thilino / jzebra

Automatically exported from code.google.com/p/jzebra
0 stars 0 forks source link

Java security issue that selfsigned sertificates will not work in next JDK release #155

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Run the applet with using JDK 7 update 40

What is the expected output? What do you see instead?

Expected: While applet starts for the first time, a popup is shown with message 
about security issue. Checking both checkboxes fixes the problem.

Real world: It doesn't matter, how much times you start applet and check the 
SINGLE checkbox, it popups everytime the page loads.

What version of the product are you using? On what operating system?

Win7, XP
Chrome, FF, Opera
jZebra 1.5.6

Please provide any additional information below.
The next warning appears in the popup and it makes me to worry about next Java 
updates.

Original issue reported on code.google.com by vonKer...@gmail.com on 18 Sep 2013 at 12:20

Attachments:

GoogleCodeExporter commented 8 years ago
This "bug" is a MAJOR problem for the free version of the applet and there is 
no way to fix this issue continuing with a Self-Signed Certificate from what I 
gather.

This is because when providing a self-signed signature (the free kind), the 
"Publisher" field will always say "UNKNOWN" whether or not it is provided when 
creating the signature.  Not showing Publisher is a fairly wise decision by 
Sun/Oracle and I agree.

On the contrary, blocking Self-Signed signatures is a terrible mistake as it 
prevents free projects like jZebra from taking off.  This kills innovation and 
community, but Google is discontinuing downloads on this site in January as 
well, so this isn't the only issue threatening the longevity of the free 
version.

There two BAD ways to fix this UNKNOWN Publisher issue:
  1. Lower the security level of Java to permit UNKNOWN and Untrusted sources (NOT RECOMMENDED)
  2. Downgrade to Java 1.7 u25 or older permanently (NOT RECOMMENDED)

In response to this, I've been able to create a Trusted Version, but creating a 
company that a CA was willing to trust has cost time and money, so it's no 
longer free.

Here's the new version:

http://qzindustries.com

Thoughts are welcome and thanks for the fantastic documentation on this 
upcoming issue.

-Tres

Original comment by tres.fin...@gmail.com on 18 Sep 2013 at 12:39

Attachments:

GoogleCodeExporter commented 8 years ago
Is this the same applet, as available here, except license? Does it work the 
same? 
Or it does something other?

Original comment by vonKer...@gmail.com on 18 Sep 2013 at 12:44

GoogleCodeExporter commented 8 years ago
What did you mean under 'Google is discontinuing downloads on this site in 
January as well'? Does code.google.com stops exsisting? Or it becomes just a 
repo?

Original comment by vonKer...@gmail.com on 18 Sep 2013 at 12:46

GoogleCodeExporter commented 8 years ago
Yes, it's mostly the same.  We're removing the jzebra branding as to not 
infringe on the "Zebra" printer brand.  This change will take some time, but 
has the unintended side effect of function and package name changes, i.e. 
(jzebra.PrintApplet.class is now qz.PrintApplet.class).

You can demo the compiled untrusted version by downloading the 1.6.2 source 
code and running sample.html from dist.  Download available here:

https://jzebra.googlecode.com/files/qz-print_1.6.2_src.zip

Just run sample.html from dist.

-Tres

Original comment by tres.fin...@gmail.com on 18 Sep 2013 at 12:48

GoogleCodeExporter commented 8 years ago
@vonKertis:

In response to your second question, yes, repo.
"Downloads were implemented by Project Hosting on Google Code to enable open 
source projects to make their files available for public download. 
Unfortunately, downloads have become a source of abuse with a significant 
increase in incidents recently. Due to this increasing misuse of the service 
and a desire to keep our community safe and secure, we are deprecating 
downloads.

Starting today, existing projects that do not have any downloads and all new 
projects will not have the ability to create downloads. Existing projects with 
downloads will see no visible changes until January 14, 2014 and will no longer 
have the ability to create new downloads starting on January 15, 2014.  All 
existing downloads in these projects will continue to be accessible for the 
foreseeable future.

If your project is using downloads to host and distribute files and has a need 
to periodically create new downloads, we recommend you move your downloads to 
an alternate service like Google Drive before January 15, 2014. If you choose 
to move your files to Google Drive, check out our help article."

Source:
http://google-opensource.blogspot.com/2013/05/a-change-to-google-code-download-s
ervice.html

Original comment by tres.fin...@gmail.com on 18 Sep 2013 at 12:51

GoogleCodeExporter commented 8 years ago
Issue 156 has been merged into this issue.

Original comment by tres.fin...@gmail.com on 18 Sep 2013 at 2:38

GoogleCodeExporter commented 8 years ago
http://qzindustries.com is down ?? When will the paid version be available?

Original comment by doctorg...@gmail.com on 25 Sep 2013 at 10:00

GoogleCodeExporter commented 8 years ago
The paid version is available immediately.  Please email sales@qzindustries.com 
and we can set you up today.

In regards to the site, I checked it when I got up and the issue seemed to 
resolve itself.  I'm not sure why it appeared down.

-Tres

Original comment by tres.fin...@gmail.com on 25 Sep 2013 at 12:04

GoogleCodeExporter commented 8 years ago
If anyone is wondering with the java update there is a solution to fix the 
warning dialogue box. As most of you know the issue is the Trusted Publisher is 
marked at 'UNKNOWN'. However there is a way to create a certificate that JAVA 
will trust and you and your clients will not longer see that pesky box popping 
up. If anyone needs help doing this, please email me because the instructions 
are way to long to post on here, besides having to pay someone like VeriSign 
like 600 dollars to sign something is ridiculous in my eyes. Feel free to email 
me!

Original comment by aaron.ma...@gmail.com on 30 Sep 2013 at 5:27

GoogleCodeExporter commented 8 years ago
Issue 160 has been merged into this issue.

Original comment by tres.fin...@gmail.com on 30 Sep 2013 at 5:31

GoogleCodeExporter commented 8 years ago
@Aaron,

I'm a bit confused, in one bug report you said you only fixed it for IE, and in 
this one you say you figured it out.

If you've found a way to remove the "UNKNOWN" publisher without a trusted 
signature, can you email me some of the details?  I would like to get this 
dialog removed from the free version and was not aware of a workaround.

Currently, we're offering a digitally signed and supported version under a 
recently formed LLC called QZ INDUSTRIES for a reasonable price.  Email me if 
you have any questions, tres@qzindustries.com

-Tres

Original comment by tres.fin...@gmail.com on 30 Sep 2013 at 5:34

GoogleCodeExporter commented 8 years ago
Also this isn't a hack or workaround with Java, so it could be legitamitely 
deployed to one work station or many if necessary, I haven't written a script 
to automate the process, but once you see how easy it is you'll be good. 
created the certificate and modifying the .jar file was the hard part.

Original comment by aaron.ma...@gmail.com on 30 Sep 2013 at 5:35

GoogleCodeExporter commented 8 years ago
@Tres you I will email you, the instructions are lengthy on how I did it, but 
the actually fix itself will take users no more then 10-20 seconds, gotta love 
open source, and by the way, love jzebra, integrated it into my software in 
such a smooth way for my clients really appreciate the work!

Original comment by aaron.ma...@gmail.com on 30 Sep 2013 at 5:37

GoogleCodeExporter commented 8 years ago
@Aaron,

After receiving your email, (with your permission) I will likely republish your 
findings to the wiki so that others can benefit from your struggles.  I look 
forward to hearing from you.

-Tres

Original comment by tres.fin...@gmail.com on 30 Sep 2013 at 5:43

GoogleCodeExporter commented 8 years ago
@Tres,

I just emailed you, read it and let me know what you decide to do, Everyone 
would definitely benefit from this, I also tested to see if my settings stuck 
after updating from 25 to 40, and they did, so this seems to be a simple and 
easy solution for people.

-Aaron

Original comment by aaron.ma...@gmail.com on 30 Sep 2013 at 5:52

GoogleCodeExporter commented 8 years ago
Please share to wiki :)

Original comment by superbiji on 1 Oct 2013 at 3:36

GoogleCodeExporter commented 8 years ago
@superbiji:  Aaron hasn't sent over the details yet.

Original comment by tres.fin...@gmail.com on 1 Oct 2013 at 3:39

GoogleCodeExporter commented 8 years ago
Sorry everyone my work load today was huge tres you'll have the email in the 
morning keep an eye out for it. 

Original comment by aaron.ma...@gmail.com on 1 Oct 2013 at 5:36

GoogleCodeExporter commented 8 years ago
Hey everyone i just sent the word doc to Tres on how to fix this issue for you 
and your clients. Let me or him know if you need something, i suppose he might 
publish here to wiki soon or something.
-Aaron

Original comment by aaron.ma...@gmail.com on 1 Oct 2013 at 5:29

GoogleCodeExporter commented 8 years ago
For those interested in Aaron's approach, I've attached his word document with 
the instructions.

What Aaron is doing is exporting the keystore (available in the src version) to 
a CER and CSR file and then providing instructions for the computer 
user/administrator to importing those into both IE and Java.

Since this additional step is required on all clients, it is viable interim 
solution for simply replacing this UNTRUSTED dialog.  If someone has the time 
to follow his instructions and provide back the files, I'll be happy to include 
them in the next source release and also place a copy of them it in the 
downloads section.

-Tres

Original comment by tres.fin...@gmail.com on 1 Oct 2013 at 6:32

Attachments:

GoogleCodeExporter commented 8 years ago
If you are willing to do that, I'll just create a generic trusted source. I 
didn't realize you were willing to post the files lol. Give me like an hour or 
so and I will send a zip folder with the trusted .csr file and the new .jar 
file with the trusted keystore. sound good?

-Aaron

Original comment by aaron.ma...@gmail.com on 1 Oct 2013 at 6:37

GoogleCodeExporter commented 8 years ago
@Tres,
I have sent you an email with the .csr file and the new .jar file people will 
need. Hope this helps everyone! I also attached to this comment.

Original comment by aaron.ma...@gmail.com on 1 Oct 2013 at 6:50

Attachments:

GoogleCodeExporter commented 8 years ago
Aaron was also kind enough to offer his signed version (attached).  Again, it's 
available here as an interim solution until this process can be incorporated 
into the free version.  He also has not taken the time to resign the 
pdf-renderer or the jssc jar files, which may be needed for certain 
functionality.

Installing 3rd party certificates on all clients is often not an option for 
larger deployments (for hosted services, this could be hundreds or thousands of 
machines) so this solution is really intended for smaller or controlled 
environments.

The paid version has a Trusted Root Godaddy certificate and is ready now from 
sales@qzindustries.com.

-Tres

Original comment by tres.fin...@gmail.com on 1 Oct 2013 at 6:58

GoogleCodeExporter commented 8 years ago

Original comment by tres.fin...@gmail.com on 1 Oct 2013 at 6:58

GoogleCodeExporter commented 8 years ago
Everything Tres said is quite true. This is a great solution for smaller end 
things, or if you can script it out to deploy then by all means do it, 
otherwise, support the developer and buy the paid version. Thanks again Tres! 

-Aaron

PS I can do this process for any applet, if someone needs help with another 
one, feel free to message me and let me know!

Original comment by aaron.ma...@gmail.com on 1 Oct 2013 at 7:17

GoogleCodeExporter commented 8 years ago
Hello. I am new here and I am following this discussion. I will be deploying a 
web-based POS system that is currently in development as a beta test inside of 
a store this weekend, so for now I will be using jZebra in a controlled 
environment. I currently used Aaron's files, followed the install instructions, 
and it was successful. However I need it for the PDF-Renderer as well, as my 
POS system uses a label printer printed from a PHP-generated PDF in addition to 
a receipt printer. Arron if you can do the same thing for PDFRenderer-0.9.1.jar 
that will be great. (P.S. this is a much better alternative to downgrading 
Java, as I was about to do until I saw these posts)

-Alex

Original comment by alex.b...@gmail.com on 1 Oct 2013 at 7:26

GoogleCodeExporter commented 8 years ago
@Alex,

Here is what you requested with the required cert for the pdf render. hope this 
helps you

-Aaron

Original comment by aaron.ma...@gmail.com on 1 Oct 2013 at 7:48

Attachments:

GoogleCodeExporter commented 8 years ago
@Aaron

Thanks! Just to be safe I did install the certificates in the PDFRenderer.zip 
in addition to the ones in the jZebraCertJar.zip. Are these the same 
certificates? I am asking because I want to know if I would be able to step 
some steps next time I do this on another computer.

-Alex

Original comment by alex.b...@gmail.com on 1 Oct 2013 at 9:25

GoogleCodeExporter commented 8 years ago
You need both of them yes, i suppose i could combine them both, but that might 
take some more finagling on my part lol. If you want my recommendation, learn 
the Keytool function because it has an import tool , and with that you can 
write a script to auto import these and then you could use that to deploy to 1 
or 1,000 machines all at once. But for now, import both the certificates. I am 
not sure if Tres want's to add these files to the free version, if he does, 
then i can try and make one cert, but This is not my real job and I have many 
responsibilities lol, so we shall see. Glad this worked for you though!

-Aaron

Original comment by aaron.ma...@gmail.com on 1 Oct 2013 at 9:50

GoogleCodeExporter commented 8 years ago
@Aaron,

> I am not sure if Tres want's to add these files to the free version

I use NetBeans + ANT to do my signing with the project's bundled keystore.  I 
will attempt to export the certificate from the existing keystore tonight to 
provide this same functionality as you've illustrated.  If it works, I'll offer 
the certificate that matches in the downloads.

Since the keystore and password for the *free version* are public, (therefor 
anyone could sign a java program with it) this leaves the possibility of an 
attacker reusing this certificate for malicious purposes, so it is not 
recommended for computers with sensitive data, government computers, shared 
computers, users with administrative or domain-wide credentials, or any 
non-kiosk type computer.

I'll try Aaron's instructions out now and see if I can get this free 
certificate generated.

Again, I *highly* recommend most people use a Trusted Root certificate by 
signing the code yourself or by purchasing support via qzindustries.com.

-Tres

Original comment by tres.fin...@gmail.com on 2 Oct 2013 at 1:44

GoogleCodeExporter commented 8 years ago
@Aaron,

I attempted to export a certificate from qz.ks without success.

I was able to export a CER, which imported fine into IE, Windows.  I renamed it 
to a CSR which imported fine into Java as well, but this did not suppress the 
oracle warning dialog.

-Tres

Original comment by tres.fin...@gmail.com on 2 Oct 2013 at 3:13

GoogleCodeExporter commented 8 years ago
It works.. you should import to *Certificate Type: Signer CA*

But if you have a lot of users and dont have access to their desktop, the 
solution is non free version

Original comment by superbiji on 2 Oct 2013 at 8:32

GoogleCodeExporter commented 8 years ago
@superbiji:  That worked.  As a courtesy, I've attached the Self-Signed 
certificates that will remove this message for the free version.  They've also 
been added to the downloads.

https://code.google.com/p/jzebra/downloads/detail?name=qz-free%20certs.zip

-Tres

Original comment by tres.fin...@gmail.com on 3 Oct 2013 at 4:16

GoogleCodeExporter commented 8 years ago
This issue is as fixed as it is going to be.  There are three options available 
to circumvent this issue, none of which can be completed with code changes:

1.  Downgrade Java to 7u25 or earlier
        or
2.  Install the qz-free certs on every PC to Java Security *Certificate Type: 
Signer CA*
        or
3.  Purchase the premium supported version from qzindustries.com

There are security implications with options 1 and 2, so please consider your 
environment's security when picking one of the above options.

-Tres

Original comment by tres.fin...@gmail.com on 3 Oct 2013 at 4:22

Attachments:

GoogleCodeExporter commented 8 years ago
Happy to see my solution seems to work for most people. Hope everything works 
well from here on out ! 

Original comment by aaron.ma...@gmail.com on 3 Oct 2013 at 4:35

GoogleCodeExporter commented 8 years ago
Hi guys, first of all, nice work!

Couple of questions:
1 - do we have to regenerate the free certificate everytime there is a new 
version of jzebra?

2 - using windows vista premium here, I had to use these commands instead of 
the ones provided in the doc (mainly the last line has been modified):
keytool -genkey -keystore myKeystore -validity 3650 -alias myAlias
jarsigner -keystore myKeystore jzebra.jar myAlias
keytool -exportcert -keystore myKeystore -alias myAlias -file example.cer

and I used the 1.5.6 version of jzebra that came from the download section as a 
base to generate the certificate. Not sure what happened, but the generated 
certificate didn't work. I still have the same nasty popup coming up once I 
installed the certificate. (which doesn't happen with Tres' certificate). Do we 
have to enter the same info as Tres when generating our free certificate (city, 
organization,...)? What about passphrase? does it matter? (used the default one 
"changeit")
It looks the the encryption is not the same as the one that Tres used. one is 
DSA, the other is RSA.

3 - with the free certificate, which jzebra.jar file are we meant to use on our 
server in the end? the orignial one from code.google.com, or the "inflated one" 
modified by the first command entered in n°2?

Many thanks in advance for sharing some light on this, I'd like to know why I 
can't generate my own certificate (I got it working with Tres' ones, but I 
wanna know.... and maye it can help others too).

b0b0

Original comment by blamour...@gmail.com on 15 Oct 2013 at 1:02

GoogleCodeExporter commented 8 years ago
Just download the cert from the Downloads section and import into Java Control 
Panel under *Certificate Type: Signer CA*.

This will work for all future free versions.  Creating your own certificate is 
only required if you would like to recompile and resign using a different 
certificate.

Also I strongly urge anyone consider using a trusted signature for any scenario 
that could suffer from security risks by blindly accepting a self-generated 
publicly available certificate.  We offer one at qzindustries.com.

Original comment by tres.fin...@gmail.com on 15 Oct 2013 at 1:15

GoogleCodeExporter commented 8 years ago
Thanks for your reply Tres.
I actually just wanted to understand how it worked by generating a 10 years 
certificate instead of 5.
In the meantime of course, I am using the solution you just gave, since what I 
tried didn't work.
I will try not to bother you guys with all my question & let you get busy with 
the work, and ekkp trying, since there is already a solution that has been 
provided & is working. (and with your reply, you answered at least more than 
half of my questions! :))

have a good day ! :)

Original comment by blamour...@gmail.com on 15 Oct 2013 at 2:17

GoogleCodeExporter commented 8 years ago
Once you generate the certificate you need to use the Jarsigner to assign your 
newly created certificate to the the actually .jar file. If you don't do that, 
then your certificate won't work. That is the step you are missing. Good luck 
b0b0

-Aaron

Original comment by aaron.ma...@gmail.com on 15 Oct 2013 at 2:38

GoogleCodeExporter commented 8 years ago
Also if you did that, then you need to import it into your java configuration. 
not the browser one. 

Original comment by aaron.ma...@gmail.com on 15 Oct 2013 at 2:39

GoogleCodeExporter commented 8 years ago
And last, sorry for spam. my certs i made are 10 years, if you scroll up you 
can download them. 

Original comment by aaron.ma...@gmail.com on 15 Oct 2013 at 2:40

GoogleCodeExporter commented 8 years ago
Hi Aaron, thanks a lot for your thoughts on my struggles lol :)
I just tried your certificate, but it only works with your jzebra.jar (that's 
what I suspected), which means that in the future, we will have to wait for 
your versions too of "longer" certificates and I would really like to be able 
to manage them on my own. I won't go into details, but in the particular case I 
am working on, it looks like Tres' solution cannot be beaten, looking at the 
size of his .jar file (how comes his is smaller... and we use it as a 
source...with his cert!)... anyway

I am pretty sure I did that already (jarsigner -keystore myKeystore jzebra.jar 
myAlias), but I have a doubt on the myKestore variable. I am wondering if I can 
use a free name, or if I have to point to the real keystore 
"%userprofile%\AppData\LocalLow\Sun\Java\Deployment\security\trusted.cacerts"...
 I'll give it a try real quick anyway ;)

I only import the certs in Java, not the browser ;) no worries on that one...

If it can help others, below is a list of commands I am using under "cmd" to 
play around:

List of "Signer CA" Certificates
keytool -list -keystore 
"%userprofile%\AppData\LocalLow\Sun\Java\Deployment\security\trusted.cacerts" 
-storepass ""
(replace -storepass "" with -storepass YOUR_PASSWORD if your keyStore requires 
a password, mine doesn't)

Removing the certificate named "jzebrasecureca" from "Signer CA" Certificates
keytool -keystore 
"%userprofile%\AppData\LocalLow\Sun\Java\Deployment\security\trusted.cacerts" 
-storepass "" -delete -alias jzebrasecureca

Adding new "jzebrasecureca" certificate to keyStore
keytool -keystore 
"%userprofile%\AppData\LocalLow\Sun\Java\Deployment\security\trusted.cacerts" 
-storepass "" -importcert -alias jzebrasecureca -file qz-free.cer
(replace -storepass "" with -storepass YOUR_PASSWORD if your keyStore requires 
a password, mine doesn't)

killing java.exe instances (avoid restarting browser / task manager and kill 
java to see changes)
taskkill /IM /F java.exe

Hoping this will help...

let's keep on... (hoping this is not turning into a troll)

b0b0

Original comment by blamour...@gmail.com on 15 Oct 2013 at 4:15

GoogleCodeExporter commented 8 years ago
Anytime a new version comes out, this will have to be done, even Tres will have 
to do this, thats how signing a file works with a particular certificate. 
However, my .jar file should be larger as i stated earlier in this conversation 
or in the word doc, it gets larger because thats the jar signer inserting my 
certificate codes in the jar file itself. You need to down the original jzebra 
file that comes up as unknown and hasn't be signed by anyone and do your steps 
that way and then import that cert into the Signer CA security drop down. I 
would re do my steps for you, but i am at work and am most busy today, also 
remember once you make the cert it needs to be a .csr file type. Sorry I 
realize know my word doc instructions were vague i wrote them for Tres assuming 
that he already knew how to use those tools which he did. I might have the time 
to make a very specific one so you can do this process on your own. Until then 
using my file or Tres's will hold you over just fine.

Original comment by aaron.ma...@gmail.com on 15 Oct 2013 at 4:28

GoogleCodeExporter commented 8 years ago
Thanks Aaron, it all makes sense now. 

I got it working in the end, by tweaking the commands a bit ... like a couple 
of arguments but nothing major... it's weird. I would say that it should have 
worked from the start, because the changes I have done are not that important.

MAKE SURE YOU KILL java.exe between every try, and that you do empty java's 
temporary files too (+ the browser's too). That's certainly what messed my 
previous tests up. I'm usually pretty good a trying things out. 
I'll try again anyway.

Another thing that puzzles me though, is that when I asked earlier if we had to 
import/replace the certificate everytime there was a new version of jzebra, 
Tres replied:
"Just download the cert from the Downloads section and import into Java Control 
Panel under *Certificate Type: Signer CA*.
This will work for all future free versions."
I first understood that we had to do this once only, and that the certificate 
would work work for all future free versions too.

Should we understand that for future version, we will have to download the 
certificates again, and install the on each single pc again then?

--------------
here's what I used so that it worked (not debugged in any way, it was my first 
succesfull try):
I put the jzebra.rar from jZebra 1.5.6.zip in a folder as you said... and ended 
up with a jzebra_signed.jar & jzebra.cer
ps: I love batch ;) - puta the following 4 lines in a generate.bat file and 
make sure you edit the path C:\Program Files... correctly

keytool -genkey -validity 3650 -alias jzebraca -storepass "changeit" -keypass 
"changeit" -dname "CN=Tres Finocchiaro, OU=code.google.com/jzebra, O=jZebra Web 
Applet, L=Canastota, ST=New York, C=US"
"C:\Program Files\Java\jdk1.7.0_40\bin\jarsigner" -storepass "changeit" 
-signedjar jzebra_signed.jar jzebra.jar jzebraca
keytool -exportcert -storepass "changeit" -alias jzebraca -file jzebra.cer
copy jzebra.cer jzebra.csr

b0b0

Original comment by blamour...@gmail.com on 15 Oct 2013 at 5:38

GoogleCodeExporter commented 8 years ago
As long as Tres signs them with the same cert then yeah, it will work, but if 
it won't let him or he creates a new one then yeah, you gotta get the new cert. 
Then again he can compile on top of the old .jar file and then you might not 
have too, Haven't really put to much thought into it. But glad you got it work 
bud!

Original comment by aaron.ma...@gmail.com on 15 Oct 2013 at 5:41

GoogleCodeExporter commented 8 years ago
"As long as Tres signs them with the same cert then yeah"
Thank you soo much for your confirmation Aaron, you made everything clear... 

So ... last question for the free version ...:
@Tres: will you? :) (I guess that's the plan!) bearing in mind that it is still 
a "relatively unsecure" solution of course :(

Original comment by blamour...@gmail.com on 15 Oct 2013 at 5:53

GoogleCodeExporter commented 8 years ago
> Anytime a new version comes out, this will have to be done, even Tres will 
have to do this, thats how signing a file works with a particular certificate.

@Aaron,

I do not believe this is true.  I created mine from the qz.ks (previously 
jzebra.ks).  Anyone can do this, the passwords are in the NetBeans build files. 
It should only have to be done once per PC until the self-signed signature 
expires.

> Adding new "jzebrasecureca" certificate to keyStore

@b0b0,

Thanks, I was looking for a way to do that programatically.  That is useful to 
know.

-Tres

Original comment by tres.fin...@gmail.com on 15 Oct 2013 at 5:54

GoogleCodeExporter commented 8 years ago
Yeah i said as long as that is used then its all good. I think too many 
questions going around lol. But all is well in the land of oz today. 

Original comment by aaron.ma...@gmail.com on 15 Oct 2013 at 5:56

GoogleCodeExporter commented 8 years ago
> @Tres: will you?

@b0b0,
Yes, our plan is to continue using the same signature for the free version, as 
well as for PDF-RENDERER and JSSC.

-Tres

Original comment by tres.fin...@gmail.com on 15 Oct 2013 at 5:59

GoogleCodeExporter commented 8 years ago
hello,

Today there are a new version of java, Version 7 Update 45, in this version the 
certificate dont' work, in the last version (Version 7 Update 40 it's ok, but 
in new there are problems because the explorer show a window to aprove 
permision to run the app. Please help me!!! 

tanks

Original comment by gonzalo....@gmail.com on 15 Oct 2013 at 8:30