Closed GoogleCodeExporter closed 9 years ago
This "bug" is a MAJOR problem for the free version of the applet and there is
no way to fix this issue continuing with a Self-Signed Certificate from what I
gather.
This is because when providing a self-signed signature (the free kind), the
"Publisher" field will always say "UNKNOWN" whether or not it is provided when
creating the signature. Not showing Publisher is a fairly wise decision by
Sun/Oracle and I agree.
On the contrary, blocking Self-Signed signatures is a terrible mistake as it
prevents free projects like jZebra from taking off. This kills innovation and
community, but Google is discontinuing downloads on this site in January as
well, so this isn't the only issue threatening the longevity of the free
version.
There are two BAD ways to fix this UNKNOWN Publisher issue:
1. Lower the security level of Java to permit UNKNOWN and Untrusted sources (NOT RECOMMENDED)
2. Downgrade to Java 1.7 u25 or older permanently (NOT RECOMMENDED)
In response to this, I've been able to create a Trusted Version, but creating a
company that a CA was willing to trust has cost time and money, so it's no
longer free.
Here's the new version:
http://qzindustries.com
Thoughts are welcome and thanks for the fantastic documentation on this
upcoming issue.
-Tres
Original comment by tres.fin...@gmail.com
on 18 Sep 2013 at 12:39
Attachments:
Is this the same applet, as available here, except license? Does it work the
same?
Or it does something other?
Original comment by vonKer...@gmail.com
on 18 Sep 2013 at 12:44
What did you mean under 'Google is discontinuing downloads on this site in
January as well'? Does code.google.com stop existing? Or it becomes just a
repo?
Original comment by vonKer...@gmail.com
on 18 Sep 2013 at 12:46
Yes, it's mostly the same. We're removing the jzebra branding as to not
infringe on the "Zebra" printer brand. This change will take some time, but
has the unintended side effect of function and package name changes, i.e.
(jzebra.PrintApplet.class is now qz.PrintApplet.class).
You can demo the compiled untrusted version by downloading the 1.6.2 source
code and running sample.html from dist. Download available here:
https://jzebra.googlecode.com/files/qz-print_1.6.2_src.zip
Just run sample.html from dist.
-Tres
Original comment by tres.fin...@gmail.com
on 18 Sep 2013 at 12:48
@vonKertis:
In response to your second question, yes, repo.
"Downloads were implemented by Project Hosting on Google Code to enable open
source projects to make their files available for public download.
Unfortunately, downloads have become a source of abuse with a significant
increase in incidents recently. Due to this increasing misuse of the service
and a desire to keep our community safe and secure, we are deprecating
downloads.
Starting today, existing projects that do not have any downloads and all new
projects will not have the ability to create downloads. Existing projects with
downloads will see no visible changes until January 14, 2014 and will no longer
have the ability to create new downloads starting on January 15, 2014. All
existing downloads in these projects will continue to be accessible for the
foreseeable future.
If your project is using downloads to host and distribute files and has a need
to periodically create new downloads, we recommend you move your downloads to
an alternate service like Google Drive before January 15, 2014. If you choose
to move your files to Google Drive, check out our help article."
Source:
http://google-opensource.blogspot.com/2013/05/a-change-to-google-code-download-service.html
Original comment by tres.fin...@gmail.com
on 18 Sep 2013 at 12:51
Issue 156 has been merged into this issue.
Original comment by tres.fin...@gmail.com
on 18 Sep 2013 at 2:38
http://qzindustries.com is down ?? When will the paid version be available?
Original comment by doctorg...@gmail.com
on 25 Sep 2013 at 10:00
The paid version is available immediately. Please email sales@qzindustries.com
and we can set you up today.
In regards to the site, I checked it when I got up and the issue seemed to
resolve itself. I'm not sure why it appeared down.
-Tres
Original comment by tres.fin...@gmail.com
on 25 Sep 2013 at 12:04
If anyone is wondering, with the java update there is a solution to fix the
warning dialogue box. As most of you know the issue is the Trusted Publisher is
marked as 'UNKNOWN'. However there is a way to create a certificate that JAVA
will trust and you and your clients will no longer see that pesky box popping
up. If anyone needs help doing this, please email me because the instructions
are way too long to post on here, besides having to pay someone like VeriSign
like 600 dollars to sign something is ridiculous in my eyes. Feel free to email
me!
Original comment by aaron.ma...@gmail.com
on 30 Sep 2013 at 5:27
Issue 160 has been merged into this issue.
Original comment by tres.fin...@gmail.com
on 30 Sep 2013 at 5:31
@Aaron,
I'm a bit confused, in one bug report you said you only fixed it for IE, and in
this one you say you figured it out.
If you've found a way to remove the "UNKNOWN" publisher without a trusted
signature, can you email me some of the details? I would like to get this
dialog removed from the free version and was not aware of a workaround.
Currently, we're offering a digitally signed and supported version under a
recently formed LLC called QZ INDUSTRIES for a reasonable price. Email me if
you have any questions, tres@qzindustries.com
-Tres
Original comment by tres.fin...@gmail.com
on 30 Sep 2013 at 5:34
Also this isn't a hack or workaround with Java, so it could be legitimately
deployed to one work station or many if necessary. I haven't written a script
to automate the process, but once you see how easy it is you'll be good.
Creating the certificate and modifying the .jar file was the hard part.
Original comment by aaron.ma...@gmail.com
on 30 Sep 2013 at 5:35
@Tres, I will email you, the instructions are lengthy on how I did it, but
the actual fix itself will take users no more than 10-20 seconds, gotta love
open source, and by the way, love jzebra, integrated it into my software in
such a smooth way for my clients, really appreciate the work!
Original comment by aaron.ma...@gmail.com
on 30 Sep 2013 at 5:37
@Aaron,
After receiving your email, (with your permission) I will likely republish your
findings to the wiki so that others can benefit from your struggles. I look
forward to hearing from you.
-Tres
Original comment by tres.fin...@gmail.com
on 30 Sep 2013 at 5:43
@Tres,
I just emailed you, read it and let me know what you decide to do, Everyone
would definitely benefit from this, I also tested to see if my settings stuck
after updating from 25 to 40, and they did, so this seems to be a simple and
easy solution for people.
-Aaron
Original comment by aaron.ma...@gmail.com
on 30 Sep 2013 at 5:52
Please share to wiki :)
Original comment by superbiji
on 1 Oct 2013 at 3:36
@superbiji: Aaron hasn't sent over the details yet.
Original comment by tres.fin...@gmail.com
on 1 Oct 2013 at 3:39
Sorry everyone my work load today was huge tres you'll have the email in the
morning keep an eye out for it.
Original comment by aaron.ma...@gmail.com
on 1 Oct 2013 at 5:36
Hey everyone i just sent the word doc to Tres on how to fix this issue for you
and your clients. Let me or him know if you need something, i suppose he might
publish here to wiki soon or something.
-Aaron
Original comment by aaron.ma...@gmail.com
on 1 Oct 2013 at 5:29
For those interested in Aaron's approach, I've attached his word document with
the instructions.
What Aaron is doing is exporting the keystore (available in the src version) to
a CER and CSR file and then providing instructions for the computer
user/administrator to import those into both IE and Java.
Since this additional step is required on all clients, it is a viable interim
solution for simply replacing this UNTRUSTED dialog. If someone has the time
to follow his instructions and provide back the files, I'll be happy to include
them in the next source release and also place a copy of them in the
downloads section.
-Tres
Original comment by tres.fin...@gmail.com
on 1 Oct 2013 at 6:32
Attachments:
If you are willing to do that, I'll just create a generic trusted source. I
didn't realize you were willing to post the files lol. Give me like an hour or
so and I will send a zip folder with the trusted .csr file and the new .jar
file with the trusted keystore. sound good?
-Aaron
Original comment by aaron.ma...@gmail.com
on 1 Oct 2013 at 6:37
@Tres,
I have sent you an email with the .csr file and the new .jar file people will
need. Hope this helps everyone! I also attached to this comment.
Original comment by aaron.ma...@gmail.com
on 1 Oct 2013 at 6:50
Attachments:
Aaron was also kind enough to offer his signed version (attached). Again, it's
available here as an interim solution until this process can be incorporated
into the free version. He also has not taken the time to resign the
pdf-renderer or the jssc jar files, which may be needed for certain
functionality.
Installing 3rd party certificates on all clients is often not an option for
larger deployments (for hosted services, this could be hundreds or thousands of
machines) so this solution is really intended for smaller or controlled
environments.
The paid version has a Trusted Root Godaddy certificate and is ready now from
sales@qzindustries.com.
-Tres
Original comment by tres.fin...@gmail.com
on 1 Oct 2013 at 6:58
Original comment by tres.fin...@gmail.com
on 1 Oct 2013 at 6:58
Attachments:
Everything Tres said is quite true. This is a great solution for smaller end
things, or if you can script it out to deploy then by all means do it,
otherwise, support the developer and buy the paid version. Thanks again Tres!
-Aaron
PS I can do this process for any applet, if someone needs help with another
one, feel free to message me and let me know!
Original comment by aaron.ma...@gmail.com
on 1 Oct 2013 at 7:17
Hello. I am new here and I am following this discussion. I will be deploying a
web-based POS system that is currently in development as a beta test inside of
a store this weekend, so for now I will be using jZebra in a controlled
environment. I currently used Aaron's files, followed the install instructions,
and it was successful. However I need it for the PDF-Renderer as well, as my
POS system uses a label printer printed from a PHP-generated PDF in addition to
a receipt printer. Aaron, if you can do the same thing for PDFRenderer-0.9.1.jar
that will be great. (P.S. this is a much better alternative to downgrading
Java, as I was about to do until I saw these posts)
-Alex
Original comment by alex.b...@gmail.com
on 1 Oct 2013 at 7:26
@Alex,
Here is what you requested with the required cert for the pdf render. hope this
helps you
-Aaron
Original comment by aaron.ma...@gmail.com
on 1 Oct 2013 at 7:48
Attachments:
@Aaron
Thanks! Just to be safe I did install the certificates in the PDFRenderer.zip
in addition to the ones in the jZebraCertJar.zip. Are these the same
certificates? I am asking because I want to know if I would be able to skip
some steps next time I do this on another computer.
-Alex
Original comment by alex.b...@gmail.com
on 1 Oct 2013 at 9:25
You need both of them yes, i suppose i could combine them both, but that might
take some more finagling on my part lol. If you want my recommendation, learn
the Keytool function because it has an import tool , and with that you can
write a script to auto import these and then you could use that to deploy to 1
or 1,000 machines all at once. But for now, import both the certificates. I am
not sure if Tres wants to add these files to the free version, if he does,
then i can try and make one cert, but this is not my real job and I have many
responsibilities lol, so we shall see. Glad this worked for you though!
-Aaron
Original comment by aaron.ma...@gmail.com
on 1 Oct 2013 at 9:50
@Aaron,
> I am not sure if Tres wants to add these files to the free version
I use NetBeans + ANT to do my signing with the project's bundled keystore. I
will attempt to export the certificate from the existing keystore tonight to
provide this same functionality as you've illustrated. If it works, I'll offer
the certificate that matches in the downloads.
Since the keystore and password for the *free version* are public, (therefore
anyone could sign a java program with it) this leaves the possibility of an
attacker reusing this certificate for malicious purposes, so it is not
recommended for computers with sensitive data, government computers, shared
computers, users with administrative or domain-wide credentials, or any
non-kiosk type computer.
I'll try Aaron's instructions out now and see if I can get this free
certificate generated.
Again, I *highly* recommend most people use a Trusted Root certificate by
signing the code yourself or by purchasing support via qzindustries.com.
-Tres
Original comment by tres.fin...@gmail.com
on 2 Oct 2013 at 1:44
@Aaron,
I attempted to export a certificate from qz.ks without success.
I was able to export a CER, which imported fine into IE, Windows. I renamed it
to a CSR which imported fine into Java as well, but this did not suppress the
Oracle warning dialog.
-Tres
Original comment by tres.fin...@gmail.com
on 2 Oct 2013 at 3:13
It works.. you should import to *Certificate Type: Signer CA*
But if you have a lot of users and don't have access to their desktop, the
solution is non free version
Original comment by superbiji
on 2 Oct 2013 at 8:32
@superbiji: That worked. As a courtesy, I've attached the Self-Signed
certificates that will remove this message for the free version. They've also
been added to the downloads.
https://code.google.com/p/jzebra/downloads/detail?name=qz-free%20certs.zip
-Tres
Original comment by tres.fin...@gmail.com
on 3 Oct 2013 at 4:16
Attachments:
This issue is as fixed as it is going to be. There are three options available
to circumvent this issue, none of which can be completed with code changes:
1. Downgrade Java to 7u25 or earlier
or
2. Install the qz-free certs on every PC to Java Security *Certificate Type:
Signer CA*
or
3. Purchase the premium supported version from qzindustries.com
There are security implications with options 1 and 2, so please consider your
environment's security when picking one of the above options.
-Tres
Original comment by tres.fin...@gmail.com
on 3 Oct 2013 at 4:22
Attachments:
Happy to see my solution seems to work for most people. Hope everything works
well from here on out !
Original comment by aaron.ma...@gmail.com
on 3 Oct 2013 at 4:35
Hi guys, first of all, nice work!
Couple of questions:
1 - do we have to regenerate the free certificate every time there is a new
version of jzebra?
2 - using windows vista premium here, I had to use these commands instead of
the ones provided in the doc (mainly the last line has been modified):
keytool -genkey -keystore myKeystore -validity 3650 -alias myAlias
jarsigner -keystore myKeystore jzebra.jar myAlias
keytool -exportcert -keystore myKeystore -alias myAlias -file example.cer
and I used the 1.5.6 version of jzebra that came from the download section as a
base to generate the certificate. Not sure what happened, but the generated
certificate didn't work. I still have the same nasty popup coming up once I
installed the certificate. (which doesn't happen with Tres' certificate). Do we
have to enter the same info as Tres when generating our free certificate (city,
organization,...)? What about passphrase? does it matter? (used the default one
"changeit")
It looks like the encryption is not the same as the one that Tres used. one is
DSA, the other is RSA.
3 - with the free certificate, which jzebra.jar file are we meant to use on our
server in the end? the original one from code.google.com, or the "inflated one"
modified by the first command entered in n°2?
Many thanks in advance for sharing some light on this, I'd like to know why I
can't generate my own certificate (I got it working with Tres' ones, but I
wanna know.... and maybe it can help others too).
b0b0
Original comment by blamour...@gmail.com
on 15 Oct 2013 at 1:02
Just download the cert from the Downloads section and import into Java Control
Panel under *Certificate Type: Signer CA*.
This will work for all future free versions. Creating your own certificate is
only required if you would like to recompile and resign using a different
certificate.
Also I strongly urge anyone to consider using a trusted signature for any scenario
that could suffer from security risks by blindly accepting a self-generated
publicly available certificate. We offer one at qzindustries.com.
Original comment by tres.fin...@gmail.com
on 15 Oct 2013 at 1:15
Thanks for your reply Tres.
I actually just wanted to understand how it worked by generating a 10 years
certificate instead of 5.
In the meantime of course, I am using the solution you just gave, since what I
tried didn't work.
I will try not to bother you guys with all my questions & let you get busy with
the work, and keep trying, since there is already a solution that has been
provided & is working. (and with your reply, you answered at least more than
half of my questions! :))
have a good day ! :)
Original comment by blamour...@gmail.com
on 15 Oct 2013 at 2:17
Once you generate the certificate you need to use the Jarsigner to assign your
newly created certificate to the actual .jar file. If you don't do that,
then your certificate won't work. That is the step you are missing. Good luck
b0b0
-Aaron
Original comment by aaron.ma...@gmail.com
on 15 Oct 2013 at 2:38
Also if you did that, then you need to import it into your java configuration.
not the browser one.
Original comment by aaron.ma...@gmail.com
on 15 Oct 2013 at 2:39
And last, sorry for spam. my certs i made are 10 years, if you scroll up you
can download them.
Original comment by aaron.ma...@gmail.com
on 15 Oct 2013 at 2:40
Hi Aaron, thanks a lot for your thoughts on my struggles lol :)
I just tried your certificate, but it only works with your jzebra.jar (that's
what I suspected), which means that in the future, we will have to wait for
your versions too of "longer" certificates and I would really like to be able
to manage them on my own. I won't go into details, but in the particular case I
am working on, it looks like Tres' solution cannot be beaten, looking at the
size of his .jar file (how come his is smaller... and we use it as a
source...with his cert!)... anyway
I am pretty sure I did that already (jarsigner -keystore myKeystore jzebra.jar
myAlias), but I have a doubt on the myKeystore variable. I am wondering if I can
use a free name, or if I have to point to the real keystore
"%userprofile%\AppData\LocalLow\Sun\Java\Deployment\security\trusted.cacerts"...
I'll give it a try real quick anyway ;)
I only import the certs in Java, not the browser ;) no worries on that one...
If it can help others, below is a list of commands I am using under "cmd" to
play around:
List of "Signer CA" Certificates
keytool -list -keystore "%userprofile%\AppData\LocalLow\Sun\Java\Deployment\security\trusted.cacerts" -storepass ""
(replace -storepass "" with -storepass YOUR_PASSWORD if your keyStore requires
a password, mine doesn't)
Removing the certificate named "jzebrasecureca" from "Signer CA" Certificates
keytool -keystore "%userprofile%\AppData\LocalLow\Sun\Java\Deployment\security\trusted.cacerts" -storepass "" -delete -alias jzebrasecureca
Adding new "jzebrasecureca" certificate to keyStore
keytool -keystore "%userprofile%\AppData\LocalLow\Sun\Java\Deployment\security\trusted.cacerts" -storepass "" -importcert -alias jzebrasecureca -file qz-free.cer
(replace -storepass "" with -storepass YOUR_PASSWORD if your keyStore requires
a password, mine doesn't)
killing java.exe instances (avoid restarting browser / task manager and kill
java to see changes)
taskkill /F /IM java.exe
Hoping this will help...
let's keep on... (hoping this is not turning into a troll)
b0b0
Original comment by blamour...@gmail.com
on 15 Oct 2013 at 4:15
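Added example, not part of the original thread or the project's code: a Python audit that reads a Java deployment trusted.cacerts store, as the keytool -list command above does, and reports the aliases whose certificate matches a flagged SHA-256 fingerprint, such as the publicly available free-version certificate Tres warns about. It assumes the store is in keytool's default JKS format with the empty store password used above; the function names, the "internalca" alias and the sample certificate bytes are constructed for illustration.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
PRIVATE_KEY, TRUSTED_CERT = 1, 2
SALT = b"Mighty Aphrodite"  # fixed string JKS mixes into its integrity digest


def _digest(password, body):
    # JKS integrity value: SHA-1(password as UTF-16BE + SALT + store bytes)
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()


def trusted_cert_fingerprints(data, password=""):
    """Map alias -> SHA-256 hex of each trusted certificate in a JKS store.

    password="" matches the empty -storepass used in the thread; pass None
    to skip the integrity check.
    """
    body, pos = data[:-20], 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated keystore")
        pos += n
        return body[pos - n:pos]

    def u32():
        return struct.unpack(">I", take(4))[0]

    def utf():
        return take(struct.unpack(">H", take(2))[0]).decode("utf-8", "replace")

    if u32() != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    if password is not None and _digest(password, body) != data[-20:]:
        raise ValueError("integrity check failed: wrong password or altered file")
    version, found = u32(), {}
    for _ in range(u32()):
        tag, alias = u32(), utf()
        take(8)  # creation time in ms
        if tag == PRIVATE_KEY:
            take(u32())  # protected private key, skipped
            chain = u32()
        elif tag == TRUSTED_CERT:
            chain = 1
        else:
            raise ValueError("unknown entry tag %d" % tag)
        for _ in range(chain):
            if version == 2:
                utf()  # certificate type, e.g. "X.509"
            der = take(u32())
            if tag == TRUSTED_CERT:
                found[alias] = hashlib.sha256(der).hexdigest()
    return found


def flagged_aliases(data, flagged_sha256, password=""):
    """Aliases in the store whose certificate is on the flagged list."""
    certs = trusted_cert_fingerprints(data, password)
    return sorted(a for a, fp in certs.items() if fp in flagged_sha256)


def build_sample_store(entries, password=""):
    """Constructed test input: a version-2 JKS holding only trusted certs."""
    out = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, der in entries:
        name = alias.encode("utf-8")
        out += struct.pack(">IH", TRUSTED_CERT, len(name)) + name
        out += struct.pack(">Q", 0) + struct.pack(">H", 5) + b"X.509"
        out += struct.pack(">I", len(der)) + der
    return out + _digest(password, out)


# Constructed placeholder bytes, not real certificates.
PUBLIC_CERT = b"constructed-stand-in-for-qz-free.cer"
SAMPLE = build_sample_store([("jzebrasecureca", PUBLIC_CERT),
                             ("internalca", b"constructed-other-cert")])
FLAGGED = {hashlib.sha256(PUBLIC_CERT).hexdigest()}

if __name__ == "__main__":
    print(flagged_aliases(SAMPLE, FLAGGED))
```

On a real machine, pass the bytes of trusted.cacerts as data and put the SHA-256 of the DER encoding of each certificate you do not want trusted in the flagged set.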
Anytime a new version comes out, this will have to be done, even Tres will have
to do this, that's how signing a file works with a particular certificate.
However, my .jar file should be larger as i stated earlier in this conversation
or in the word doc, it gets larger because that's the jar signer inserting my
certificate codes in the jar file itself. You need to download the original jzebra
file that comes up as unknown and hasn't been signed by anyone and do your steps
that way and then import that cert into the Signer CA security drop down. I
would redo my steps for you, but i am at work and am most busy today, also
remember once you make the cert it needs to be a .csr file type. Sorry, I
realize now my word doc instructions were vague, i wrote them for Tres assuming
that he already knew how to use those tools which he did. I might have the time
to make a very specific one so you can do this process on your own. Until then
using my file or Tres's will hold you over just fine.
Original comment by aaron.ma...@gmail.com
on 15 Oct 2013 at 4:28
Thanks Aaron, it all makes sense now.
I got it working in the end, by tweaking the commands a bit ... like a couple
of arguments but nothing major... it's weird. I would say that it should have
worked from the start, because the changes I have done are not that important.
MAKE SURE YOU KILL java.exe between every try, and that you do empty java's
temporary files too (+ the browser's too). That's certainly what messed my
previous tests up. I'm usually pretty good at trying things out.
I'll try again anyway.
Another thing that puzzles me though, is that when I asked earlier if we had to
import/replace the certificate every time there was a new version of jzebra,
Tres replied:
"Just download the cert from the Downloads section and import into Java Control
Panel under *Certificate Type: Signer CA*.
This will work for all future free versions."
I first understood that we had to do this once only, and that the certificate
would work for all future free versions too.
Should we understand that for future versions, we will have to download the
certificates again, and install them on each single pc again then?
--------------
here's what I used so that it worked (not debugged in any way, it was my first
successful try):
I put the jzebra.rar from jZebra 1.5.6.zip in a folder as you said... and ended
up with a jzebra_signed.jar & jzebra.cer
ps: I love batch ;) - put the following 4 lines in a generate.bat file and
make sure you edit the path C:\Program Files... correctly
keytool -genkey -validity 3650 -alias jzebraca -storepass "changeit" -keypass "changeit" -dname "CN=Tres Finocchiaro, OU=code.google.com/jzebra, O=jZebra Web Applet, L=Canastota, ST=New York, C=US"
"C:\Program Files\Java\jdk1.7.0_40\bin\jarsigner" -storepass "changeit" -signedjar jzebra_signed.jar jzebra.jar jzebraca
keytool -exportcert -storepass "changeit" -alias jzebraca -file jzebra.cer
copy jzebra.cer jzebra.csr
b0b0
Original comment by blamour...@gmail.com
on 15 Oct 2013 at 5:38
As long as Tres signs them with the same cert then yeah, it will work, but if
it won't let him or he creates a new one then yeah, you gotta get the new cert.
Then again he can compile on top of the old .jar file and then you might not
have to. Haven't really put too much thought into it. But glad you got it working
bud!
Original comment by aaron.ma...@gmail.com
on 15 Oct 2013 at 5:41
"As long as Tres signs them with the same cert then yeah"
Thank you soo much for your confirmation Aaron, you made everything clear...
So ... last question for the free version ...:
@Tres: will you? :) (I guess that's the plan!) bearing in mind that it is still
a "relatively unsecure" solution of course :(
Original comment by blamour...@gmail.com
on 15 Oct 2013 at 5:53
> Anytime a new version comes out, this will have to be done, even Tres will
> have to do this, that's how signing a file works with a particular certificate.
@Aaron,
I do not believe this is true. I created mine from the qz.ks (previously
jzebra.ks). Anyone can do this, the passwords are in the NetBeans build files.
It should only have to be done once per PC until the self-signed signature
expires.
> Adding new "jzebrasecureca" certificate to keyStore
@b0b0,
Thanks, I was looking for a way to do that programmatically. That is useful to
know.
-Tres
Original comment by tres.fin...@gmail.com
on 15 Oct 2013 at 5:54
Yeah i said as long as that is used then its all good. I think too many
questions going around lol. But all is well in the land of oz today.
Original comment by aaron.ma...@gmail.com
on 15 Oct 2013 at 5:56
> @Tres: will you?
@b0b0,
Yes, our plan is to continue using the same signature for the free version, as
well as for PDF-RENDERER and JSSC.
-Tres
Original comment by tres.fin...@gmail.com
on 15 Oct 2013 at 5:59
hello,
Today there is a new version of Java, Version 7 Update 45. In this version the
certificate doesn't work. In the last version (Version 7 Update 40) it's OK, but
in the new one there are problems because the explorer shows a window to approve
permission to run the app. Please help me!!!
thanks
Original comment by gonzalo....@gmail.com
on 15 Oct 2013 at 8:30
Original issue reported on code.google.com by
vonKer...@gmail.com
on 18 Sep 2013 at 12:20
Attachments: