Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do I force jarsign to sign jarfiles?

Our product is halted at Java version 1.5.0_13 and we would like to upgrade. Our software deploys a large number of jars via Java Web Start; all of these jars must be signed. However, a couple of the jars do not contain class files, and starting with Java version 1.5.0_14, it appears that the jarsign utility chooses not to sign any jar that does not contain class files.

What can I do to force jarsign to sign these jars? Or what can I do to distribute these jars through Java Web Start without signing them? And is there anywhere where this change to jarsign with versions 1.5.0_14 and above is documented? I can't find it in the release notes.

like image 506
skiphoppy Avatar asked Dec 08 '22 07:12

skiphoppy


1 Answers

I'm not able to verify that there is any problem. Can you look through and see what might be different in your environment? I'm running on Windows 7 RC.

Let's check the version:

C:\temp>java -version
java version "1.5.0_14"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_14-b03)
Java HotSpot(TM) Client VM (build 1.5.0_14-b03, mixed mode, sharing)

Let's see what'll be in our jar:

C:\temp>dir /s /b com
C:\temp\com\rdc
C:\temp\com\rdc\test
C:\temp\com\rdc\test\logging.properties

Let's make the jar:

C:\temp>jar -cfv test-source.jar com/*
added manifest
adding: com/rdc/(in = 0) (out= 0)(stored 0%)
adding: com/rdc/test/(in = 0) (out= 0)(stored 0%)
adding: com/rdc/test/logging.properties(in = 13) (out= 15)(deflated -15%)

Let's sign the jar: I'm using a self-signed certificate.

C:\temp>jarsigner -signedjar test-dest.jar test-source.jar vinay
Enter Passphrase for keystore:

Warning: The signer certificate will expire within six months.

Let's see what's in our signed jar:

C:\temp>jar tvf test-dest.jar
   155 Wed Jul 15 23:39:12 BST 2009 META-INF/MANIFEST.MF
   276 Wed Jul 15 23:39:12 BST 2009 META-INF/VINAY.SF
  1130 Wed Jul 15 23:39:12 BST 2009 META-INF/VINAY.DSA
     0 Wed Jul 15 23:37:18 BST 2009 META-INF/
     0 Wed Jul 15 19:44:44 BST 2009 com/rdc/
     0 Wed Jul 15 19:44:58 BST 2009 com/rdc/test/
    13 Wed Jul 15 23:37:10 BST 2009 com/rdc/test/logging.properties

OK, it certainly appears to have been signed, and it has no classes. Let's look at the contents of MANIFEST.MF:

Manifest-Version: 1.0
Created-By: 1.5.0_14 (Sun Microsystems Inc.)

Name: com/rdc/test/logging.properties
SHA1-Digest: Ob/S+a7TLh+akYGEFIDugM12S88=

And the contents of VINAY.SF:

Signature-Version: 1.0
Created-By: 1.5.0_14 (Sun Microsystems Inc.)
SHA1-Digest-Manifest-Main-Attributes: 4bEkze9MHmgfBoY+fnoS1V9bRPs=
SHA1-Digest-Manifest: YB8QKIAQPjEYh8PkuGA5G8pW3tw=

Name: com/rdc/test/logging.properties
SHA1-Digest: qXCyrUvUALII7SBNEq4R7G8lVQQ=

Now, let's verify the jar:

C:\temp>jarsigner -verify -verbose test-dest.jar

         155 Wed Jul 15 23:51:34 BST 2009 META-INF/MANIFEST.MF
         276 Wed Jul 15 23:51:34 BST 2009 META-INF/VINAY.SF
        1131 Wed Jul 15 23:51:34 BST 2009 META-INF/VINAY.DSA
           0 Wed Jul 15 23:37:18 BST 2009 META-INF/
           0 Wed Jul 15 19:44:44 BST 2009 com/rdc/
           0 Wed Jul 15 19:44:58 BST 2009 com/rdc/test/
smk       13 Wed Jul 15 23:37:10 BST 2009 com/rdc/test/logging.properties

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

Warning: This jar contains entries whose signer certificate will expire within
six months. Re-run with the -verbose and -certs options for more details.

On the face of it, everything appears to be in order. Can you check if your certificates have expired, or been revoked? Are you using self-signed certs or real certs? Or have I misunderstood what your problem is?

like image 131
Vinay Sajip Avatar answered Dec 20 '22 05:12

Vinay Sajip