It appears that Glassfish signs the appclient jar automatically as per the following statement, which I reproduce from the article at
http://java.sun.com/developer/technicalArticles/J2EE/jws-glassfish/part4.html
[b]Auto-signed and Manually Signed JARs[/b]
Some of the GlassFish ACC code needs elevated permissions. In addition, some of the code triggered by your client code – such as code to communicate with an EJB on the back-end server – also needs elevated permissions. This is true whether you launch using the appclient command or the Java Web Start support. What is different is that, as we have just seen, the Java Web Start security rules require that code with elevated permissions be signed in order to run.
The GlassFish app server automatically signs the appserv-jwsacc.jar file that runs the ACC during a Java Web Start launch. When an end user uses Java Web Start software to launch an application client, the GlassFish server signs the generated application client JAR file for that application client, if it has not already done so. In both cases, the GlassFish server uses a self-signed certificate that it generates during creation of a GlassFish domain.
Your end users might not trust the self-signed GlassFish certificate. You can provide signed copies of these files yourself, using your own certificate, in which case the GlassFish server serves those files instead. You can sign the appserv-jwsacc.jar file any time after you have completed the GlassFish installation. Sign the generated application client JAR file any time after you have deployed the application that contains the application client. The GlassFish app server does not overwrite your signed files unless you redeploy the application, in which case you can simply sign the new generated application client JAR.
[Message sent by forum member 'vimalkansal' (vimalkansal)]
http://forums.java.net/jive/thread.jspa?messageID=220759