How do I sign a Java applet using a certificate in my Mac keychain?

Question

I have a self-signed root certificate with just the code signing extension (no other extensions) in my Mac keychain; I use it to sign all code coming out of ∞labs using Apple's codesign tool and it works great.

I was looking to expand myself a little and doing some Java development. I know Apple provides a KeyStore implementation that reads from the Keychain, and I can list all certificates I have in the 'chain with:

keytool -list -provider com.apple.crypto.provider.Apple -storetype KeychainStore -keystore NONE -v

However, whenever I try to use jarsigner to sign a simple test JAR file, I end up with:

$ jarsigner -keystore NONE -storetype KeychainStore -providerName Apple a.jar infinitelabs_codesigning_2
Enter Passphrase for keystore: <omitted>
jarsigner: Certificate chain not found for: infinitelabs_codesigning_2.  infinitelabs_codesigning_2 must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.

What am I doing wrong?

(The certificate was created following Apple's instructions for obtaining a signing identity.)

Answer 1

I think that your keystore entry alias must be wrong. Are you using the alias name of a keystore object with an entry type of "keyEntry"? The same command works perfectly for me.

From the jarsigner man page:

When using jarsigner to sign a JAR file, you must specify the alias for the keystore entry containing the private key needed to generate the signature.