jarsigner -verify works in Java 6 but not Java 7

Question

I've been banging my head against this for a few days and am completely stumped. Here's the rundown:

1. I've got an Eclipse plugin project using Tycho to build via Maven 3
2. Within Maven I've got the maven-jarsigner-plugin set up to sign jars using my keystore (see below for keystore details)
3. I've got a code signing cert that's been signed by Thawte in my keystore

I can take any signed jar file from target/* and run 'jarsigner -verify' on it. This is what happens:

#java 6 on a VM
vagrant@test2:/vagrant/com.example.plugins.eclipse/target$ jarsigner -verify com.example.eclipse-0.1.3-SNAPSHOT.jar
jar verified.

Next:

#java 7 on a completely different vm
vagrant@test1:/vagrant$ jarsigner -verify com.example.eclipse-0.1.3-SNAPSHOT.jar
jar verified.

Warning:
This jar contains entries whose certificate chain is not validated.

Re-run with the -verbose and -certs options for more details.

I've take care not to use a machine with both Java6 and Java7 installed, so it's not this issue

I also don't believe it's algorithm based, as described in this issue, since I can sign the project using either Java 6 or Java 7 and it always verifies in Java6 and never verifies in Java7, regardless of which environment I signed the jars with.

Here's the output of keytool -list

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Aug 11, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81
intermediate, Aug 11, 2013, trustedCertEntry,

I have to believe that this is a certificate chain issue because I am able to verify the jar using the following command on Java 7:

jarsigner -verify -keystore keystore com.example.eclipse-0.1.3-SNAPSHOT.jar

Obviously I can't have every user of my plugin using my keystore file, so that's not a solution. It does however, reinforce that I have a cert chain issue in Java 7. Thoughts?

Answer 1

The answer to your problem is you are using SUN as your keystore provider java 6 was released prior to oracle purchasing SUN and java 7 was released after and many of the Sun packages are now deprecated. You can verify this here.

Oracle has kept support for the deprecated SUN keystore provider but now requires that a warning be issued same as if you had used any deprecated feature.

There is a long detailed description written by Oracle on why you shouldn't use the SUN provider for security signing in the JCA Documentation on their website.

The only thing that will "fix" this is to change your keystore provider to and oracle acceptable one, you can find them in the same security documentation linked to above.

Hope that helps.