Digital signing for webstart applications

Question

What is the usual digital signing strategy for packaging 3rd party plugins?

My webstart application uses a number of extensions in its JNLP to make use of various libraries. For instance, the application is built using Eclipse's equinox technology and therefore some of the JAR's are signed with an Eclipse signature. It is awkward though that upon installation Java asks 'Do you want to run this application?', Name: MyApplication, Publisher: Eclipse.org Foundation, Inc. Obviously this could be confusing for the end user to think that MyApplication was written by Eclipse.org.

Short of personally compiling and signing all packages from scratch with my own certificate, what is the best solution for this situation?

I tried simply signing the already signed Eclipse jar, but when I run jarsigner, I get: " invalid SHA1 signature file digest"

Answer 1

The maven and ant have the signjar plugin in which keystore(certificate) can be specified.

If you don't have one, use Java to make the keystore where you can type Publisher name into.