jarsigner: This jar contains entries whose certificate chain is not validated

Set*_*eth 45 java jarsigner

I am trying to sign a JAR file using JDK 1.7u1. We obtained a GoDaddy Code Signing certificate, and I followed the instructions (Method 1) here: http://help.godaddy.com/article/4780

The JAR signs fine, but whenever I try to run the command jarsigner -verify on the JAR I signed with JDK 1.7u1, I get the following output:

s        180 Mon Dec 05 10:24:32 EST 2011 META-INF/MANIFEST.MF

      [entry was signed on 12/5/11 10:24 AM]
      X.509, CN=Removed Company Name, O=Removed Company Name, L=Removed City, ST=Removed State, C=US
      [certificate is valid from 12/2/11 4:30 PM to 12/2/13 4:30 PM]
      X.509, SERIALNUMBER=00000000, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
      [certificate is valid from 11/15/06 8:54 PM to 11/15/26 8:54 PM]
      X.509, OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
      [certificate is valid from 6/29/04 1:06 PM to 6/29/34 1:06 PM]
      [CertPath not validated: null]

         342 Mon Dec 05 10:24:34 EST 2011 META-INF/JAVACSC.SF
        6180 Mon Dec 05 10:24:34 EST 2011 META-INF/JAVACSC.RSA
           0 Mon Dec 05 10:24:30 EST 2011 META-INF/
sm      2161 Wed Nov 30 10:23:20 EST 2011 C:/Users/Seth/Desktop/JAR/RunAppSF.class

      [entry was signed on 12/5/11 10:24 AM]
      X.509, CN=Removed Company Name, O=Removed Company Name, L=Removed City, ST=Removed State, C=US
      [certificate is valid from 12/2/11 4:30 PM to 12/2/13 4:30 PM]
      X.509, SERIALNUMBER=00000000, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
      [certificate is valid from 11/15/06 8:54 PM to 11/15/26 8:54 PM]
      X.509, OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
      [certificate is valid from 6/29/04 1:06 PM to 6/29/34 1:06 PM]
      [CertPath not validated: null]


  s = signature was verified 
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

Warning: 
This jar contains entries whose certificate chain is not validated.

I also tried the jarsigner -verify command on the same JAR as above with JDK 1.6u26 and 1.6u14, and it came back fine. (Output from 1.6u26 below.)

         180 Mon Dec 05 10:24:32 EST 2011 META-INF/MANIFEST.MF
         342 Mon Dec 05 10:24:34 EST 2011 META-INF/JAVACSC.SF
        6180 Mon Dec 05 10:24:34 EST 2011 META-INF/JAVACSC.RSA
           0 Mon Dec 05 10:24:30 EST 2011 META-INF/
sm      2161 Wed Nov 30 10:23:20 EST 2011 C:/Users/Seth/Desktop/JAR/RunAppSF.class

      [entry was signed on 12/5/11 10:24 AM]
      X.509, CN=Removed Company Name, O=Removed Company Name, L=Removed City, ST=Removed State, C=US
      [certificate is valid from 12/2/11 4:30 PM to 12/2/13 4:30 PM]
      X.509, SERIALNUMBER=00000000, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
      [certificate is valid from 11/15/06 8:54 PM to 11/15/26 8:54 PM]
      [KeyUsage extension does not support code signing]
      X.509, OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
      [certificate is valid from 6/29/04 1:06 PM to 6/29/34 1:06 PM]


  s = signature was verified 
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

Am I missing an extra step that I need to take to get a properly signed JAR with JDK 1.7?

Ala*_*n P 81

I kept having the same problem; in case it helps someone else, the issue is in how jarsigner finds the keystore.

To fix it:

jarsigner -verify -keystore xxxx.jks mysignedjar.jar

  • Your answer is correct, it must be the perfect answer. Thanks (4 upvotes)

gsb*_*bil 49

You haven't missed anything, and you definitely won't solve this on your own. After nearly 12 hours of struggle, I found that the root of the problem was mixing the JDK 1.7 binaries with an older version of Java, JRE-1.6. To be more precise, keytool comes with the JRE, while the JDK ships both keytool and jarsigner.

So, to solve this, I completely uninstalled JDK-1.7 from my system and installed JDK-1.6 Update 30. Now if I run jarsigner -verify -verbose -certs blah.jar it produces jar verified without any warning, which I believe is what you expect.

  • This solution is terrible... First: it is just a warning. Second: if you really want it to go away, the solution is to tell it where the keystore is by adding -keystore <path to your keystore> to the verify command (33 upvotes)
  • +1 you saved my life, I would never have suspected this (3 upvotes)

Dan*_*ato 19

This is just a warning that you can ignore.

If you really don't want to ignore it, tell jarsigner the location of the keystore when verifying.

jarsigner -verbose -verify -keystore ${KEYSTORE_PATH} ${YOUR_JAR_FILE}

This is just a new feature in JDK 7.

  • A client downloading the JAR will not have access to the keystore path, but will verify via the chain up to the root CA. I.e. you have signed the JAR with a certificate issued by a root CA, and the client cannot verify your certificate directly without the keystore, but it can verify the chain and validate the root CA, because that will be pre-installed in the local client's Java Signer CAs. Verifying against the keystore seems to assume the certificate will be installed on the local client, which it won't be, only the root CA. Does the client still have a problem with the chain? (2 upvotes)

小智 5

I ran into a similar problem with "DigiCert SHA2 Assured ID Code Signing CA". All Oracle Java versions as well as OpenJDK behave the same. DigiCert support redirected me to this page, but none of the instructions here helped me get through the verification process either.

I am trying to sign an applet, so I need it to verify in the browser as well, hence the trick of supplying a keystore path to jarsigner -verify does not apply.

When working with SHA2 rather than SHA1 certificates, the main problem seems to be a bug in keytool, because the same list of steps applied to SHA1 certificates always works and for me never worked with SHA2. It seems to me that keytool fails to detect the "chainability" of the certificates imported into the jks, so jarsigner did not embed the proper certificate chain into the signed jar; only the end certificate was stored in the META-INF/myalias.RSA file instead (which can be verified with openssl pkcs7 -in myalias.RSA -print_certs -inform DER -out certs.crt).

DigiCert suggested "... we sometimes see an issue where the Root was not actually imported correctly or completely the first time, but running the import command pointing at the Root resolves it", even though this didn't help in my case either.

Since there is no way to tell keytool explicitly which certificates are to be in the chain, I decided to build a chain with openssl and import it as follows:

cat TrustedRoot.pem DigiCertCA2.pem my.crt  >chain
openssl pkcs12 -nodes -export -in my.crt  -inkey my.key -out tmp.p12 -name myalias -certfile chain
keytool -importkeystore -destkeystore mykeystore.jks -srckeystore tmp.p12 -srcstoretype PKCS12

After this, mykeystore.jks seemed to contain only my certificate, and neither DigiCertCA2 nor Root according to the keytool -list command, but with -v (verbose) it exposes the chain depth and its certificates:

~/$ keytool  --list --keystore mykeystore.jks  -v|grep -e chain -e Certificate\\[
Enter keystore password:  123456
Certificate chain length: 3
Certificate[1]:
Certificate[2]:
Certificate[3]:

This is what jarsigner needs to sign the jar properly, i.e. embed the proper certificate chain and make the jar verifiable for end browser users as well.
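Added example (not code from the question or from any of the answers): this Java program does what the comment under the previous answer describes a downloading client doing, and what the last answer is trying to make possible. It validates each entry's embedded signer chain (the one jarsigner put into META-INF/*.RSA) against the JRE's default trust store instead of a private keystore, so a jar that carries only its end-entity certificate shows up as NOT VALIDATED here even if jarsigner -verify -keystore reports it as fine. The class name JarChainCheck and the output format are my own; it takes the path of a signed jar as its only argument.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class JarChainCheck { // hypothetical class name, added example
    public static void main(String[] args) throws Exception {
        // Trust anchors: the JRE's default trust store (cacerts), which is all a client has.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate root : ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers())
            anchors.add(new TrustAnchor(root, null));
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // offline check; turn CRL/OCSP checking on in production
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (JarFile jar = new JarFile(args[0], true)) { // verify=true: entry digests are checked on read
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jar.entries())) {
                String n = e.getName().toUpperCase(Locale.ROOT);
                // The manifest and the signature files themselves carry no signer of their own.
                if (e.isDirectory() || n.equals("META-INF/MANIFEST.MF") || n.matches("META-INF/.*\\.(SF|RSA|DSA|EC)")) continue;
                // Signers are only known after the entry has been read to the end.
                try (InputStream in = jar.getInputStream(e)) { while (in.read(buf) != -1) { } }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) { System.out.println("UNSIGNED       " + e.getName()); continue; }
                for (CodeSigner s : signers) {
                    List<X509Certificate> chain = new ArrayList<>();
                    for (Certificate c : s.getSignerCertPath().getCertificates()) chain.add((X509Certificate) c);
                    // PKIX validates up to, not including, the anchor: drop an embedded self-signed root.
                    X509Certificate last = chain.get(chain.size() - 1);
                    if (chain.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) chain.remove(last);
                    try {
                        validator.validate(cf.generateCertPath(chain), params);
                        System.out.println("CHAIN OK       " + e.getName() + " (" + chain.size() + " certs below a trusted root)");
                    } catch (CertPathValidatorException ex) {
                        // A jar whose META-INF/*.RSA holds only the end-entity certificate lands here.
                        System.out.println("NOT VALIDATED  " + e.getName() + ": " + ex.getMessage());
                    }
                }
            }
        }
    }
}
```

Because no validation date is set, the check uses the current time, so certificates that have since expired (like the ones in the question) are reported as NOT VALIDATED as well.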