Greg Brown wrote:
>> Is the classloader complaining they aren't signed by the 'same' cert, or
>> just not signed by a trusted cert?
>
> The classloader will prompt the user to trust each different signer. For
> example, let's say that we sign the Pivot JARs with an ASF cert, and
> acme.com deploys an application that uses those JARs. The JAR(s) containing
> the acme.com app would be signed using the Acme cert, and the user would
> be prompted twice - once to trust the ASF JARs and again to trust the Acme
> JARs.
>
> This is probably not an ideal user experience - Acme's users don't
> necessarily need to know that parts of the application came from Apache
> - they just need to trust Acme. So, our assumption is that Acme would sign
> all the JARs used by the application, including the Pivot JARs, with their
> own certificate. This way, the user only gets prompted once, to trust
> acme.com.
Are you sure this is all set up correctly? The point behind CA certificates is that by saying "I trust this CA, I also trust any cert that this CA trusts", it removes the need to explicitly ask the user to trust anything - the user has already told you they trust your cert when the user trusted your CA cert.

All the JDKs I've ever used came with a blank certificate store - no CAs were trusted at all. If such a blank certificate store was present, then I would expect the application to ask me whether I trusted each cert in turn, simply because no CA cert was present to have done this for me.

I suspect the reason the behaviour you describe exists is because the CA cert isn't trusted. Ideally whatever container application you're trying to run (Eclipse RCP? Tomcat? Something else?) should contain some kind of user interface to ask the user whether they are willing to trust the Verisign (etc) cert, or the software could come with a certificate bundle already installed, like Firefox and friends do. I would imagine if the certificate bundle was correctly configured with the Verisign CA cert in it, your end user won't be asked anything at all.

Regards,
Graham
--
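As an added example, not code from this thread or from the Pivot project, here is a small Java audit covering the two points discussed above: it lists the distinct signers found across a set of JARs (two JARs signed by two different certificates show up as two signer entries, which is the "prompted twice" situation) and then checks whether each signer's certificate chain validates against a truststore such as the JDK's cacerts (a signer whose chain does not anchor in the truststore is the case Graham attributes to the CA cert not being trusted). The JAR paths and the truststore location are assumptions; revocation checking is disabled so the audit runs offline.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarSignerAudit {

    /** Distinct signers across the given JARs, keyed by the leaf certificate's subject DN.
     *  Unsigned entries are recorded under a placeholder key with a null chain. */
    static Map<String, CertPath> collectSigners(List<File> jars) throws Exception {
        Map<String, CertPath> signers = new TreeMap<>();
        for (File f : jars) {
            // verify=true makes JarFile check the signature blocks as entries are read
            try (JarFile jar = new JarFile(f, true)) {
                Enumeration<JarEntry> entries = jar.entries();
                while (entries.hasMoreElements()) {
                    JarEntry e = entries.nextElement();
                    if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                    // getCodeSigners() is only populated once the entry's bytes have been read
                    try (InputStream in = jar.getInputStream(e)) {
                        byte[] buf = new byte[8192];
                        while (in.read(buf) != -1) { /* drain to trigger verification */ }
                    }
                    CodeSigner[] cs = e.getCodeSigners();
                    if (cs == null) {
                        signers.put("<unsigned: " + f.getName() + ">", null);
                        continue;
                    }
                    for (CodeSigner s : cs) {
                        CertPath chain = s.getSignerCertPath();
                        X509Certificate leaf = (X509Certificate) chain.getCertificates().get(0);
                        signers.put(leaf.getSubjectX500Principal().getName(), chain);
                    }
                }
            }
        }
        return signers;
    }

    /** True if the signer's chain validates (PKIX) to a trust anchor in the given truststore. */
    static boolean chainsToTrustedCa(CertPath chain, KeyStore trustStore) {
        if (chain == null) return false;
        try {
            PKIXParameters params = new PKIXParameters(trustStore);
            params.setRevocationEnabled(false); // offline audit; enable for a production check
            CertPathValidator.getInstance("PKIX").validate(chain, params);
            return true;
        } catch (Exception ex) {
            return false; // untrusted anchor, expired cert, bad chain, or empty truststore
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed paths: the JARs of a deployed application and the JDK truststore.
        List<File> jars = Arrays.asList(new File("lib/pivot-core.jar"), new File("lib/acme-app.jar"));
        String trustStorePath = System.getProperty("java.home") + "/lib/security/cacerts";

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, null); // read-only load does not need the store password
        }

        Map<String, CertPath> signers = collectSigners(jars);
        System.out.println(signers.size() + " distinct signer(s) found:");
        for (Map.Entry<String, CertPath> s : signers.entrySet()) {
            String status = chainsToTrustedCa(s.getValue(), trustStore) ? "trusted CA" : "NOT trusted";
            System.out.println("  " + s.getKey() + " -> " + status);
        }
    }
}
```

If the run reports more than one signer, the JARs were signed with different certificates; if a signer shows as NOT trusted, its chain does not reach an anchor in the truststore being consulted, which is the first thing to check before assuming the prompting is inherent to the container.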