I've been banging my head against this for a few days and am completely stumped. Here's the rundown:
I can take any signed jar file from target/* and run 'jarsigner -verify' on it. This is what happens:
#java 6 on a VM
vagrant@test2:/vagrant/com.example.plugins.eclipse/target$ jarsigner -verify com.example.eclipse-0.1.3-SNAPSHOT.jar
jar verified.
Next:
#java 7 on a completely different vm
vagrant@test1:/vagrant$ jarsigner -verify com.example.eclipse-0.1.3-SNAPSHOT.jar
jar verified.
Warning:
This jar contains entries whose certificate chain is not validated.
Re-run with the -verbose and -certs options for more details.
I've taken care not to use a machine with both Java 6 and Java 7 installed, so it's not this issue.
I also don't believe it's algorithm based, as described in this issue, since I can sign the project using either Java 6 or Java 7 and it always verifies in Java 6 and never verifies in Java 7, regardless of which environment I signed the jars with.
Here's the output of keytool -list:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
root, Aug 11, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81
intermediate, Aug 11, 2013, trustedCertEntry,
I have to believe that this is a certificate chain issue because I am able to verify the jar using the following command on Java 7:
jarsigner -verify -keystore keystore com.example.eclipse-0.1.3-SNAPSHOT.jar
Obviously I can't have every user of my plugin using my keystore file, so that's not a solution. It does, however, reinforce that I have a cert chain issue in Java 7. Thoughts?
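An added example, not part of the original question or of jarsigner: a small Java program that separates the two things jarsigner -verify is reporting above, namely that the entry signatures check out (JarFile opened in verify mode) and that each signer's certificate chain does or does not reach a trust anchor (PKIX validation). Run against the JVM's default cacerts it shows the condition behind the Java 7 warning; run with the question's keystore (root and intermediate as trustedCertEntry) as the second argument it should report the chain as validated, mirroring the -keystore run. The class name JarChainCheck, the method names and the argument layout are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper, not part of the question or of jarsigner.
// Usage: java JarChainCheck <signed.jar> [truststore]
public class JarChainCheck {

    public static void main(String[] args) throws Exception {
        String jarPath = args[0];
        // Trust anchors: the JVM's default ones (cacerts), or the trusted
        // entries of an explicit store such as the question's "keystore".
        Set<TrustAnchor> anchors = args.length > 1 ? anchorsFromStore(args[1]) : defaultAnchors();
        Set<X509Certificate> anchorCerts = new HashSet<X509Certificate>();
        for (TrustAnchor a : anchors) anchorCerts.add(a.getTrustedCert());

        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // no CRL/OCSP fetch in this offline check
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // verify=true: a tampered entry throws SecurityException when it is read.
        JarFile jar = new JarFile(jarPath, true);
        try {
            Set<CodeSigner> seen = new HashSet<CodeSigner>();
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory()) continue;
                // Signers are only known after the entry has been fully read.
                InputStream in = jar.getInputStream(e);
                try { while (in.read(buf) != -1) { } } finally { in.close(); }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    System.out.println("unsigned entry: " + e.getName());
                    continue;
                }
                for (CodeSigner s : signers) {
                    if (!seen.add(s)) continue; // report each distinct signer once
                    checkChain(s, anchorCerts, cf, validator, params);
                }
            }
        } finally {
            jar.close();
        }
    }

    // Validates one signer's chain; the signature itself was already checked by JarFile.
    static void checkChain(CodeSigner s, Set<X509Certificate> anchorCerts, CertificateFactory cf,
                           CertPathValidator validator, PKIXParameters params) throws Exception {
        List<? extends Certificate> signerCerts = s.getSignerCertPath().getCertificates();
        X509Certificate leaf = (X509Certificate) signerCerts.get(0); // path is leaf-first
        List<Certificate> chain = new ArrayList<Certificate>();
        for (Certificate c : signerCerts) {
            // PKIX validation expects the anchor itself to be absent from the path.
            if (!anchorCerts.contains(c)) chain.add(c);
        }
        if (chain.isEmpty()) {
            System.out.println("signer cert is itself a trust anchor: " + leaf.getSubjectX500Principal());
            return;
        }
        try {
            validator.validate(cf.generateCertPath(chain), params);
            System.out.println("chain validated: " + leaf.getSubjectX500Principal());
        } catch (CertPathValidatorException ex) {
            // This is the condition behind jarsigner's "certificate chain is not validated".
            System.out.println("chain NOT validated: " + leaf.getSubjectX500Principal()
                    + " (" + ex.getMessage() + ")");
        }
    }

    // trustedCertEntry rows of a keystore become trust anchors, as with jarsigner -keystore.
    static Set<TrustAnchor> anchorsFromStore(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try { ks.load(in, null); } finally { in.close(); } // null password: read without integrity check
        return new PKIXParameters(ks).getTrustAnchors();
    }

    // The JVM's default truststore (cacerts), the same anchors jarsigner uses without -keystore.
    static Set<TrustAnchor> defaultAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(c, null));
                }
            }
        }
        return anchors;
    }
}
```

A "chain NOT validated" line with a "jar verified." result from jarsigner means the signature is intact but the signer is not anchored in the default truststore; the program prints the PKIX reason (for example, no matching trust anchor or an expired certificate), which is the detail jarsigner only gives with -verbose -certs.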
The answer to your problem is that you are using SUN as your keystore provider. Java 6 was released prior to Oracle purchasing Sun, Java 7 was released after, and many of the Sun packages are now deprecated. You can verify this here.
Oracle has kept support for the deprecated SUN keystore provider, but now requires that a warning be issued, the same as if you had used any deprecated feature.
There is a long detailed description written by Oracle on why you shouldn't use the SUN provider for security signing in the JCA Documentation on their website.
The only thing that will "fix" this is to change your keystore provider to an Oracle-acceptable one; you can find them in the same security documentation linked to above.
Hope that helps.