Keep getting "JNLPSigningException [Failed to validate signing of launch file]" when launching a JNLP signed by template

Yego picture Yego · Oct 22, 2013 · Viewed 9.7k times · Source

We decided to sign our JNLP files by following this oracle guide. Since we have different JNLPs, we went for the second approach (Signing a JAR file with a JNLP template).

Here's the code we extracted into the template:

<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="*" href="*">
  <information>
    <title>*</title>
    <vendor>My vendor</vendor>
    <description>My description</description>
    <icon href="splash.jpg" kind="splash" width="700" height="400" size="115258"/>
    <offline-allowed />
    <shortcut>
      <menu submenu="My submenu"/>
    </shortcut>
  </information>

  <security>
    <all-permissions/>
  </security>

  <resources locale="en es ja">
    <j2se version="1.6+" initial-heap-size="128m" max-heap-size="384m" href="http://java.sun.com/products/autodl/j2se"/>
    <jar href="myjar.jar" main="true" download="lazy" part="core" size="*"/>
    <jar href="lib/commons-lang-2.6.jar" download="lazy" part="commons" size="297085"/>
    ...
    <jar href="lib/trident-6.0.jar" download="lazy" part="core" size="114496"/>
    <property name="jnlp.myProperty" value="*"/>
    <property name="log4j.configuration" value="*"/>
  </resources>

  <application-desc main-class="com.mycom.myapp.MyClass">
  </application-desc>
</jnlp>

... and here's one of the JNLPs we are actually using:

<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="http://mylocation.mycom.com/jnlp/myapp/" href="myapp.jnlp">
  <information>
    <title>My App - Production version</title>
    <vendor>My vendor</vendor>
    <description>My description</description>
    <icon href="splash.jpg" kind="splash" width="700" height="400" size="115258"/>
    <offline-allowed />
    <shortcut>
      <menu submenu="My submenu"/>
    </shortcut>
  </information>

  <security>
    <all-permissions/>
  </security>

  <resources locale="en es ja">
    <j2se version="1.6+" initial-heap-size="128m" max-heap-size="384m" href="http://java.sun.com/products/autodl/j2se"/>
    <jar href="myjar.jar" main="true" download="lazy" part="core" size="4189501"/>
    <jar href="lib/commons-lang-2.6.jar" download="lazy" part="commons" size="297085"/>
    ...
    <jar href="lib/trident-6.0.jar" download="lazy" part="core" size="114496"/>
    <property name="jnlp.myProperty" value="http://mylocation.mycom.com/jnlp/myapp/MyApp.properties"/>
    <property name="log4j.configuration" value="http://mylocation.mycom.com/jnlp/myapp/log4j.xml"/>
  </resources>

  <application-desc main-class="com.mycom.myapp.MyClass">
  </application-desc>
</jnlp>

notice that I used the wildcard(*) for:

  1. The codebase attribute in tag jnlp
  2. The href attribute in tag jnlp
  3. Content inside title tags
  4. attribute size in jar tag
  5. the value of the two properties

I put the template inside the appropriate JNLP-INF folder (with the appropriate name as well) and we signed the JAR after that. However, we keep getting a JNLPSigningException with the following message:

Failed to validate signing of launch file. The signed version does not match the downloaded version.

Does anyone have an idea of what am I missing?

Answer

gateslinger picture gateslinger · Jan 22, 2014

I had this same issue, but it turned out that my src/JNLP-INF/APPLICATION.JNLP file included in the signed .jar file (used as a signed jnlp file) was different than the application.jnlp file being used in the web application defined in the <applet> tags. Once I made them the same, error went away.

Word of caution using signed JNLP files within the .jar file, the file needs to be named exactly JNLP-INF/APPLICATION.JNLP as it is used as a template to match the jnlp being called within the application: