
vTAS-JNLP

vTAS is a Java application developed by Yannick Raoul with the help of Martin Böehm, A. Filhol, Wolfgang Schmidt, Zita Hüsges, etc.

The main problem addressed here is the signing process for both the .jar and the .jnlp files.

Signing the .jar file

The .jar file is signed with the ILL certificate from Renater:

jarsigner -J-Dhttp.proxyHost=proxy.ill.fr -J-Dhttp.proxyPort=8888 -tsa timestamp.digicert.com -keystore keystore.jks vTAS.jar ILLCodeSigning
Enter Passphrase for keystore: xxxxxxxxxxxx
jar signed.

Signing the .jnlp file

macOS complains if the file vTAS.jnlp is not signed.

Use the Terminal command line utility "codesign" to sign the JNLP file. Since the .jnlp file is a text file, the signature will be attached to the JNLP file as extended attributes. E.g.:

Unsigned file

$ xattr /Users/xxxxxx/Desktop/vTAS.jnlp
com.apple.metadata:kMDItemWhereFroms
com.apple.quarantine

Signed file

$ xattr /Users/xxxxxx/Desktop/vTAS.jnlp
com.apple.cs.CodeDirectory
com.apple.cs.CodeRequirements
com.apple.cs.CodeRequirements-1
com.apple.cs.CodeSignature       <------------ here!
com.apple.metadata:kMDItemWhereFroms
com.apple.quarantine

Since these extended attributes might be lost during file transfers, the JNLP file must be packaged in a ZIP, XIP, or DMG file.
A XIP would be perfect:
   xip --sign "INSTITUT MAX VON LAUE - PAUL LANGEVIN (P65398CN49)" --keychain "/Users/filhol/Library/Keychains/login.keychain" vTAS.jnlp vTAS.xip
but starting with macOS Sierra, only XIP archives signed by Apple will be expanded.

Thus the only solution is a .DMG archive containing the signed .jnlp file.

JNLP on macOS

HTML code for the download button
https://docs.oracle.com/javase/tutorial/deployment/webstart/deploying.html

The JNLP process downloads the file vTAS-JNLP.dmg containing the signed file vTAS.jnlp. When clicked, vTAS.jnlp tries to access the file:
https://www.ill.eu/fileadmin/user_upload/ILL/3_Users/Support_labs_infrastructure/Software-tools/vTAS/vTAS.jar
and compares its own contents to the JNLP stored inside the .jar file. If they match, the JNLP process bundles vTAS.jar into a macOS application, vTAS.app, and stores it in the cache. This bundle, built on the fly, has neither a version number nor a version string.
    /Users/xxxxx/Library/Application\ Support/Oracle/Java/Deployment/cache/6.0/bundles/vTAS.app

Other temporary files are kept in: /Users/xxxxxx/Library/Application Support/Oracle/Java/Deployment/cache

JNLP troubles with ILL's servers

Inside the ILL

  • the JNLP process is OK. A functional vTAS.app is downloaded and an alias is automatically created on the desktop.

Outside the ILL

  • the JNLP process fails with the error message Unable to launch the application
    The details indicate that the problem is related to "Incapsula_resources". The access to vTAS.jar through bek4w.x.incapdns.net (incapsula.com) fails.
    It is important to note that www.ill.eu pings to bek4w.x.incapdns.net while www.ill.fr pings to nrelay.ill.fr
    Thus we shall try to use www.ill.fr instead of www.ill.eu in the vTAS.jnlp file.
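
Because the launcher compares vTAS.jnlp with the copy stored inside the signed jar, editing the host in vTAS.jnlp also means updating that copy and re-signing vTAS.jar. The following pre-publication check is an added example, not part of the original page or the vTAS project; the entry name JNLP-INF/APPLICATION.JNLP, the byte-for-byte comparison, and the sample jar and JNLP contents are assumptions constructed for illustration.

```python
import difflib
import io
import zipfile

# Java Web Start's entry name for the signed copy of the launch file
# (assumption: vTAS.jar uses this standard name; the page does not state it).
EMBEDDED_JNLP = "JNLP-INF/APPLICATION.JNLP"

def check_signed_jnlp(jar_bytes: bytes, jnlp_bytes: bytes) -> list:
    """Return [] when the launch JNLP equals the copy embedded in the jar,
    otherwise a list of findings (missing entry, unsigned jar, differing lines)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if EMBEDDED_JNLP not in names:
            return [f"{EMBEDDED_JNLP} missing from jar"]
        embedded = jar.read(EMBEDDED_JNLP)
    findings = []
    # jarsigner adds a META-INF/*.SF signature file; none means the jar is unsigned.
    if not any(n.startswith("META-INF/") and n.upper().endswith(".SF") for n in names):
        findings.append("no META-INF/*.SF signature file: jar is not signed")
    if embedded != jnlp_bytes:  # assumed strictness: byte-for-byte equality
        diff = difflib.unified_diff(
            embedded.decode("utf-8", "replace").splitlines(),
            jnlp_bytes.decode("utf-8", "replace").splitlines(),
            "embedded", "launch", n=0, lineterm="")
        # Drop the two file headers and the @@ hunk markers, keep -/+ lines.
        lines = [l for l in list(diff)[2:] if not l.startswith("@@")]
        findings += lines or ["files differ only in line endings or trailing bytes"]
    return findings

def build_jar(jnlp: bytes, signed: bool = True) -> bytes:
    """Constructed stand-in for vTAS.jar; the .SF entry is a dummy, not a signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if signed:
            jar.writestr("META-INF/ILLCODES.SF", "Signature-Version: 1.0\n")
        jar.writestr(EMBEDDED_JNLP, jnlp)
    return buf.getvalue()

# Constructed sample launch files (shortened codebase, not the real vTAS.jnlp).
JNLP_EU = (b'<jnlp codebase="https://www.ill.eu/vTAS/" href="vTAS.jnlp">\n'
           b'  <resources><jar href="vTAS.jar" main="true"/></resources>\n'
           b'</jnlp>\n')
JNLP_FR = JNLP_EU.replace(b"www.ill.eu", b"www.ill.fr")

if __name__ == "__main__":
    jar = build_jar(JNLP_EU)
    print(check_signed_jnlp(jar, JNLP_EU))        # matching copy
    for line in check_signed_jnlp(jar, JNLP_FR):  # host edited, jar not rebuilt
        print(line)
```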

Warning
If the JNLP succeeded once, a vTAS.app is stored locally and hence the JNLP will always succeed.
To restore the original behavior for test purposes, go to:
     Java Control Panel / General / Temporary Internet Files
and delete vTAS.