Note: this page is a Chinese/English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/19458676/

Date: 2020-08-12 17:24:27  Source: igfitidea

Signing a jar file with trusted certificate for JWS deployment

Tags: java, certificate, java-web-start, code-signing

Asked by NicoV

I've developed an open source program, WPCleaner, which is distributed through Java Web Start. Current version is available at http://site4145.mutu.sivit.org/WikiCleaner/WikiCleaner.jnlp


With the recent updates in Java, it becomes more and more difficult to deploy Java applications through Java Web Start when you need the application to have a few permissions (writing in the preferences, accessing other web sites, ...)


My application was self-signed, which was ok before but new updates require users to accept the application every time they run it, not just once and for all if they wish. So, I decided to use a trusted certificate for signing my application.


I got one from Certum (apparently, they're free for open source developers), following this discussion: Code signing certificate for open-source projects?


I've generated a new jar file, signed with this certificate (jar file available at http://site4145.mutu.sivit.org/WikiCleaner/WikipediaCleanerTest.jar), but I still have problems: when I start the application through JWS, Java still displays a warning window not letting me trust the application once and for all. Editor is still displayed as UNKNOWN, but when I look in the details of the message, it's my new certificate from Certum that's being used.


Does anyone have an idea on what I'm doing wrong? I thought that having a certificate from a trusted CA (Certum seems to be in Java cacerts) would allow users to accept the certificate once and for all.


Thanks


PS: When I run jarsigner -verify, I get the following warning "This jar contains entries whose certificate chain is not validated."


Accepted answer by NicoV

I think I finally managed to do it following this procedure:


  • Installed the certificate provided by Certum in Chrome through their web site interface
  • Exported the private key as a .pfx from Chrome (Settings, Manage certificates, Export, Export the private key, PKCS#12, ...)
  • Used KeyTool GUI (java fronted GUI for keytools) to create a complete p12: imported Certum root certificate as a trusted certificate, imported intermediate certificates as trusted certificates, imported my .pfx as a key pair
  • Signed the jar with this p12

Seems to work for me, I'm waiting for other users feedback to be sure that it works for them also.


Edit: I tried again to export the certificate from Chrome, and I saw that there's an option to include the certificate chain in the export. When doing this, I don't even need to use the KeyTool GUI afterwards. I've redeployed the test version signed with this new p12:


  • Installed the certificate provided by Certum in Chrome through their web site interface
  • Exported the private key as a .pfx from Chrome (Settings, Manage certificates, Export, Export the private key, PKCS#12 + include certificate chain, ...)
  • Signed the jar with this p12

Answer by Pignic

I solved the same problem on mine today with this:


Manifest-Version: 1.0
Trusted-Library: true
Application-Library-Allowable-Codebase: *
Trusted-Only: false
Application-Name: My app
Permissions: all-permissions
Created-By: 1.6.0_16 (Sun Microsystems Inc.)
Caller-Allowable-Codebase: *
Codebase: *

Answer by Andrew Thompson

I'm waiting for other users feedback to be sure that it works for them also.


Based on JaNeLA for the file - valid JNLP. Most importantly, known publisher for WikiCleanerTest..



So there is one result of 'seems to work here for identifying the publisher'. Great work and thanks for description of the process.


Works so much better than the one I looked at before. :P




Jarsigner -verify


s     292828 Sun Oct 20 17:57:58 EST 2013 META-INF/MANIFEST.MF
      292645 Sun Oct 20 17:57:58 EST 2013 META-INF/WPCLEANE.SF
        2017 Sun Oct 20 17:57:58 EST 2013 META-INF/WPCLEANE.RSA
           0 Sun Oct 20 17:57:52 EST 2013 META-INF/
           0 Wed Feb 11 15:04:50 EST 2009 META-INF/maven/
           ..
           0 Sun Oct 20 17:57:32 EST 2013 org/xnap/commons/i18n/
sm      2837 Thu Sep 09 16:00:54 EST 2004 META-INF/info.xml
..
sm       214 Wed Feb 11 00:57:02 EST 2009 org/xnap/commons/i18n/LocaleChangeListener.class

  s = signature was verified 
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

Warning: 
This jar contains entries whose certificate chain is not validated.

Re-run with the -verbose and -certs options for more details.

I understand the warning:


This jar contains entries whose certificate chain is not validated.


..can be ignored.


JaNeLA Report


JaNeLA shows one error.


JaNeLA Report - version 11.05.17

Report for http://site4145.mutu.sivit.org/WikiCleaner/WikiCleaner.jnlp

cvc-complex-type.2.4.a: Invalid content was found starting with element 'homepage'. One of '{description, icon, offline-allowed, shortcut, association, related-content}' is expected.
cvc-complex-type.2.4.a: Invalid content was found starting with element 'homepage'. One of '{description, icon, offline-allowed, shortcut, association, related-content}' is expected.

XML encoding not known, but declared as utf-8
Codebase + href 'http://site4145.mutu.sivit.org/WikiCleaner.jnlp' is not equal to actual location of 'http://site4145.mutu.sivit.org/WikiCleaner/WikiCleaner.jnlp'.
Desktop icons were subject to bug nnnn in earlier J2SE versions
Optimize this application for off-line use by adding the <offline-allowed /> flag.
'short' description is longer than 'default' description.
Downloads can be optimized by specifying a resource size for 'WikipediaCleaner.jar'.
The resource download at WikipediaCleaner.jar can be optimized by removing the (default) value of download='eager'.
Lazy downloads might not work as expected for WikipediaCleaner.jar unless the download 'part' is specified. 
Resource type png of resource commons-nuvola-web-broom.png is not one of the allowable types of gif, jpg, jpeg.
Downloads can be optimized by specifying a resource size for 'commons-nuvola-web-broom.png'.
Icon loading & use can be optimized by specifying the width and height for commons-nuvola-web-broom.png

See the JNLP validated, and a corrected version with tweak, below.



But here is the real bad news:


UNKNOWN publisher - More Info.


Here are some details of the certificate:


  • Nicolas Vervelle (Nicolas Vervelle)

    • Subject:CN=Nicolas Vervelle, OU=WikipediaCleaner, O=WikipediaCleaner, L=Paris, ST=France, C=FR

Out Of Date Java


Here is a strange warning I do not understand..



The app. is requesting 1.5.0+ so any version 1.7+ should be accepted without question.
It claims to be requesting 1.6 (probably because I have no 1.5 run-time installed). The only thing I can think of that is triggering the warning is the inclusion of a micro-version, which is unnecessary.


JNLP


Here is the JNLP validated above:


<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.5+" codebase="http://site4145.mutu.sivit.org/WikiCleaner" href="WikiCleaner.jnlp">
  <information>
    <title>WPCleaner</title>
    <vendor>User:NicoV</vendor>
    <description>WPCleaner</description>
    <description kind="short">A tool for Wikipedia maintenance</description>
    <homepage href="http://en.wikipedia.org/wiki/WP:WPCleaner"/>
    <icon href="commons-nuvola-web-broom.png"/>
    <shortcut>
      <desktop/>
    </shortcut>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version="1.5.0+" java-vm-args="-Xmx512M"/>
    <jar href="WikipediaCleaner.jar" download="eager" main="true"/>
  </resources>
  <application-desc main-class="org.wikipediacleaner.WikipediaCleaner"/>
</jnlp>

Here is a suggested replacement. It is valid according to JaNeLA (bar warnings that we can ignore). It also includes another tweak to the minimum version attribute.


<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.5+" codebase="http://site4145.mutu.sivit.org/WikiCleaner" href="WikiCleaner.jnlp">
  <information>
    <title>WPCleaner</title>
    <vendor>User:NicoV</vendor>
    <!-- Should be here.. -->
    <homepage href="http://en.wikipedia.org/wiki/WP:WPCleaner"/>
    <description>WPCleaner</description>
    <description kind="short">A tool for Wikipedia maintenance</description>
    <icon href="commons-nuvola-web-broom.png"/>
    <shortcut>
      <desktop/>
    </shortcut>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <!-- the micro-version request might be triggering the 
    Out-Of-Date Java version warning -->
    <j2se version="1.5+" java-vm-args="-Xmx512M"/>
    <jar href="WikipediaCleaner.jar" download="eager" main="true"/>
  </resources>
  <application-desc main-class="org.wikipediacleaner.WikipediaCleaner"/>
</jnlp>
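As an added example that is not part of this answer or of JaNeLA itself, the following Python checker reproduces three of the JaNeLA findings above (the `<information>` element order, the codebase + href mismatch, and the micro-version in `j2se`) so they can be caught before deploying. `INFO_ORDER`, `check_jnlp` and the sample strings are my own constructions based on the JNLP posted above.

```python
import xml.etree.ElementTree as ET

# Child order the JNLP schema expects inside <information>; the JaNeLA error
# above ("Invalid content ... starting with element 'homepage'") violates it.
INFO_ORDER = ["title", "vendor", "homepage", "description", "icon",
              "offline-allowed", "shortcut", "association", "related-content"]

def check_jnlp(xml_text, actual_url):
    """Return findings for a JNLP document that is served from actual_url."""
    root = ET.fromstring(xml_text)
    findings = []
    # JaNeLA's check: codebase + href must equal the real download location.
    declared = root.get("codebase", "").rstrip("/") + "/" + root.get("href", "")
    if declared != actual_url:
        findings.append("codebase+href mismatch: " + declared)
    info = root.find("information")
    if info is not None:
        ranks = [INFO_ORDER.index(c.tag) for c in info if c.tag in INFO_ORDER]
        if ranks != sorted(ranks):
            findings.append("information children out of schema order")
        if info.find("offline-allowed") is None:
            findings.append("missing <offline-allowed/>")
    # The answer above suspects the micro version (1.5.0+) triggers the
    # "Out Of Date Java" warning, so flag any version with a micro component.
    for j2se in root.iter("j2se"):
        version = j2se.get("version", "")
        if version.rstrip("+").count(".") >= 2:
            findings.append("j2se version has a micro component: " + version)
    return findings

# Constructed samples derived from the JNLP posted above (declaration omitted).
TEMPLATE = """<jnlp spec="1.5+" codebase="http://site4145.mutu.sivit.org/WikiCleaner" href="WikiCleaner.jnlp">
  <information><title>WPCleaner</title><vendor>User:NicoV</vendor>{info}</information>
  <security><all-permissions/></security>
  <resources><j2se version="{ver}" java-vm-args="-Xmx512M"/>
    <jar href="WikipediaCleaner.jar" download="eager" main="true"/></resources>
  <application-desc main-class="org.wikipediacleaner.WikipediaCleaner"/>
</jnlp>"""
HOMEPAGE = '<homepage href="http://en.wikipedia.org/wiki/WP:WPCleaner"/>'
DESC = '<description>WPCleaner</description><icon href="commons-nuvola-web-broom.png"/>'
ORIGINAL = TEMPLATE.format(info=DESC + HOMEPAGE, ver="1.5.0+")   # as posted
CORRECTED = TEMPLATE.format(info=HOMEPAGE + DESC, ver="1.5+")    # suggested fix
ACTUAL = "http://site4145.mutu.sivit.org/WikiCleaner/WikiCleaner.jnlp"
```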

Answer by Eric David

[Update 2017] Open Source code signing from Certum now uses a cryptographic flash card as a private key and must be plugged in for certificate activation and installation, as well as for code signing. The key costs $125 (+ shipping fee) and the 1-year certificate alone costs $40. You can ask for a discount.




Here are the steps to sign your jar file from scratch.


Instructions


Instructions in English are hard to find and not up to date. The following procedure is based on these 2 documents:


Create, activate and install your certificate:


  1. Go on the "Certum Certification" website in the "OpenSource Code Signing" section and order your certificate.
  2. Once the cryptographic flash card is received (it took 15 days for me), plug it in, install the driver and the proCertum CardManager software from the card.
  3. Go to your Certum account and follow the activation process of your newly ordered certificate.

Tip: The CryptoAgent Java Web Start application runs only with a JDK (not JRE) < 9 (so, JDK 7 or 8).


  4. You'll receive a mail asking for some official documents (ID card, rent bill, etc.) and an e-mail verification procedure.
  5. Send the documents and information required for activation. You'll receive another mail asking you to install the certificate (the verification was done within 1 hour).
  6. Install the certificate on the cryptographic card following the procedure Storing the Certificate on the card (see the instructions in English, part 4)

Obtain the file "bundle.pem"


This file is mandatory for obtaining a valid certificate chain when signing your application (see the part 7.1.2 in the instructions in Polish).


Basically, it consists of concatenating in a plain text format file 1) your certificate and 2) the Certum Code Signing CA SHA2 public key.


  1. Open proCertum CardManager >> Read Card >> tab Common >> select your certificate and click "Show details"
  2. Export your certificate: x509 - base-64
  3. Download the Certum Code Signing CA SHA2 in PEM format (from the list of root certificates of Certum).
  4. Create the text file "bundle.pem" by concatenating these 2 certificates (first your certificate and second the Certum certificate).

Sign your jar file with Jarsigner


  1. Create the "provider.cfg" file as explained in the point 7.2 of the instructions in English.
  2. You need the alias of your certificate (and not the owner name) to sign your jar. To obtain it, execute the following command:
keytool -list -v -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg "provider.cfg" -storepass "[your_pin]"
  3. Once you have the alias, the provider.cfg and bundle.pem files ready, just sign your jar with the following command:
jarsigner -keystore NONE -certchain "bundle.pem" -tsa "http://time.certum.pl" -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg "provider.cfg" -storepass "[your_pin]" "[your_code].jar" "[your_alias]"

Personally, I use an Ant script to sign my application jar files. See the signjar task from the Ant project.


Answer by FHeNuS

As mentioned here, to remove the UNKNOWN PUBLISHER warning you can add the certificate you used to sign the jar into the Signer Jar of the Java Control Panel: Configure Java -> Security -> Manage Certificates -> Signer Jar option -> Import.


Answer by qwert2003

On Linux, the following procedure worked for me. It is based on the answer by Eric David.


Get your Certificate


Go on the "Certum Certification" website in the "OpenSource Code Signing" section. Buy a certificate and follow the creation procedure.


Get the Public Key for Code Signing


Get the Public Key of Certum Code Signing CA, probably the CA SHA2 key cscasha2.cer.


Convert the certificate to pkcs12 format


  • Import your own certificate (the one you got from Certum) into Firefox:
    menu item settings - advanced - certificates - show certificates.
  • Import the CA SHA2 public key (used by Certum to sign your certificate):
    tab cert. authorities - import.
  • Verify. It should tell that it has been verified:
    tab own certificates - show.
  • Export the certificate:
    tab own certificates - save - as pkcs12 (e.g. to mycert.p12)

Convert from pkcs12 format to jks format


Find the alias used in your pkcs12 file. It will be similar to "unizeto technologies s.a. id von open source developer, YOUR NAME".


keytool -list -v -storetype pkcs12 -keystore mycert.p12 > out.txt
grep "Alias name" out.txt

Then convert the pkcs12 file into java's jks format. This step could be omitted, but once done it is convenient.


keytool -importkeystore -srckeystore mycert.p12 -srcstoretype pkcs12 -srcalias "ALIASNAME" -destkeystore mycert.jks -deststoretype jks -deststorepass PASSWORD -destalias SHORTALIAS

Sign your jar file


To avoid warnings to the webstart user, the jar manifest file should contain the following attributes:


  • Application-Name: APPNAME
  • Permissions: all-permissions
  • Codebase: URL
  • Application-Library-Allowable-Codebase: URL

Sign your jar file using the following command:


jarsigner -keystore mycert.jks -tsa http://time.certum.pl FILENAME.jar SHORTALIAS
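Added example, not part of any of the answers: a Python check for the manifest attributes listed in this answer and in Pignic's answer above. It also flags the wildcard form, because a `*` in Codebase or Application-Library-Allowable-Codebase lets the signed jar be launched from any site rather than only from your own. The sample manifests and the `check_jar`/`build_jar` names are constructed for this example.

```python
import io
import zipfile

# Attributes Web Start expects in a signed jar's manifest (per the answers above).
REQUIRED = ("Application-Name", "Permissions", "Codebase",
            "Application-Library-Allowable-Codebase")
# Codebase-style attributes: a bare "*" lets any site re-host the signed jar.
CODEBASE_ATTRS = ("Codebase", "Application-Library-Allowable-Codebase",
                  "Caller-Allowable-Codebase")

def parse_manifest(text):
    """Parse the main section of MANIFEST.MF; a line starting with one
    space continues the previous value (the 72-byte wrap rule)."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs

def check_jar(jar_bytes):
    """Return findings for a jar given as bytes (empty list = clean)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        attrs = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        # A signed jar carries META-INF/<name>.SF beside its .RSA/.DSA/.EC block.
        signed = any(n.startswith("META-INF/") and n.endswith(".SF")
                     for n in zf.namelist())
    findings = ["missing attribute: " + k for k in REQUIRED if k not in attrs]
    findings += ["wildcard codebase in " + k for k in CODEBASE_ATTRS
                 if attrs.get(k) == "*"]
    if not signed:
        findings.append("jar is not signed (no META-INF/*.SF)")
    return findings

def build_jar(manifest_text, signed=False):
    # Build an in-memory jar with the given manifest (constructed sample).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
        if signed:  # placeholder signature entries, not a real signature
            zf.writestr("META-INF/WPCLEANE.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/WPCLEANE.RSA", b"\x30\x00")
    return buf.getvalue()

# Constructed manifests: the wildcard form posted above, and a scoped form.
WILDCARD = ("Manifest-Version: 1.0\r\nApplication-Name: My app\r\nPermissions: all-permissions\r\n"
            "Codebase: *\r\nApplication-Library-Allowable-Codebase: *\r\n\r\n")
SCOPED = ("Manifest-Version: 1.0\r\nApplication-Name: WPCleaner\r\nPermissions: all-permissions\r\n"
          "Codebase: http://site4145.mutu.sivit.org/WikiCleaner\r\n"
          "Application-Library-Allowable-Codebase: http://site4145.mutu.sivit.o\r\n rg/WikiCleaner\r\n\r\n")
```

Run `check_jar` against the real jar bytes (`open("FILENAME.jar", "rb").read()`) after signing; an empty list means the attributes are present, scoped, and the jar carries a signature file.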