How do I sign a Java applet using a certificate in my Mac keychain?

I have a self-signed root certificate with just the code signing extension (no other extensions) in my Mac keychain; I use it to sign all code coming out of ∞labs using Apple's codesign tool and it works great.

I was looking to expand myself a little and do some Java development. I know Apple provides a KeyStore implementation that reads from the Keychain, and I can list all certificates I have in the 'chain with:

keytool -list -provider com.apple.crypto.provider.Apple -storetype KeychainStore -keystore NONE -v

However, whenever I try to use jarsigner to sign a simple test JAR file, I end up with:

$ jarsigner -keystore NONE -storetype KeychainStore -providerName Apple a.jar infinitelabs_codesigning_2
Enter Passphrase for keystore: <omitted>
jarsigner: Certificate chain not found for: infinitelabs_codesigning_2.  infinitelabs_codesigning_2 must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.

What am I doing wrong?

(The certificate was created following Apple's instructions for obtaining a signing identity.)

millenomi asked Sep 23 '08 21:09



1 Answer

I think that your keystore entry alias must be wrong. Are you using the alias name of a keystore object with an entry type of "keyEntry"? The same command works perfectly for me.

From the jarsigner man page:

When using jarsigner to sign a JAR file, you must specify the alias for the keystore entry containing the private key needed to generate the signature.

bd808 answered Oct 11 '22 18:10
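The entry-type check suggested in the answer can be scripted. This is an added example, not part of the original answer: it filters `keytool -list -v` output down to the aliases jarsigner can sign with. The function names and the sample listing (aliases, dates) are constructed for illustration; newer JDKs print "PrivateKeyEntry" where older ones print "keyEntry", so both are accepted.

```shell
#!/bin/sh
# Added example: find keystore aliases that hold a private key.
# Feed it the listing from the question, e.g.:
#   keytool -list -provider com.apple.crypto.provider.Apple \
#       -storetype KeychainStore -keystore NONE -v | signable_aliases

# Print the alias of every entry whose "Entry type" is a key entry.
signable_aliases() {
    awk '
        { sub(/[ \t\r]+$/, "") }                 # drop trailing blanks / CR
        /^Alias name: / { alias = substr($0, 13) }
        /^Entry type: / {
            type = substr($0, 13)
            if (type == "keyEntry" || type == "PrivateKeyEntry") print alias
        }
    '
}

# Exit 0 if alias $1 is a signable key entry in the listing on stdin.
alias_is_signable() {
    signable_aliases | grep -Fxq -- "$1"
}

# Constructed sample listing (hypothetical aliases, not real keychain output).
sample_listing() {
    cat <<'EOF'
Keystore type: KeychainStore
Keystore provider: Apple

Your keystore contains 3 entries

Alias name: example_codesigning_1
Creation date: Sep 23, 2008
Entry type: PrivateKeyEntry
Certificate chain length: 1

Alias name: example_root_ca
Creation date: Sep 23, 2008
Entry type: trustedCertEntry

Alias name: legacy_signer
Creation date: Sep 23, 2008
Entry type: keyEntry
Certificate chain length: 1
EOF
}
```

An alias that is absent from this output, or listed only as trustedCertEntry, has no private key available to jarsigner.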