In addition to general information about signing JAR files, here is a little more background on signing and the Java Web Start support in GlassFish.
Java Web Start enforces a security sandbox, in that it requires any code that uses elevated permissions to be loaded from signed JAR files. Signing a JAR uses a security certificate.
GlassFish will automatically sign the JARs that need signing (such as the app client JAR itself, for example) if you have not already signed them, so that your app client can run with the standard Java EE app client permissions (as described in the spec). GlassFish will use the default security certificate created when the domain is created, but you can specify a different certificate when you deploy the application.
Keep in mind that the GlassFish default security certificate is "self-signed," which means that no trusted certificate authority vouches for the authenticity of the cert. So end-users will be asked if they trust an application signed with that certificate. What some GlassFish administrators will do is load their own cert into GlassFish and then have GlassFish use that cert for auto-signing JARs. If the cert is from a trusted authority then the user will not even be prompted to accept or reject the app.
Hope that helps a little.
As others mentioned, though, signing the JARs yourself is not required because GlassFish will auto-sign the required JARs.
- Tim
[Message sent by forum member 'tjquinn' (timothy.quinn_at_sun.com)]
http://forums.java.net/jive/thread.jspa?messageID=377722