签署 Java 桌面应用程序 [英] Signing Java desktop application

问题描述

我使用 Swing (myProg.jar) 制作了一个 Java 桌面应用程序.我目前将我的应用程序打包为 .app 供我的 Mac 用户使用，我使用 InnoSetup 为我的 Windows 用户创建一个 setup.exe 文件.我还提供了一个 myProg.exe 包装器来启动 myProg.jar.

I made a Java desktop application using Swing (myProg.jar). I currently package my application as .app for my Mac users, and I use InnoSetup to make a setup.exe file for my Windows users. I also provide a myProg.exe wrapper to launch myProg.jar.

现在，为了从我的用户计算机上摆脱 SmartScreen 和其他保护，我认为我需要对我的应用程序进行签名.但我读得越多，我就越觉得它很混乱.

Now, to get rid of SmartScreen and other protections from my users computers, I think that I need to sign my application. But the more I read about it, the more confusing it seems to me.

谁能帮我澄清以下几点?

Can anyone clarify some of the following points for me?

1) 我到底需要什么样的证书?有没有办法让它免费或至少便宜?

1) What kind of certificate do I need exactly? Is there anyway to make it free or at least cheap?

2) 我需要准确签署什么?我应该签署 myProg.jar 文件，即 .app 文件吗?安装程序.exe?myProg.exe 包装器?都是吗?

2) What do I need to sign exactly? Should I sign the myProg.jar file, the .app file? The setup.exe? The myProg.exe wrapper? All of them?

3) 已解决 - 当我更新我的程序并将 myProg.jar 替换为新版本的 myProg.jar 时，它会如何工作?

3) Solved - How will it work when I will update my program and replace myProg.jar by a new version of myProg.jar?

非常感谢！

推荐答案

您的 JDK 应该包含名为 jarsigner 的工具.此工具可让您免费签署 jar 文件.

Your JDK should include tool called jarsigner. This tool lets you sign jar files for free.

1) 您用于签名的密钥需要在 java 密钥库中(默认为 .keystore) 您可以将密钥从 .der 格式导入到您的密钥库中.

1) The key you are using for signature need to be in java keystore (default .keystore) You can import keys to your keystore from .der format.

2) 您只能对 .jar 文件进行签名

2) You can only sign .jar files

3) 它只会用新签名的文件覆盖旧文件.就像简单的复制一样.不会执行签名验证，除非您的安装人员这样做.

3) It will just overwrite old file with new signed one. Just like simple copy. No signature verification will be performed, unless your installer does so.

此外，并非每个签名都相同.例如，如果您正在尝试注册加密提供程序，则需要由 Oracle 签名的签名才能在 Oracle JVM 上运行它.看:https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html#Step6

Furthermore not every signature is the same. If you are for example trying to register crypto provider, then the signature signed by Oracle will be necessary to run it on Oracle JVM. see: https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html#Step6

示例:

生成密钥:

keytool -genkey -keyalg RSA -alias key_alias -keystore mystore.keystore -keysize 2048

签署jar:

jarsigner -keystore mystore.keystore -tsa http://tsa.safecreative.org MyJARFile.jar key_alias_from_keystore

验证签名:

jarsigner -verify jar-file

我不确定这是否能解决我们的问题.总的来说，您需要做的是 sign os 可执行文件.在这种情况下 .exe 和 .app

I'm not sure this will solve our problem. Overall what you need to do is the sign os executable. In this case .exe and .app

一种可能的解决方案是对应用程序包装器的可执行文件进行签名(在 Windows .exe 的情况下).为此，请参阅:https://msdn.microsoft.com/en-我们/图书馆/aa387764.aspx

A possible solution is to sign the executable of your app wrapper(in case of windows .exe). To do so, see: https://msdn.microsoft.com/en-us/library/aa387764.aspx

如果您使用的是基于 Unix 的系统，我会尝试运行 Mono 的签名工具.请参阅有关signcode"的单声道文档(我无法提供链接，代表不够)

In you are using Unix based system I would try to run Mono's sign tool. see mono doc on "signcode" (I can not provide link, not enough rep)

这应该消除未知发布者"消息，但除非您可以让操作系统开发人员签署您的证书，否则将向用户显示一些消息.

This should get rid of "Unknown Publisher" message, but unless you can get OS developer to sign your certificate some message will be shown to the user.

这篇关于签署 Java 桌面应用程序的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！