The short answer – don’t, unless your company policy forces you to. The long answer Signing jars is effectively telling your customer “I made this, and I guarantee it won’t mess up your system. If it does, come to me for retribution”. This is why signed jars in client-side solution deployed from remote servers (applets … Read more
The Java 7 release provides a (courtesy?) warning about something which has been in place for a decade… Trusted Timestamping was introducing in Java 5 (2004). The motivation was so that developers would not be forced “to re-sign deployed JAR files annually” when the certificates expired. → http://docs.oracle.com/javase/1.5.0/docs/guide/security/time-of-signing.html A URL-based Time Stamp Authority (TSA) is … Read more
My findings are the same: This prevents warnings with Java 7u21 – 7u40: Manifest-Version: 1.0 Trusted-Library: true This exclusivly prevents warnings with Java 7u45: Manifest-Version: 1.0 Application-Library-Allowable-Codebase: * Caller-Allowable-Codebase: * Mixing both won’t work in 7u45. Now what? Did anyone find a way to allow SIGNED applets with “all-permissions” to run without warnings in both … Read more