Running a Java application with a verified digital signature is generally a pretty safe operation. Odds are you will indeed want to “always trust content from this publisher,” and once you indicate as much, the prompt disappears. The question is, how do we prevent it from occurring at all?
Technically speaking, there isn’t a way to suppress it. That is, you can’t configure Java to run these verified applications automatically, whether through the registry, group policy, or otherwise. However, that is not to say we can’t hide the prompt from users anyway; it’s just a matter of addressing the condition that invokes it. Essentially, we have to tell the machine to “always trust content from this publisher” in advance. It doesn’t suppress the prompt so much as it pre-answers it, and it unfortunately means you have to account for every Java application used in your environment, but the endgame is the same.
The first thing we need to do is acquire the application publisher’s certificate. If you are currently using a machine that does not prompt you when you run the application in question, skip this step.
If, however, you are using a machine which will prompt you as soon as you run the application, go ahead and make the prompt appear. Ensuring the aforementioned box is ticked, choose Run. The certificate is now stored accordingly.
Now open your Java Control Panel (the fastest way is to right-click the tray icon, which appears when any Java application is running). Navigate to the Security tab and click the Certificates… button. Identify the cert that you just stored and click Export to save it to disk. Make sure you save it as a .cer file.
Alternatively, if you skipped step #1 and you do not see the certificate on that page, you can open a command prompt as an administrator and run certmgr. From there, navigate to the Trusted Publishers/Certificates store on the left, right-click the respective cert and choose All Tasks > Export. The default values in the Wizard are all fine; just choose where you want to save it.
Now it’s just a matter of storing the certificate for future use. You can either import the cert manually on a master image or individual endpoint, or put the cert on a network share and store it dynamically with a logon script or with AppSense. To store the certificate, you can simply right-click the file and choose Install Certificate, or if you want to use the command line, you can install it with the following command:
certutil -addstore -f "TrustedPublisher" C:\path\to\yourcert.cer
That’s it! Again, remember that you will need to do this for every application for which you want to suppress the prompt. The same methodology can likely be applied to certificates which are not verified, but that’s a security risk you may not want to consider. Let me know if you find a way to actually suppress the prompt as opposed to just working around it, or if I lost you somewhere.
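If you go the logon-script route, it is worth checking the file on the share before trusting it, since anything placed in Trusted Publishers is pre-approved for every user of the machine. The script below is an added example, not part of the original procedure: it pins the certificate by thumbprint, checks its validity dates, skips the import if the cert is already present, and then runs the same certutil command. The share path and the thumbprint are placeholders you must fill in, and refusing an expired certificate is a policy choice made for this example.

```powershell
# Added example: verify the exported publisher cert before trusting it.
# $CerPath and $ExpectedThumbprint are placeholders (assumptions, not from the article).
param(
    [string]$CerPath            = '\\fileserver\certs\yourcert.cer',
    [string]$ExpectedThumbprint = '<THUMBPRINT-OF-THE-CERT-YOU-EXPORTED>'
)

$ErrorActionPreference = 'Stop'

# Load the exported .cer (public certificate only, no private key).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath

# 1. Accept only the exact certificate that was reviewed and exported.
#    Thumbprints copied from the certificate dialog often contain spaces.
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch for ${CerPath}: got $($cert.Thumbprint)"
}

# 2. Policy choice for this example: refuse a cert outside its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate '$($cert.Subject)' is only valid $($cert.NotBefore) to $($cert.NotAfter)"
}

# 3. Skip the import if the machine's Trusted Publishers store already has it.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'LocalMachine')
$store.Open('ReadOnly')
try {
    $present = $store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
} finally {
    $store.Close()
}
if ($present) {
    Write-Output "Already trusted: $($cert.Subject)"
    return
}

# 4. Same command as above. Without -user, certutil writes to the local
#    machine store, so the script must run elevated.
& certutil.exe -addstore -f 'TrustedPublisher' $CerPath
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }
Write-Output "Added to Trusted Publishers: $($cert.Subject) [$($cert.Thumbprint)]"
```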