Question

On Mac OS X 10.9 signed Java Web Start applications are blocked by default with the message:

"application.jnlp" can't be opened because it is from an unidentified developer.

I know it's possible to weaken the security checks to allow any application to run, but that requires a manual intervention of the end user.

Is it possible to "sign" a Java Web Start application such that it is recognized as originating from an identified developer?

Thank you


Solution 3

Apple does appear to support signing of Web Start -- but not directly. You have to bundle it in an archive. See the note at the bottom of this page:

You can use the codesign utility to sign the JNLP file, which will attach the code signature to the JNLP file as extended attributes. To preserve these attributes, package the JNLP file in a ZIP, XIP, or DMG file. Be careful using the ZIP format, as some third-party tools might not capture the required extended attributes correctly.

Also note that XIP isn't supported for non-Apple developers anymore:

Important: Starting with macOS Sierra, only XIP archives signed by Apple will be expanded. Developers who have been using XIP archives will need to move to using signed installer packages or disk images.
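The ZIP caveat quoted above can be checked before an archive is published. The following is an added example, not code from the answer or from Apple. It assumes that macOS archivers store extended attributes in an AppleDouble entry named `__MACOSX/._<file>` and that codesign uses the `com.apple.cs.*` attribute names listed; the function names and sample archives are constructed for illustration.

```python
import io
import struct
import zipfile

# Assumption: codesign keeps a plain file's signature in these xattrs.
SIGNATURE_XATTRS = (b"com.apple.cs.CodeDirectory", b"com.apple.cs.CodeSignature")
APPLEDOUBLE_MAGIC = 0x00051607  # first four bytes of an AppleDouble file


def jnlp_signature_status(zip_bytes, jnlp_name):
    """Return 'missing-file', 'no-sidecar', 'bad-sidecar', 'no-signature' or 'ok'."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        if jnlp_name not in names:
            return "missing-file"
        # Assumption: xattrs travel in __MACOSX/<dir>/._<file>, an AppleDouble
        # sidecar that third-party ZIP tools may silently leave out.
        head, _, tail = jnlp_name.rpartition("/")
        sidecar = "__MACOSX/" + (head + "/" if head else "") + "._" + tail
        if sidecar not in names:
            return "no-sidecar"
        blob = zf.read(sidecar)
    if len(blob) < 4 or struct.unpack(">I", blob[:4])[0] != APPLEDOUBLE_MAGIC:
        return "bad-sidecar"
    if all(name in blob for name in SIGNATURE_XATTRS):
        return "ok"
    return "no-signature"


def constructed_sidecar():
    """Constructed stand-in for a sidecar: magic, version, attribute names."""
    return struct.pack(">II", APPLEDOUBLE_MAGIC, 0x00020000) + b"\0".join(SIGNATURE_XATTRS)


def constructed_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    jnlp = b"<jnlp/>"
    stripped = constructed_zip({"application.jnlp": jnlp})
    kept = constructed_zip({"application.jnlp": jnlp, "__MACOSX/._application.jnlp": constructed_sidecar()})
    print(jnlp_signature_status(stripped, "application.jnlp"))
    print(jnlp_signature_status(kept, "application.jnlp"))
```

This only confirms that the signature attributes survived packaging; it does not validate the signature itself.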

OTHER TIPS

In the latest OS X releases, Apple has changed its security model to only support applications from the Mac App Store and identified developers. In most cases, this prohibits jnlp/java-web-start applications from launching.

If this is a trusted application, you may override these settings by updating your system settings as follows:

System Preferences -> Security & Privacy -> (Unlock Window) -> Allow apps downloaded from: (Select Anywhere)


In some cases you may need to update your Java Security preferences too:

System Preferences -> Java -> Security -> (Select Medium)


Be careful when adjusting these. These settings will open you up to popular attack vectors where an attacker can exploit vulnerabilities within the Java runtime (Java 0 days).

Here is a related post. It doesn't appear to be possible to bypass the security, Allow All, workaround.

OS X 10.8 Gatekeeper and Java applets

From Apple Tech Support in the post above.

"Unidentified developer" means a source other than the Mac App Store or a Developer ID-identified developer. Note that Java applets cannot participate in the Developer ID program.

I am considering building a native app and using a custom web protocol instead, similar to Skype, where you see skype:// in the URI. It doesn't seem like Apple will change their stance on Java applets in the near future. It will most likely become more restricted and eventually just disabled, like Flash on iOS.

The answers to How to sign (dynamic) JNLP files for OSX and Gatekeeper address this question, just ignore the 'dynamic' aspect.

You can codesign -f -s "Developer ID Application: " application.jnlp but the HFS resource won't transfer with the file over the web.

Until Oracle works out a solution, if they ever do, addressing JNLP/Web Start, it looks like we have to figure out a work-around that starts us down the path to creating a Mac app bundle.

This seems to have changed in OS X 10.10. Now after going to System Preferences -> Security & Privacy -> (Unlock Window) -> Allow apps downloaded from: (Select Anywhere) (after trying to run the .jnlp file) you'll see an option to "Run anyway".

Sadly Apple has removed the Anywhere option under System Preferences -> Security & Privacy in macOS Big Sur versions.

Below is a very simple way to override macOS security settings for unsigned jnlp files when you get the following message:

"file-name.jnlp" cannot be opened because it is from an unidentified developer. macOS cannot verify that this app is free from malware.

Follow the steps below to override the system security settings:

  1. Ensure the jnlp file has been downloaded (normally in the Downloads folder).
  2. Find the file in Finder and use Control + click and then Open.
  3. You should get a slightly different dialog with the Open button allowing you to override the system security settings and execute the file.

Reference

Also you may need to download OpenWebStart for macOS

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow