Signing a jar file with trusted certificate for JWS deployment

Problem description

I've developed an open source program, WPCleaner, which is distributed through Java Web Start. Current version is available at http://site4145.mutu.sivit.org/WikiCleaner/WikiCleaner.jnlp

With the recent updates in Java, it becomes more and more difficult to deploy Java applications through Java Web Start when you need the application to have a few permissions (writing in the preferences, accessing other web sites, ...)

My application was self-signed, which was ok before but new updates require users to accept the application every time they run it, not just once and for all if they wish. So, I decided to use a trusted certificate for signing my application.

I got one from Certum (apparently, they're free for open source developers), following this discussion: Code signing certificate for open-source projects?

I've generated a new jar file, signed with this certificate (jar file available at http://site4145.mutu.sivit.org/WikiCleaner/WikipediaCleanerTest.jar), but I still have problems: when I start the application through JWS, Java still displays a warning window not letting me trust the application once and for all. Editor is still displayed as UNKNOWN, but when I look in the details of the message, it's my new certificate from Certum that's being used.

Does anyone have an idea on what I'm doing wrong? I thought that having a certificate from a trusted CA (Certum seems to be in Java cacerts) would allow users to accept the certificate once and for all.

Thanks

PS: When I run jarsigner -verify, I get the following warning "This jar contains entries whose certificate chain is not validated."

Recommended answer

I think I finally managed to do it following this procedure:


  • Installed the certificate provided by Certum in Chrome through their web site interface
  • Exported the private key as a .pfx from Chrome (Settings, Manage certificates, Export, Export the private key, PKCS#12, ...)
  • Used KeyTool GUI (Java front-end GUI for keytools) to create a complete p12: imported Certum root certificate as a trusted certificate, imported intermediate certificates as trusted certificates, imported my .pfx as a key pair
  • Signed the jar with this p12

Seems to work for me, I'm waiting for other users feedback to be sure that it works for them also.

Edit: I tried again to export the certificate from Chrome, and I saw that there's an option to include the certificate chain in the export. When doing this, I don't even need to use the KeyTool GUI afterwards. I've redeployed the test version signed with this new p12:


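  • Installed the certificate provided by Certum in Chrome through their web site interface
  • Exported the private key as a .pfx from Chrome (Settings, Manage certificates, Export, Export the private key, PKCS#12 + include the certificate chain, ...)
  • Signed the jar with this p12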
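
A check that goes with the procedure above (added example, not part of the original answer): it reads `keytool -list -v` output and confirms that the key entry in the p12 carries its chain up to a self-signed root before `jarsigner` is run. The alias and file names, the `STOREPASS` variable and the English-language keytool output are assumptions.

```shell
# Added example, not from the original post; alias and file names are hypothetical.
# Reads `keytool -list -v` text on stdin; prints "<alias> <length> <status>"
# per key entry. "complete": each Issuer equals the next Owner and the last
# certificate is self-signed. Trusted-cert entries (no "Certificate[n]:") are skipped.
chain_report() {
  awk '
    function emit() {
      if (alias != "" && n > 0) {
        ok = (owner[n] == issuer[n])
        for (i = 1; i < n; i++) if (issuer[i] != owner[i + 1]) ok = 0
        print alias, n, (ok ? "complete" : "incomplete")
      }
      n = 0
    }
    /^Alias name: /           { emit(); alias = substr($0, 13) }
    /^Certificate\[[0-9]+\]:/ { n++ }
    /^Owner: /                { owner[n] = substr($0, 8) }
    /^Issuer: /               { issuer[n] = substr($0, 9) }
    END                       { emit() }
  '
}
# Usage: export STOREPASS first, then: sign_with_full_chain store.p12 alias app.jar
# The password is passed by environment variable so it stays out of the process list.
sign_with_full_chain() {
  state=$(keytool -J-Duser.language=en -list -v -keystore "$1" \
            -storetype PKCS12 -storepass:env STOREPASS |
          chain_report | awk -v a="$2" '$1 == a { print $3 }')
  [ "$state" = "complete" ] || { echo "incomplete chain: $2" >&2; return 1; }
  jarsigner -keystore "$1" -storetype PKCS12 -storepass:env STOREPASS "$3" "$2" &&
    jarsigner -verify -verbose -certs "$3"
}
# Constructed sample of keytool output, abridged to the lines parsed above.
sample_listing() {
  cat <<'EOF'
Alias name: leaf-only
Certificate[1]:
Owner: CN=Example Developer
Issuer: CN=Example Intermediate CA
Alias name: full-chain
Certificate[1]:
Owner: CN=Example Developer
Issuer: CN=Example Intermediate CA
Certificate[2]:
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA
Certificate[3]:
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
EOF
}
```

Running `sample_listing | chain_report` shows the leaf-only entry reported as incomplete, which is the state of a p12 exported without the certificate chain.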
