I’m a little disturbed that by signing my jars and publishing them on the net, when users have accepted the certificate, any website can reference these jars with the certificate auto-accepted. Would hosting these by https help here? As I understand, you cannot mix webpages that use http and https.
What kind of misuse do you fear with that?
There is no difference in making a file available through HTTP or HTTPS.
Further, it’s not as simple as you seem to think. Code that attempts to use your signed code, must also be signed, by the other party, which has to be explicitly allowed by the user too. Especially since Java 1.6. update 19 you have a lot less options to run unsigned and signed code in the same application.
I also have a lot of message passing going between the applet and javascript. Would a foreign webpage over http, that includes my signed jars on https, be able to communicate with an instance of the applet?
Info on my project: I’m making a “traditional application” and is using the webbrowser for UI. Javascript does message passing between the applet and the browser. When I want to load a file, I message the applet to show the file dialog, but I was thinking of adding a disk browser (read/traverse only) in the webpage instead. That’s why I’m worried if other reference my jars and can get the same scripting capabilities on foreign sites.
just stick a ‘Trusted-Only: true’ attribute in the manifest of your signed jars. This way no unsigned jars can use your jars (or even start in the same jvm). Only foreign signed jars will be able to use them and in which can it doesn’t really matter if they use your jars or not since they are outside the java sandbox already.
Also, I’m getting a SSL certificate from Thawte for my domain. These don’t work for signing jars right? The seller also adverticed certificates for jars, but they were very expensive. Is self-signed that display my domain name just as good?
No, SSL Certificates can’t be used to sign jars. You’ll need a code signing certificate.
No not really, you’ll get a much more ugly(scary?) dialog with self signed jars then a proper certificate. Whether users really care about this is debatable (see minecraft, massively successful but still uses a self signed certificate).