Our product is halted at Java version 1.5.0_13 and we would like to upgrade. Our software deploys a large number of jars via Java Web Start; all of these jars must be signed. However, a couple of the jars do not contain class files, and starting with Java version 1.5.0_14, it appears that the jarsign utility chooses not to sign any jar that does not contain class files.
What can I do to force jarsign to sign these jars? Or what can I do to distribute these jars through Java Web Start without signing them? And is there anywhere where this change to jarsign with versions 1.5.0_14 and above is documented? I can't find it in the release notes.
I'm not able to verify that there is any problem. Can you look through and see what might be different in your environment? I'm running on Windows 7 RC.
Let's check the version:
C:\temp>java -version java version "1.5.0_14" Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_14-b03) Java HotSpot(TM) Client VM (build 1.5.0_14-b03, mixed mode, sharing)
Let's see what'll be in our jar:
C:\temp>dir /s /b com C:\temp\com\rdc C:\temp\com\rdc\test C:\temp\com\rdc\test\logging.properties
Let's make the jar:
C:\temp>jar -cfv test-source.jar com/* added manifest adding: com/rdc/(in = 0) (out= 0)(stored 0%) adding: com/rdc/test/(in = 0) (out= 0)(stored 0%) adding: com/rdc/test/logging.properties(in = 13) (out= 15)(deflated -15%)
Let's sign the jar: I'm using a self-signed certificate.
C:\temp>jarsigner -signedjar test-dest.jar test-source.jar vinay Enter Passphrase for keystore: Warning: The signer certificate will expire within six months.
Let's see what's in our signed jar:
C:\temp>jar tvf test-dest.jar 155 Wed Jul 15 23:39:12 BST 2009 META-INF/MANIFEST.MF 276 Wed Jul 15 23:39:12 BST 2009 META-INF/VINAY.SF 1130 Wed Jul 15 23:39:12 BST 2009 META-INF/VINAY.DSA 0 Wed Jul 15 23:37:18 BST 2009 META-INF/ 0 Wed Jul 15 19:44:44 BST 2009 com/rdc/ 0 Wed Jul 15 19:44:58 BST 2009 com/rdc/test/ 13 Wed Jul 15 23:37:10 BST 2009 com/rdc/test/logging.properties
OK, it certainly appears to have been signed, and it has no classes. Let's look at the contents of MANIFEST.MF
:
Manifest-Version: 1.0 Created-By: 1.5.0_14 (Sun Microsystems Inc.) Name: com/rdc/test/logging.properties SHA1-Digest: Ob/S+a7TLh+akYGEFIDugM12S88=
And the contents of VINAY.SF
:
Signature-Version: 1.0 Created-By: 1.5.0_14 (Sun Microsystems Inc.) SHA1-Digest-Manifest-Main-Attributes: 4bEkze9MHmgfBoY+fnoS1V9bRPs= SHA1-Digest-Manifest: YB8QKIAQPjEYh8PkuGA5G8pW3tw= Name: com/rdc/test/logging.properties SHA1-Digest: qXCyrUvUALII7SBNEq4R7G8lVQQ=
Now, let's verify the jar:
C:\temp>jarsigner -verify -verbose test-dest.jar 155 Wed Jul 15 23:51:34 BST 2009 META-INF/MANIFEST.MF 276 Wed Jul 15 23:51:34 BST 2009 META-INF/VINAY.SF 1131 Wed Jul 15 23:51:34 BST 2009 META-INF/VINAY.DSA 0 Wed Jul 15 23:37:18 BST 2009 META-INF/ 0 Wed Jul 15 19:44:44 BST 2009 com/rdc/ 0 Wed Jul 15 19:44:58 BST 2009 com/rdc/test/ smk 13 Wed Jul 15 23:37:10 BST 2009 com/rdc/test/logging.properties s = signature was verified m = entry is listed in manifest k = at least one certificate was found in keystore i = at least one certificate was found in identity scope jar verified. Warning: This jar contains entries whose signer certificate will expire within six months. Re-run with the -verbose and -certs options for more details.
On the face of it, everything appears to be in order. Can you check if your certificates have expired, or been revoked? Are you using self-signed certs or real certs? Or have I misunderstood what your problem is?
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With