlp file) you'll see an option to "Run anyway".

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!