Can I prevent digital signature warning when I start a java application from command line?

29.2k views Asked by At

Is there any way to prevent the "The application's digital signature cannot be verified" warning message from appearing when you run a Java application from the command line?

I'm looking for a command line solution that would allow to start an application like this on a continuous integration server, so I need a solution that would not require manual intervention.

Also, I would prefer not to disable this warning for any application because this could be a security risk.

Not sure if helps but I do know the values of "name", "publisher" and "from" fields of the signature.

screenshot of java digital signature warning

Just be sure, I'm not asking about how to sign this application.

update 1

I suppose that the solution is to use keytool to import the certificate from the command line but for some reason it does fail to import it properly because it does not appear in control panel applet after this and the application still requires it.

keytool -importcert -file my.cer -alias alf2 -storepass changeme -noprompt

Is it something related to the the default keystore, how can I assure I'm importing into the right keystore?

update 2

After lot of research on the net I made some progress, worked at least on Windows 7 with Java 6: keytool -importcert -file my.cer -keystore "%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs" -storepass "" -noprompt -v

I looks that Sun failed to specify in the documentation the real location of the default keystore and the fact that the default password is blank.

But this is not the end, because when this run on the automation user account it failed, it failed because this user did not had an keystore yet and because the command line tool keytool is not able to create a keystore with an empty password, requesting at least 6 characters. see Sun's forum tread...

5

There are 5 answers

1
Niekam On

I think you should create file for example mypolicy.policy in java.home/lib/security with grant all permisions to code signed by you and add this file to java.security (ex. under line where is java.policy path) this warning window will never prompt again

2
Stephen C On

There are two approaches:

  • Get the supplier of the software to reissue it with a proper signature. The "More Information" link should tell you why the signature cannot be verified, but the most likely causes are that the signature was created using a self-signed CA certificate, or a certificate that has since expired. (If the supplier won't help, you may be able to resign the JAR file with your own certificate.)

  • Add the relevant signing certificate to the JVM's certificate store as a "trusted certificate". Unfortunately, you'll need to do this for every JVM on every machine that needs to run the application.

4
Johnbabu Koppolu On

It would be a serious compromise on user security/privacy if unsigned applications are allowed to run without user's consent.

The answer is 'NO', unless you get your app signed or the user manually adds the publisher to the 'trusted' lists.

More here

0
PTT On

trusted.certs file is user (profile) based. Using keytool it is also possible to add trusted root CA to "cacert" file, where are default trusted CA for java stored. cacert file location on XP (depends on Java version): C:\Program Files\Java\jre6\lib\security

More details here:

default password is: changeit

0
Giors On

Don't know whether it is still actually Windows XP keytool asks for password if cert store actally not exist, so you should create manually or copy store from somewhere before importing certificates. User store was without password.