How exactly do I create a signed CAB for use in Internet Explorer?

John Zukowski



Internet Explorer supports signed CAB files, not signed JAR files. CAB is short for cabinet and is a Microsoft-only format. The tools for signing applets in CABs are found with Microsoft's SDK for Java and are part of Visual J++.

You'll need to get certificates from a CA for signing. If you previously acquired one for signing Netscape objects, you have to get a different one for signing Microsoft CAB files. Running your applets from Microsoft's Developer Studio bypasses this requirement during testing. If you aren't testing from Visual J++, you can make a test Software Publisher Certificate (SPC) instead.

The steps for generating a testing certificate follow:

  1. makecert -sk JaneDoe -n "CN=Jane Doe" Doe.cer
    This makes a certificate for the key (-sk) identified by JaneDoe. The certificate subject is Jane Doe, and the certificate is stored in the file Doe.cer.
  2. cert2spc Doe.cer Doe.spc
    This converts the certificate file Doe.cer to the Software Publisher Certificate (SPC) file Doe.spc.

Now that you have a signing certificate, you can create a program. The following demonstrates reading a file from disk to work with Internet Explorer. You'll sign it and run it as a trusted object within Internet Explorer. Here is the source:

import com.ms.security.*;
import com.ms.security.permissions.*;
import java.io.*;
import java.awt.*;
import java.applet.*;

public class ReadFileIE extends Applet {
  public void init() {
    try {
      // The file to display is named by the applet's "filename" parameter
      String filename = getParameter ("filename");

      // Read the whole file into memory, one line at a time
      FileReader fr = new FileReader (filename);
      BufferedReader br = new BufferedReader (fr);
      StringWriter sw = new StringWriter();
      String line;
      while ((line = br.readLine()) != null) {
        sw.write (line);
        sw.write ('\n');
      }
      br.close();

      // Show the file's contents in a text area
      setLayout (new BorderLayout());
      add (new TextArea (sw.toString()), BorderLayout.CENTER);
    } catch (IOException e) {
      System.err.println ("Error reading file");
    }
  }
}

  1. First, compile the source file. (Be sure Microsoft's class files are in your CLASSPATH.)
  2. Place the ReadFileIE.class file in a CAB.
    cabarc n readIE.cab ReadFileIE.class
  3. Sign it. (Don't worry about the options to signcode yet.)
    signcode -j javasign.dll -jp low -spc Doe.spc -k JaneDoe readIE.cab
  4. Verify that the appropriate permissions are encoded.
    chkjava readIE.cab

    This displays the warning message that Internet Explorer would display when it loads the CAB file.

  5. Once you have a signed CAB file, create an HTML file that references it:
    <applet code="ReadFileIE.class" width="400" height="300">
      <param name="cabinets" value="readIE.cab">
      <param name="filename" value="C:\tempfile.txt">
    </applet>

    You can combine the archive parameter from Netscape with Microsoft's cabinets parameter and provide one HTML loader for the same applet, signed for each browser.

When you load the applet into Internet Explorer, you'll see the same warning message that chkjava displayed. Select Yes to see the applet run with the permissions granted. If you wish to restrict permissions, this is where the command-line options to signcode come in.

The -j javasign.dll option must always be present. It specifies the location of the DLL that does the actual signing. Because the signing tool can also sign objects other than Java class files, this DLL is what signs the CAB with Java permission information.

The -jp low option specifies the Java permission level for the CAB file. When the applet within the CAB is run, IE checks which Zone the user is running in. Zones run from high risk, to medium risk, to low risk. If the user is running in a high-risk area (the Internet) and runs across an applet that has been signed for medium security, the user is prompted to grant permissions. On the other hand, if the user is running in a low-risk area, like a corporate intranet, there would be no prompting for a CAB signed at the medium security level; the applet would just run. For a more complete description, see Microsoft's Signing a Cabinet File with Java Permissions Using Signcode.

You can also timestamp your CAB files with another command-line option, -t, followed by the URL of a timestamp server. Verisign offers one such server at http://timestamp.verisign.com/scripts/timstamp.dll.

If you wish to customize the permissions, instead of worrying about low, medium, or high, you can create an .INI file that contains the custom permissions. This has the side effect of displaying only the necessary permissions when the user is prompted for approval, instead of saying Full Permission for a -jp option of low.

For a list of all the permissions and their respective variables, see Microsoft's reference: Java Permissions .INI Values Reference. Also, their Sample Permissions .INI File serves as a good resource.

Once you've generated the .INI file, replace the permission level (low above) with the .INI filename when you run signcode. Then, when the applet is loaded from the newly signed CAB file, Internet Explorer will show a much smaller prompt.

The piniedit tool, available with the 2.01+ SDK, can help you create the .INI file. It was not available with the 2.0 SDK.
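
The signature and permission level control what the CAB is allowed to do, but ReadFileIE still opens whatever path the page's filename parameter supplies. The following added example (not part of the original article; ParamPathCheck, resolveUnder and the directory used are assumptions for illustration) confines that parameter to one directory before the file is opened:

```java
import java.io.File;
import java.io.IOException;

// Added example, not from the original article. ParamPathCheck, resolveUnder
// and the directory names are assumptions made for illustration.
public class ParamPathCheck {

  // Returns the canonical file for 'requested' if it resolves to a location
  // inside 'baseDir'; throws IOException for anything else.
  public static File resolveUnder(String baseDir, String requested)
      throws IOException {
    if (requested == null || requested.length() == 0) {
      throw new IOException("no filename parameter supplied");
    }
    if (new File(requested).isAbsolute()) {
      throw new IOException("absolute paths are not accepted");
    }
    String basePath = new File(baseDir).getCanonicalPath();
    // getCanonicalPath() collapses "." and ".." before the comparison
    String candidate = new File(basePath, requested).getCanonicalPath();
    String prefix = basePath.endsWith(File.separator)
        ? basePath : basePath + File.separator;
    if (!candidate.startsWith(prefix)) {
      throw new IOException("filename parameter resolves outside " + basePath);
    }
    return new File(candidate);
  }

  public static void main(String[] args) {
    // Constructed sample inputs; the temp directory stands in for the
    // single directory the applet is meant to read from.
    String base = System.getProperty("java.io.tmpdir");
    String[] samples = {
      "notes.txt",
      "reports" + File.separator + "q1.txt",
      ".." + File.separator + "other.txt",
      new File(base).getAbsolutePath()
    };
    for (int i = 0; i < samples.length; i++) {
      try {
        System.out.println("accepted: " + resolveUnder(base, samples[i]));
      } catch (IOException e) {
        System.out.println("rejected: " + samples[i] + " (" + e.getMessage() + ")");
      }
    }
  }
}
```

In ReadFileIE.init(), the result of resolveUnder would be passed to the FileReader constructor in place of the raw parameter string. A custom permissions .INI that grants file access only to the same directory gives a second, independent limit.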