是什么阻止 Java 使用多种签名算法验证签名的 jar [英] What prevents Java from verifying signed jars with multiple signature algorithms
问题描述
背景简介:我们发布了一个 webstart 应用程序,其中包括我们自己的应用程序 jar 和众多第三方 jar.Webstart 要求 jnlp 文件引用的所有分布式 jar 都由单个证书签名.因此,我们使用自签名证书对所有 jar(我们的 jar 和第三方 jar)进行签名.一些第三方 jar 已经由生产它们的一方签名,但我们只是再次签名,这很好用.直到现在.
Quick background: We release a webstart application, which includes our own application jars and numerous third-party jars. Webstart requires that all distributed jars referred to by the jnlp file be signed by a single certificate. We therefore sign all jars (our jars and the third-party jars) using a self-signed certificate. Some third-party jars are already signed by the party which produced them, but we just sign them again, and this works fine. Until now.
问题:我们最近从 Java 6 迁移到 Java 7,突然 webstart 拒绝加载一些 jar,抱怨:无效的 SHA1 签名文件摘要".这只发生在某些 jar 中,而其他 jar 不会发生,并且在那些失败的 jar 中出现的共同线索似乎是具有多个签名.
Problem: We recently moved from Java 6 to Java 7, and suddenly webstart is refusing to load some jars, complaining: "Invalid SHA1 signature file digest". This only happens for some jars and not others, and the common thread appears among those jars that fail appears to be having multiple signatures.
在 S.O. 上四处搜寻后在互联网上,Java jarsigner 的默认签名算法似乎在 Java 6 和 Java 7 之间发生了变化,从 SHA1 到 SHA256,并且很多人都建议使用jarsigner -digestalg SHA1"来解决验证问题.我试过了,果然我们的多重签名 jars 现在验证了.所以这似乎是解决我们问题的方法.
After searching around on S.O. and the internet, it appears that the default signature algorithm for Java's jarsigner has changed between Java 6 and Java 7, from SHA1 to SHA256, and various people are recommending using "jarsigner -digestalg SHA1" to work around verification issues. I tried that, and sure enough our multiply-signed jars now verify. So this appears to be a workaround for our issue.
据我所知,第三方签名似乎是 SHA1 签名,而我们使用的是默认签名 - SHA256 - 导致签名混合.当我使用-digestalg"开关强制 SHA1 时,我们有两个相同类型的签名,并且验证现在可以工作.因此,问题似乎是由具有不同算法的多个签名引起的?或者是我遗漏了其他一些因素.
From what I can gather, it appears that the third-party signature is a SHA1 signature, and we were signing with the default -- SHA256 -- resulting in a mixing of signatures. When I force SHA1 using the '-digestalg' switch, we have two signatures of the same type, and verification now works. So it seems the problem is caused by having multiple signatures with different algorithms? Or is there some other factor I'm missing.
问题:
- 为什么用SHA1+SHA256验证失败,用SHA1+SHA1验证?有技术原因吗?安全策略原因?为什么不能验证两个签名是否正确?
- 我们使用(继续使用)SHA1 而不是现在默认的 SHA256 有什么缺点吗?
推荐答案
与其自己重新对第三方 jar 进行签名,您还可以为每个引用相关 jar 文件的第三方签名者创建一个单独的 JNLP 文件,然后使用
Rather than re-signing the third party jars yourself, you can create a separate JNLP file for each third-party signer that refers to the relevant jar files, then have your main JNLP depend on these using the <extension> element. The restriction that all JAR files must be signed by the same signer only applies within one JNLP, each extension can have a different signer.
否则,您可以在添加自己的签名之前去除第三方签名(通过在没有 META-INF/*.{SF,DSA,RSA} 的情况下重新打包)
Failing that, you could strip out the third party signatures before adding your own (by repacking them without META-INF/*.{SF,DSA,RSA})
这篇关于是什么阻止 Java 使用多种签名算法验证签名的 jar的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
