What is the usual digital signing strategy for packaging 3rd party plugins?
My Web Start application uses a number of extensions in its JNLP to make use of various libraries. For instance, the application is built using Eclipse's Equinox technology, and therefore some of the JARs are signed with an Eclipse signature. It is awkward, though, that upon installation Java asks 'Do you want to run this application?', Name: MyApplication, Publisher: Eclipse.org Foundation, Inc. Obviously this could confuse the end user into thinking that MyApplication was written by Eclipse.org.
Short of personally compiling and signing all packages from scratch with my own certificate, what is the best solution for this situation?
I tried simply signing the already signed Eclipse JAR, but when I run jarsigner, I get: "invalid SHA1 signature file digest"