Make any necessary changes in the applet's code (see Writing code for Netscape Navigator).
Collect the tools you'll need: a digital ID, and
Note: Navigator 3 isn't able to verify signed Java applets, and so can't take advantage of digitally signed applets. Navigator 4 and up can take advantage of digitally signed applets (I've verified this on the Macintosh and under Windows; I expect it is also true on other Navigator platforms).
You'll need two items to do digital signing: a Netscape Object Signing software publishing digital ID, and a DOS program called
Note: VeriSign is the CA that I used for my certificates. Although it was one of the first, it now has competitors. You can check Netscape's list of CAs which support their products at <https://certs.netscape.com/client.html>, or you can check the Vendors section in the Links page.
Note: VeriSign used to have a Class 2 digital ID, for use by individual developers. It could be obtained in a matter of minutes, and cost $20/year. They're no longer offering this level of ID; my guess is too many people were buying Class 2 IDs rather than the (much more profitable) Class 3 IDs. Oh, well...
When you've received your ID, it will be automatically installed in a pair of files called "cert7.db" and "key3.db", both in (probably) "C:\Program Files\Netscape\users\<yourName>". This is the digital certificate database used directly by Navigator. You don't need to export anything, but when you use the code signing tools below you'll need to specify this directory, the name of the ID to use within the database, and the password for the database (if any). (Make a backup copy of the two .db files in case things get wiped out.)
Note: you can also create your own test certificates. For more information, see Creating and Installing Test Certificates.
Note: you can use
Make sure that
Create a top-level directory for the signing. Within that directory, create a subdirectory containing all the .class files for your applet (I called mine "MyApplet"). Within the subdirectory, place copies of all .class files in their directories. Top-level .class files should be right inside this directory, and all package .class files should be in subdirectories with the package names (e.g. all my "util" package .class files are inside the directory "MyApplet\util").
For each browser user, Netscape maintains a directory holding various items, including that user's digital ID database. You'll need to specify this directory when using the code signing tool so that the tool will be able to find the public and private components of your key.
This directory is (usually) "c:\program files\netscape\users\<yourName>". To make sure, search for a directory containing the files "cert7.db" and "key3.db" (which contain your public certificate and private key, respectively). For safety, you might want to copy these files to a secure place.
Now that you've found the digital ID database, you need to know the exact name of your digital ID. To do this, use
signtool -d"<DATABASE directory>" -L
In my case, I typed this:
signtool -d"c:\program files\netscape\users\griscom" -L
    using certificate directory: c:\program files\netscape\users\griscom

    S Certificates
    - ------------
      AT&T Certificate Services
      Thawte Personal Premium CA
      GTE CyberTrust Secure Server CA
      Verisign/RSA Commercial CA
      AT&T Directory Services
      GTIS/PWGSC, Canada Gov. Web CA
      Thawte Personal Freemail CA
      Thawte Server CA
      GTIS/PWGSC, Canada Gov. Secure CA
      MCI Mall CA
      VeriSign Class 4 Primary CA
      United States Postal Service CA
      KEYWITNESS, Canada CA
      Netscape Export Control Policy CA
      BBN Certificate Services CA Root 1
      Thawte Personal Basic CA
      CertiSign BR
      VeriSign Class 3 Primary CA
      Canada Post Corporation CA
      Integrion CA
      IBM World Registry CA
      Uptime Group Plc. Class 1 CA
      VeriSign Class 1 Primary CA
      VeriSign Class 2 Primary CA
      VeriSign, Inc. - VeriSign, Inc.
      Uptime Group Plc. Class 2 CA
      Thawte Premium Server CA
      Uptime Group Plc. Class 3 CA
      Verisign/RSA Secure Server CA
      GTE CyberTrust Root CA
      Uptime Group Plc. Class 4 CA
    * Daniel T Griscom's VeriSign Trust Network ID
    ------------
So: my ID name is "Daniel T Griscom's VeriSign Trust Network ID", and can be used for signing (phew). Note the list of the CAs whose CA certificates are installed in my browser, ready to validate digital IDs. If you only want to see the signing certificates, you can use
If you have set a Navigator/Communicator password, you'll need this password for access to the database. Being a trusting soul I haven't set one, so the batch file below shows an empty password. If you have set one, you can include it in the batch file (which is insecure), or remove the password argument from the
Note: I have had a report that
Life's a lot easier when you let the computer do the grunt work. So, here is a DOS batch file that creates a signed .jar archive for all files in a given subdirectory. Create the following DOS batch file called
    @ECHO OFF
    REM Script to make a directory into a signed .jar file. Takes the directory name as
    REM its argument; creates a .jar file of the same name in the directory above the
    REM specified one. Note: must be run in directory above directory to be signed.

    REM I'll set up a couple of variables to make things more readable. You'll need to
    REM edit these values to match your setup. If you get an error such as
    REM "Out of environment space" then you'll have to increase your environment space.
    REM (Boy, do I love DOS.)

    REM This is the location of the digital signature database
    SET ID_LOC="c:\program files\netscape\users\griscom"

    REM This is the name of the digital ID to be used
    SET ID_NAME="Daniel T Griscom's VeriSign Trust Network ID"

    REM This is the password for the database. I haven't set one for mine,
    REM so I don't need anything here (the single space is ignored).
    SET ID_PASSWD=" "

    REM This is the compression level for the final .jar file. 0 means no
    REM compression, 9 means highest compression. Note! it used to be
    REM that .jar files had to have no compression to work, but now it seems
    REM that it's OK. I don't know when this changed, or with what version
    REM of Navigator. signtool's default value is 6. Be warned, and try out
    REM whatever you decide.
    SET COMPRESSION=9

    REM signtool signs the directory and creates the .jar archive.
    REM Arguments:
    REM   -d[text]   Directory holding digital signature database
    REM   -k[text]   Name of ID in digital signature database
    REM   -p[text]   Password for the database. NOTE! to be more secure, remove
    REM              this argument and you'll be prompted for the password.
    REM   -Z[text]   Name of .jar file to be created
    REM   -c[digit]  Compression level ("0" - none, "9" - highest).
    REM   [rest]     Name of directory to be signed
    ECHO *********** About to sign directory using signtool ***********
    signtool -d%ID_LOC% -k%ID_NAME% -p%ID_PASSWD% -Z %1.jar -c%COMPRESSION% .\%1

    REM Punt the various environment variables
    SET ID_LOC=
    SET ID_NAME=
    SET ID_PASSWD=
    SET COMPRESSION=

    ECHO *********** Done creating .jar archive ***********
Change the ID_LOC, ID_NAME and ID_PASSWD values to correspond to your digital ID directory, name and password, respectively. Make sure that
Note: including your password in the text of
Note! Before you run
Change to the directory that contains the directory containing your applet's .class files. Then, run
You'll see lots of messages scroll up the screen. When done, a new archive with the applet directory's name and the suffix ".jar" will be created.
The first time you create a signed archive you'll want to verify it. Do this by using the -w option for
signtool -d"c:\program files\netscape\users\griscom" -w MyApplet.jar
Note: you'll have to change the -d argument to match your own digital ID database directory. You might want to make the following one-line batch file, named
signtool -d"c:\program files\netscape\users\griscom" -w %1.jar
(again, change the directory name), and then use it thusly:
If the archive is signed properly, you'll get a printout of the contents of the signing ID. If not, you won't.
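As a complement to the signtool check above, here is an added example (not part of the original page or of Netscape's tools) that compares every file in a .jar against the digests listed in its manifest and reports files that were changed or added after signing. It assumes the usual signed-JAR manifest layout (a "Name:" line followed by "<ALG>-Digest:" lines per entry); the sample archive, its file names and its placeholder .sf file are constructed, and the script does not validate the signature itself, which remains signtool's job.

```python
import base64, hashlib, io, zipfile

def parse_manifest(text):
    """Map entry name -> {algorithm: base64 digest} from a manifest."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    entries = {}
    for section in text.split("\n\n"):
        fields = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in fields:
            entries[fields["Name"]] = {
                k[:-7].lower().replace("-", ""): v  # "SHA1-Digest" -> "sha1"
                for k, v in fields.items() if k.endswith("-Digest")}
    return entries

def check_jar(data):
    """Compare each archive entry with the digests listed in the manifest."""
    report = {"ok": [], "modified": [], "unlisted": [], "missing": []}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = {n for n in jar.namelist() if not n.endswith("/")}
        meta = {n for n in names if n.upper().startswith("META-INF/")}
        report["signature_files"] = sorted(
            n for n in meta if n.upper().endswith((".SF", ".RSA", ".DSA")))
        mf = next((n for n in meta if n.upper() == "META-INF/MANIFEST.MF"), None)
        listed = parse_manifest(jar.read(mf).decode("utf-8")) if mf else {}
        for name in sorted(names - meta):
            digests = listed.get(name)
            if not digests:
                report["unlisted"].append(name)  # not covered by the signature
                continue
            body = jar.read(name)
            good = all(base64.b64encode(hashlib.new(alg, body).digest()).decode() == want
                       for alg, want in digests.items())
            report["ok" if good else "modified"].append(name)
        report["missing"] = sorted(set(listed) - names)  # listed but not in archive
    return report

def build_sample(tamper=False):
    """Constructed sample archive; names and contents are made up."""
    body = b"\xca\xfe\xba\xbe constructed class bytes"
    digest = base64.b64encode(hashlib.sha1(body).digest()).decode()
    manifest = "Manifest-Version: 1.0\n\nName: MyApplet.class\nSHA1-Digest: %s\n\n" % digest
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/manifest.mf", manifest)
        jar.writestr("META-INF/sample.sf", "Signature-Version: 1.0\n")  # placeholder
        jar.writestr("MyApplet.class", body + (b"!" if tamper else b""))
        if tamper:
            jar.writestr("util/Extra.class", b"added after signing")
    return buf.getvalue()
```

To check a real archive, pass its bytes to check_jar(); any name under "modified" or "unlisted" means the archive no longer matches what was signed.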
Put the signed .jar archive into the web server directory containing the main class of your applet. Change the .html file that invokes the applet so that it mentions the archive:
    <title>My Wonderful Signed Applet</title>
    <hr>
    <applet code="MyApplet.class" ARCHIVE="MyApplet.jar" width=600 height=350>
    </applet>
    <hr>
If you sign your applet but you still get security exceptions when you run your applet, then your code may not be properly using the Netscape Capabilities API to request privileges. Another clue is that you never see Navigator's security dialog, even when your code tries to do secure things. For information on the Capabilities API, see Netscape's document Java Capabilities API at <http://developer.netscape.com/library/documentation/signedobj/capsapi.html>, or Joe Bowbeer's article Signing Applets for Internet Explorer and Netscape Navigator at <http://ourworld.compuserve.com/homepages/jozart/article/index.html>.
A similar error message may indicate that your CA's certificate in your browser isn't marked for certifying software developers. Open the Security Info window, click on "Certificates/Signers" in the left column, select your CA in the list, and then click "Edit". Find the checkbox marked "Accept this Certificate Authority for Certifying software developers" and make sure it is checked.
If all else fails, then try this: at each step in the signing process, substitute information that you know is wrong. Examples: put in incorrect passwords, change file names, change paths, rename files, etc. If this changes the results (new error message, different error message, etc.) then your original information was probably correct. If not, then either the problem is occurring before that step, or your original information was itself wrong.
Although it should, Navigator 4.0 doesn't automatically load .gif (and probably .jpg) images from archives. You can, however, write code that will fetch .gif images from your applet's .jar archive. The process is explained in this JavaWorld article: <http://www.javaworld.com/javaworld/jw-07-1998/jw-07-jar.html>.
Files with the suffix
If you don't have a digital ID, or you don't want to re-sign your applet again and again while developing, there is hope. Check out the Netscape tech note Activating Codebase Principals, at <http://developer.netscape.com/library/technote/security/sectn2.html>. By default, Navigator will let you trust applets with a given digital signature, or from your local hard disk (using
Sub-note: although the Activating Codebase Principals tech note tells you to edit the text file "prefs.js", this isn't always true. On the Macintosh, for instance, you must edit the file "Netscape Preferences", which isn't registered as a text file at all (you must force a text editor to open it, although once open it's fine). Good luck.
You can also use
Copyright © 2012 Daniel Griscom | Site design myriadweb.com