# Signing a Java Applet



## Svenmonkey (Mar 29, 2003)

To use file I/O in a Java Applet you need it to be digitally signed, apparently. I have little experience with Applets (I'm just about to take my second year of Java classes) and I need someone to help me with signing an Applet I've created.

Any help would be appreciated. The tutorials I've seen elsewhere are pretty confusing for a newbie like me.


----------



## microbug (Sep 1, 2003)

First it depends on what Java version you want to support (i.e. MS IE Java 1.1.4, Netscape 4.x or Sun JDK 1.2.x or newer). The procedure to sign your code for any of these VMs is different and not compatible. (Have a look here)
The next thing you need is an "object signing certificate" from Thawte, VeriSign or some other trusted CA. This is usually called a "Class 3" certificate. It is not easy to get one of these if you are not a registered corporation in the US. Besides this, it costs you at least $199 per year.
You can also make your own certificates for free, but you will need to import the CA into every browser that uses your applet. Most browsers won't even allow you to do this unless you change the default security settings. This is usually not an option if you want to use the applet on the internet.


----------



## Svenmonkey (Mar 29, 2003)

I just want to use it in my home and I want to support IE. I hear I can make my own certificate with the Microsoft Java SDK, but I can't find it anywhere because it's been discontinued. Is there a way I can make one with the Sun Java SDK?

Thanks for the reply, by the way.


----------



## microbug (Sep 1, 2003)

You can still find places to download the Microsoft SDK for Java, just google for "SDKJava40.exe". It should be about 20 MB in size.
Although both Microsoft and Sun can use the same X.509 certificates, the concrete procedure to sign the code is totally different. For the built-in VM in IE you need to use Cabinet files, which are not supported by Sun.
I can't tell you the exact steps to sign your code with the MS SDK (last time I did it myself was in 1998) but there is a manual in the SDK that explains the tools and maybe you can find a full description of the procedure on the net if you search for the names of these tools.


----------



## Svenmonkey (Mar 29, 2003)

Thanks a lot. I didn't know the name of the file before, so I just searched for "Microsoft Java SDK," which got me nowhere. I'm currently downloading the MS JSDK.


----------



## hyeomer (Sep 26, 2003)

I have spent hours and hours solving this problem.

Here is what worked for me:

```
keytool -genkey -alias sig
keytool -export -alias sig -rfc -file sig.x509
# create your jar files, then sign them
jarsigner {path}file.jar sig
```

Now I'll explain the problem: when you try to sign your .jar file, jarsigner looks for the certificate chain in {java.home}/bin/sig.x509.
When it does not find it, an error is generated. -rfc -file sig.x509 exports the certificate into j2sdk/bin/. When you run key for the first time, it will create a .keystore database file in your home directory, and all these entries are automatically added to that file.

If you want to authorise your applet to have network access to a machine other than the one it was loaded from, e.g. your local machine, then add this to your .java.policy file in C:\j2sdk1.4.2\jre\lib\security\

```
keystore ".keystore";

grant signedBy "sig", codeBase "http://address_applet_loaded_from/applet.jar" {
    permission java.net.SocketPermission "*:8000", "connect,accept,resolve,listen";
};
```

So when this applet is loaded from the webserver, first of all you will be asked to trust a certificate; then the JVM on your machine will look in the .java.policy security file, and if the access is granted, your applet can make a connection to your machine.

For granting all other access, visit
http://java.sun.com/j2se/1.4.2/docs/guide/security/permissions.html

Have Fun


----------
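An added example, not part of any post in this thread: a small Java program that checks a jar after the `jarsigner` step above, reporting for each entry whether it is signed, by which certificate, and whether that certificate is self-signed (the home-made case described earlier in the thread). The class name `JarSignerCheck` is an assumption; only standard JDK classes are used.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Hypothetical helper class (name chosen for this example).
public class JarSignerCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java JarSignerCheck <file.jar>");
            System.exit(2);
        }
        int unsigned = 0;
        // Second argument true: entry digests are verified while entries are read.
        try (JarFile jar = new JarFile(args[0], true)) {
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                String name = e.getName();
                // The manifest and signature files live in META-INF/; this
                // example does not check anything stored under that directory.
                if (e.isDirectory() || name.startsWith("META-INF/")) continue;
                // Signers are only known after the entry is read to the end.
                // A modified entry makes read() throw SecurityException.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    unsigned++;
                    System.out.println("UNSIGNED  " + name);
                    continue;
                }
                for (CodeSigner s : signers) {
                    // First certificate in the path is the signer's own.
                    X509Certificate c = (X509Certificate)
                            s.getSignerCertPath().getCertificates().get(0);
                    boolean selfSigned = c.getSubjectX500Principal()
                            .equals(c.getIssuerX500Principal());
                    System.out.println("SIGNED    " + name + "  by "
                            + c.getSubjectX500Principal().getName()
                            + (selfSigned ? "  (self-signed)" : ""));
                }
            }
        }
        System.exit(unsigned == 0 ? 0 : 1); // non-zero if any entry lacks a signature
    }
}
```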



## Svenmonkey (Mar 29, 2003)

Thanks for the help. I'll try it out ASAP.


----------

