
How to correctly sign jar in Java FX 2?


Basically, Oracle states that self-contained applications (which I want to use) will run in a sandbox environment and will not have access to the OS file system, clipboard, etc. unless you sign the jar. The code from their samples is:

<fx:signjar keyStore="${basedir}/sample.jks" destdir="dist"
            alias="javafx" storePass="****" keyPass="****">
    <fileset dir='dist/*.jar'/>
</fx:signjar>

But this only signs the main jar, I think. I also have some libraries in the dist/lib folder, so I'm using this code to add them to my main jar:

<fx:resources>
    <fx:fileset dir="dist" includes="lib/*.jar"/>
</fx:resources>

Do I have to add another fileset to the fx:signjar in order to sign them too, or is it enough to sign only the main jar?

Regards, Aurelian


Solution

  • If you need to sign your app, sign all of your jars, not just the main jar.

    For browser embedded or webstart type deployments which need to operate outside of their respective sandboxes, you can sign just one jar and not sign others, but that will result in confusing mixed code warning dialogs for the end user and is not at all recommended.

    For example the following fileset will include all of your distribution jars for signing:

    <fileset dir='dist' includes='**/*.jar'/>
    

    Jars do not need to be signed for self-contained applications to access privileged resources as they do not run within a sandbox by default.

    Some application platforms (such as the OS X Gatekeeper) may benefit from signing of the self-contained application using a platform-specific tool. But such signing is outside the scope of the JavaFX 2.2.3 packaging tools.
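
An added example, not part of the original answer or of the JavaFX packaging tools: a post-build check that walks dist the way includes='**/*.jar' does and reports jars that carry no signature files, so a mixed signed/unsigned distribution is caught before deployment. The function names and the sample jars built in demo() are constructed for illustration; the check only inspects META-INF entries, and cryptographic verification is left to jarsigner -verify.

```python
import tempfile
import zipfile
from pathlib import Path

SIG_BLOCK_EXT = {"RSA", "DSA", "EC"}  # signature block files written next to the .SF

def jar_signers(jar):
    """Return signer names that have both a .SF file and a signature block in META-INF.
    Structural check only; `jarsigner -verify` performs the cryptographic verification.
    """
    sf, blocks = set(), set()
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            upper = name.upper()
            # Signature files live directly in META-INF/, not in subdirectories.
            if not upper.startswith("META-INF/") or upper.count("/") != 1:
                continue
            stem, _, ext = upper[len("META-INF/"):].rpartition(".")
            if stem and ext == "SF":
                sf.add(stem)
            elif stem and ext in SIG_BLOCK_EXT:
                blocks.add(stem)
    return sf & blocks

def audit_dist(dist_dir):
    """Map every jar under dist_dir (recursive, like includes='**/*.jar') to its signers."""
    root = Path(dist_dir)
    return {p.relative_to(root).as_posix(): jar_signers(p) for p in sorted(root.rglob("*.jar"))}

def mixed_code(report):
    """Return the unsigned jars if at least one other jar in the report is signed."""
    unsigned = [jar for jar, signers in report.items() if not signers]
    return unsigned if len(unsigned) < len(report) else []

def demo():
    """Audit a constructed dist/: signed-looking app.jar, unsigned lib/dep.jar (dummy bytes)."""
    with tempfile.TemporaryDirectory() as tmp:
        dist = Path(tmp, "dist")
        (dist / "lib").mkdir(parents=True)
        with zipfile.ZipFile(dist / "app.jar", "w") as zf:
            zf.writestr("META-INF/JAVAFX.SF", "constructed")
            zf.writestr("META-INF/JAVAFX.RSA", "constructed")
        with zipfile.ZipFile(dist / "lib" / "dep.jar", "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        report = audit_dist(dist)
        return report, mixed_code(report)

if __name__ == "__main__":
    print(demo())
```

A non-empty result from mixed_code() on a real dist directory means some jars were left out of the signing fileset.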