jarsigner -verify works in Java 6 but not Java 7

Problem description

I've been banging my head against this for a few days and am completely stumped. Here's the rundown:

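  1. I have an Eclipse plugin project that is built with Maven 3 using Tycho
  2. In Maven, I have set up the maven-jarsigner-plugin to sign jars using my keystore (see below for details about the keystore)
  3. I have a code signing cert signed by Thawte in my keystore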

I can take any signed jar file from target/* and run 'jarsigner -verify' on it. This is what happens:

#java 6 on a VM
vagrant@test2:/vagrant/com.example.plugins.eclipse/target$ jarsigner -verify com.example.eclipse-0.1.3-SNAPSHOT.jar
jar verified.

Next:

#java 7 on a completely different vm
vagrant@test1:/vagrant$ jarsigner -verify com.example.eclipse-0.1.3-SNAPSHOT.jar
jar verified.

Warning:
This jar contains entries whose certificate chain is not validated.

Re-run with the -verbose and -certs options for more details.

I've taken care not to use a machine with both Java6 and Java7 installed, so it's not this issue

I also don't believe it's algorithm based, as described in this issue, since I can sign the project using either Java 6 or Java 7 and it always verifies in Java6 and never verifies in Java7, regardless of which environment I signed the jars with.

Here is keytool -list:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Aug 11, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81
intermediate, Aug 11, 2013, trustedCertEntry,

I have to believe that this is a certificate chain issue because I am able to verify the jar using the following command on Java 7:

jarsigner -verify -keystore keystore com.example.eclipse-0.1.3-SNAPSHOT.jar

Obviously I can't have every user of my plugin using my keystore file, so that's not a solution. It does, however, reinforce that I have a cert chain issue in Java 7. Thoughts?

Recommended answer

Months later I happened to figure out the answer to my own question. For anyone else with the same issue, here is what I did:

  1. Convert your existing private key and the CA signed cert into a pkcs12 format (this is required since Java's keytool doesn't allow the direct importation of these items). This can be accomplished in a single openssl command:

openssl pkcs12 -export -name signing -in signing.cert -inkey myPrivateKey.key -out keystore.p12

Where signing is the name of my pkcs12 keystore, signing.cert is my CA supplied signed cert, and (obviously) myPrivateKey.key is my private key that was used to sign the Cert Request.

  2. Import this newly created keystore into a Java keystore:

keytool -importkeystore -destkeystore keystore -srckeystore keystore.p12 -srcstoretype pkcs12 -alias signing

  3. Import your CA's Java cert into the keystore. I'm not exactly sure what magic this does but without it the cert chain isn't followed (even when manually adding intermediate certs). This cert is usually provided via the email where your signing cert arrived in. For our purposes it's called signing.pkcs7.

    keytool -importcert -file signing.pkcs7 -keystore keystore -v -alias signing
    

    You'll have to enter the keystore password you used when creating the Java keystore.

  4. Use the maven-jarsigner-plugin (or whatever automation is required) to sign your projects during build.
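
A check for the condition the answer's third step changes, as an added example that is not part of the original answer: jarsigner embeds the certificate chain stored with the signing key entry, so this script reads `keytool -list -v` output and flags a key entry that carries fewer than two certificates. The sample listings are constructed and the function names are hypothetical; that the question's key entry held only the leaf certificate is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `keytool -list -v` text on
# stdin and checks that a signing alias carries its CA chain.

# Print "<entry type> <chain length>" for alias $1 (length 0 if not reported).
entry_summary() {
    awk -v want="$1" '
        /^Alias name: / { cur = substr($0, 13); next }
        cur != want     { next }
        /^Entry type: / { kind = substr($0, 13) }
        /^Certificate chain length: / { len = $4 }
        END { if (kind == "") exit 1; print kind, len + 0 }'
}

# Exit 0 only if alias $1 is a PrivateKeyEntry with at least $2 certificates
# (default 2: the signing cert plus at least one CA cert).
check_signing_chain() {
    summary=$(entry_summary "$1") || { echo "$1: alias not found"; return 2; }
    kind=${summary% *}; len=${summary##* }
    [ "$kind" = "PrivateKeyEntry" ] || { echo "$1: $kind, not a key entry"; return 2; }
    if [ "$len" -lt "${2:-2}" ]; then
        echo "$1: chain length $len, CA certs are not attached to the key"
        return 1
    fi
    echo "$1: chain length $len"
}

# Constructed keytool output (assumed layout): CA certs only as separate
# trusted entries, key entry holding the leaf certificate alone.
sample_before() {
    printf '%s\n' 'Alias name: root' 'Entry type: trustedCertEntry' '' \
        'Alias name: intermediate' 'Entry type: trustedCertEntry' '' \
        'Alias name: signing' 'Entry type: PrivateKeyEntry' \
        'Certificate chain length: 1' 'Certificate[1]:'
}

# Constructed keytool output after the CA's PKCS#7 reply is imported under
# the key's own alias: the chain is stored with the key entry.
sample_after() {
    printf '%s\n' 'Alias name: signing' 'Entry type: PrivateKeyEntry' \
        'Certificate chain length: 3' 'Certificate[1]:'
}

sample_before | check_signing_chain signing || true
sample_after  | check_signing_chain signing
```

Against a real keystore, pipe `keytool -list -v -keystore keystore -alias signing` into `check_signing_chain signing` before running the signing build.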
