Signing a jar file with trusted certificate for JWS deployment

Question

I've developed an open source program, WPCleaner, which is distributed through Java Web Start. Current version is available at http://site4145.mutu.sivit.org/WikiCleaner/WikiCleaner.jnlp

With the recent updates in Java, it becomes more and more difficult to deploy Java applications through Java Web Start when you need the application to have a few permissions (writing in the preferences, accessing other web sites, ...)

My application was self-signed, which was ok before but new updates require users to accept the application every time they run it, not just once and for all if they wish. So, I decided to use a trusted certificate for signing my application.

I got one from Certum (apparently, they're free for open source developers), following this discussion: Code signing certificate for open-source projects?

I've generated a new jar file, signed with this certificate (jar file available at http://site4145.mutu.sivit.org/WikiCleaner/WikipediaCleanerTest.jar), but I still have problems: when I start the application through JWS, Java still displays a warning window not letting me trust the application once and for all. Editor is still displayed as UNKNOWN, but when I look in the details of the message, it's my new certificate from Centrum that's being used.

Does anyone have an idea on what I'm doing wrong? I thought that having a certificate from a trusted CA (Centrum seems to be in Java cacerts) would allow users to accept the certificate once and for all.

Thanks

PS: When I run jarsigner -verify, I get the following warning "This jar contains entries whose certificate chain is not validated."

Recommended answer

I think I finally managed to do it following this procedure:

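  • Installed the certificate provided by Certum in Chrome through their web site interface
  • Exported the private key from Chrome as a .pfx (Settings, Manage certificates, Export, Export private key, PKCS#12, ...)
  • Used KeyTool GUI (a Java front-end GUI for keytool) to create a complete p12: imported the Certum root certificate as a trusted certificate, imported the intermediate certificate as a trusted certificate, imported my .pfx as a key pair
  • Signed the jar with this p12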

Seems to work for me, I'm waiting for other users' feedback to be sure that it works for them also.

I tried again to export the certificate from Chrome, and I saw that there's an option to include the certificate chain in the export. When doing this, I don't even need to use the KeyTool GUI afterwards. I've redeployed the test version signed with this new p12:

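  • Installed the certificate provided by Certum in Chrome through their web site interface
  • Exported the private key from Chrome as a .pfx (Settings, Manage certificates, Export, Export private key, PKCS#12 + include the certificate chain, ...)
  • Signed the jar with this p12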
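
Added example, not part of the original answer: a pre-signing check that the exported .p12 actually carries the CA chain (the difference between the two exports described above), followed by the sign and verify commands. File names, the alias and the sample listing are placeholders constructed for illustration, and the parser assumes keytool's English output.

```shell
#!/bin/sh
# Added example; jar, keystore and alias names are placeholders, not values
# from the post.

# Read `keytool -list -v` output on stdin and print "<alias> <chain length>"
# for every private-key entry. Returns 1 if any entry holds only the leaf
# certificate (length 1). For a CA-issued certificate that means the
# intermediate and root certificates were left out of the export.
chain_report() {
    LC_ALL=C awk '
        /^Alias name: /               { alias = substr($0, 13) }
        /^Certificate chain length: / { n = $NF + 0; print alias, n
                                        if (n < 2) bad = 1 }
        END                           { exit bad + 0 }
    '
}

# Inspect a PKCS#12 file before signing (keytool prompts for the password).
# -J-Duser.language=en keeps the labels in English so chain_report can match.
inspect_p12() {   # usage: inspect_p12 signing.p12
    keytool -J-Duser.language=en -list -v -storetype PKCS12 -keystore "$1" |
        chain_report
}

# Sign the jar, then verify it. -verbose -certs prints the signer certificate
# details for each entry, so the certificates embedded in the jar can be
# compared with what inspect_p12 reported.
sign_and_verify() {   # usage: sign_and_verify app.jar signing.p12 alias
    jarsigner -storetype PKCS12 -keystore "$2" "$1" "$3" &&
        jarsigner -verify -verbose -certs "$1"
}

# Constructed sample of the relevant part of a `keytool -list -v` listing.
sample_listing() {   # usage: sample_listing <alias> <chain length>
    printf 'Alias name: %s\nEntry type: PrivateKeyEntry\n' "$1"
    printf 'Certificate chain length: %s\nCertificate[1]:\n' "$2"
}

# Demo on the constructed sample: prints "demo 3".
sample_listing demo 3 | chain_report
```

A chain length of 1 is normal for a self-signed certificate; for a certificate issued by a CA it means the keystore needs the intermediate and root certificates added before signing.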
