How do I force jarsign to sign a jar file?

Posted on 2024-07-23 10:25:04

Our product is halted at Java version 1.5.0_13 and we would like to upgrade. Our software deploys a large number of jars via Java Web Start; all of these jars must be signed. However, a couple of the jars do not contain class files, and starting with Java version 1.5.0_14, it appears that the jarsign utility chooses not to sign any jar that does not contain class files.

What can I do to force jarsign to sign these jars? Or what can I do to distribute these jars through Java Web Start without signing them? And is there anywhere where this change to jarsign with versions 1.5.0_14 and above is documented? I can't find it in the release notes.

Comments (6)

蘸点软妹酱 2024-07-30 10:25:04

I'm not able to verify that there is any problem. Can you look through and see what might be different in your environment? I'm running on Windows 7 RC.

Let's check the version:

C:\temp>java -version
java version "1.5.0_14"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_14-b03)
Java HotSpot(TM) Client VM (build 1.5.0_14-b03, mixed mode, sharing)

Let's see what'll be in our jar:

C:\temp>dir /s /b com
C:\temp\com\rdc
C:\temp\com\rdc\test
C:\temp\com\rdc\test\logging.properties

Let's make the jar:

C:\temp>jar -cfv test-source.jar com/*
added manifest
adding: com/rdc/(in = 0) (out= 0)(stored 0%)
adding: com/rdc/test/(in = 0) (out= 0)(stored 0%)
adding: com/rdc/test/logging.properties(in = 13) (out= 15)(deflated -15%)

Let's sign the jar: I'm using a self-signed certificate.

C:\temp>jarsigner -signedjar test-dest.jar test-source.jar vinay
Enter Passphrase for keystore:

Warning: The signer certificate will expire within six months.

Let's see what's in our signed jar:

C:\temp>jar tvf test-dest.jar
   155 Wed Jul 15 23:39:12 BST 2009 META-INF/MANIFEST.MF
   276 Wed Jul 15 23:39:12 BST 2009 META-INF/VINAY.SF
  1130 Wed Jul 15 23:39:12 BST 2009 META-INF/VINAY.DSA
     0 Wed Jul 15 23:37:18 BST 2009 META-INF/
     0 Wed Jul 15 19:44:44 BST 2009 com/rdc/
     0 Wed Jul 15 19:44:58 BST 2009 com/rdc/test/
    13 Wed Jul 15 23:37:10 BST 2009 com/rdc/test/logging.properties

OK, it certainly appears to have been signed, and it has no classes. Let's look at the contents of MANIFEST.MF:

Manifest-Version: 1.0
Created-By: 1.5.0_14 (Sun Microsystems Inc.)

Name: com/rdc/test/logging.properties
SHA1-Digest: Ob/S+a7TLh+akYGEFIDugM12S88=

And the contents of VINAY.SF:

Signature-Version: 1.0
Created-By: 1.5.0_14 (Sun Microsystems Inc.)
SHA1-Digest-Manifest-Main-Attributes: 4bEkze9MHmgfBoY+fnoS1V9bRPs=
SHA1-Digest-Manifest: YB8QKIAQPjEYh8PkuGA5G8pW3tw=

Name: com/rdc/test/logging.properties
SHA1-Digest: qXCyrUvUALII7SBNEq4R7G8lVQQ=

Now, let's verify the jar:

C:\temp>jarsigner -verify -verbose test-dest.jar

         155 Wed Jul 15 23:51:34 BST 2009 META-INF/MANIFEST.MF
         276 Wed Jul 15 23:51:34 BST 2009 META-INF/VINAY.SF
        1131 Wed Jul 15 23:51:34 BST 2009 META-INF/VINAY.DSA
           0 Wed Jul 15 23:37:18 BST 2009 META-INF/
           0 Wed Jul 15 19:44:44 BST 2009 com/rdc/
           0 Wed Jul 15 19:44:58 BST 2009 com/rdc/test/
smk       13 Wed Jul 15 23:37:10 BST 2009 com/rdc/test/logging.properties

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

Warning: This jar contains entries whose signer certificate will expire within
six months. Re-run with the -verbose and -certs options for more details.

On the face of it, everything appears to be in order. Can you check if your certificates have expired, or been revoked? Are you using self-signed certs or real certs? Or have I misunderstood what your problem is?
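
Added example, not part of the original answer: a Python check over the structure the answer inspects by hand, confirming that every file entry of a class-less jar is listed in MANIFEST.MF with a matching digest and that a .SF file and a signature block are present. It generalizes from the SHA1-Digest shown above to any `*-Digest` attribute and does not validate the signature block itself, which remains the job of `jarsigner -verify`. The function names, the sample jar and its file content are constructed for illustration.

```python
import base64, hashlib, io, zipfile

def parse_manifest(text):
    """Return {entry name: attributes} for the per-entry sections of a manifest."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # undo 72-byte line folding
    sections = {}
    for block in unfolded.split("\n\n"):  # a blank line ends each section
        attrs = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if "Name" in attrs:
            sections[attrs.pop("Name")] = attrs
    return sections

def b64_digest(attr, body):
    """Digest `body` with the algorithm named by an attribute such as SHA1-Digest."""
    algo = attr[:-len("-Digest")].replace("-", "").lower()  # SHA-256-Digest -> sha256
    return base64.b64encode(hashlib.new(algo, body).digest()).decode()

def audit_jar(data):
    """Return ({file entry: status}, signature_files_present) for jar bytes."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        meta = {n.upper().rsplit(".", 1)[-1] for n in jar.namelist()
                if n.upper().startswith("META-INF/")}
        for name in jar.namelist():
            if name.endswith("/") or name.upper().startswith("META-INF/"):
                continue  # simplification: skip directories and all of META-INF
            digests = {k: v for k, v in manifest.get(name, {}).items() if k.endswith("-Digest")}
            if not digests:
                report[name] = "unlisted"  # jarsigner -verify would print no "m" flag
            elif all(b64_digest(k, jar.read(name)) == v for k, v in digests.items()):
                report[name] = "ok"
            else:
                report[name] = "digest-mismatch"
    return report, "SF" in meta and bool(meta & {"DSA", "RSA", "EC"})

def build_sample(extra_entry=False):
    """Constructed class-less jar shaped like the answer's test-dest.jar."""
    props = b"level = INFO\n"  # constructed 13-byte file content
    manifest = ("Manifest-Version: 1.0\r\n\r\nName: com/rdc/test/logging.properties\r\n"
                f"SHA1-Digest: {b64_digest('SHA1-Digest', props)}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/VINAY.SF", "Signature-Version: 1.0\r\n\r\n")  # placeholder
        jar.writestr("META-INF/VINAY.DSA", b"\x00")  # placeholder, not a real signature
        jar.writestr("com/rdc/test/logging.properties", props)
        if extra_entry:  # simulates a file added after signing
            jar.writestr("com/rdc/test/added-later.png", b"constructed")
    return buf.getvalue()
```

Running `audit_jar` over each jar referenced by a JNLP file before deployment flags resource-only jars that the signing step skipped or that were modified after signing.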

晚雾 2024-07-30 10:25:04

For anyone searching on this issue, we determined it only affects certain later versions of Java 1.5, those from 1.5.0_14 onward, I believe. It appears to be fixed in the latest versions of 1.5, and is definitely fixed in 1.6.

内心荒芜 2024-07-30 10:25:04

You can put dummy class files in if you need to. Probably distasteful but maybe necessary.

红ご颜醉 2024-07-30 10:25:04

BTW, I tried the same thing as Vinay, but with the JDK 1.5.0_17 jarsigner, and a proper Verisign certificate, and got the same results. Jarsigner worked, and the jar verified using jarsigner -verify.

栀子花开つ 2024-07-30 10:25:04

To add to this: I'm using Java Web Start, and I have a jar which contains only images.
With JDK 1.6_05 (07 and 10, too) and an Ant generation, it is signed without a problem (with a self-signed cert).
So, like others described, it doesn't seem to be linked to whether the jar contains .class files or not.

蝶…霜飞 2024-07-30 10:25:04

It's a long shot, but the Ant SignJar task might be able to convince jarsign to do the right thing. There's a bunch of options there that might tip the balance.
