如何强制 jarsign 签署 jar 文件?
我们的产品在 Java 版本 1.5.0_13 处停止,我们想要升级。 我们的软件通过Java Web Start部署大量的jar; 所有这些罐子都必须签名。 但是,有几个 jar 不包含类文件,并且从 Java 版本 1.5.0_14 开始,jarsign 实用程序似乎选择不对任何不包含类文件的 jar 进行签名。
我该怎么做才能强制 jarsign 对这些 jar 进行签名? 或者我可以做什么来通过 Java Web Start 分发这些 jar 而不对其进行签名? 是否有任何地方记录了 1.5.0_14 及以上版本对 jarsign 的更改? 我在发行说明中找不到它。
Our product is halted at Java version 1.5.0_13 and we would like to upgrade. Our software deploys a large number of jars via Java Web Start; all of these jars must be signed. However, a couple of the jars do not contain class files, and starting with Java version 1.5.0_14, it appears that the jarsign utility chooses not to sign any jar that does not contain class files.
What can I do to force jarsign to sign these jars? Or what can I do to distribute these jars through Java Web Start without signing them? And is there anywhere where this change to jarsign with versions 1.5.0_14 and above is documented? I can't find it in the release notes.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
我无法验证是否存在任何问题。 您能仔细看看您的环境中可能有什么不同吗? 我在 Windows 7 RC 上运行。
让我们检查一下版本:
让我们看看 jar 中会有什么:
让我们制作 jar:
让我们对 jar 进行签名: 我正在使用自签名证书。
让我们看看我们签名的 jar 中有什么:
C:\temp>jar tvf test-dest.jar 155 Wed Jul 15 23:39:12 BST 2009 META-INF/MANIFEST.MF 276 Wed Jul 15 23:39:12 BST 2009 META-INF/VINAY.SF 1130 Wed Jul 15 23:39:12 BST 2009 META-INF/VINAY.DSA 0 Wed Jul 15 23:37:18 BST 2009 META-INF/ 0 Wed Jul 15 19:44:44 BST 2009 com/rdc/ 0 Wed Jul 15 19:44:58 BST 2009 com/rdc/test/ 13 Wed Jul 15 23:37:10 BST 2009 com/rdc/test/logging.properties好的,它看起来确实已经被签名了,而且它没有类。 让我们看看
MANIFEST.MF的内容:以及
VINAY.SF的内容:现在,让我们验证一下 jar:
C:\temp>jarsigner -verify -verbose test-dest.jar 155 Wed Jul 15 23:51:34 BST 2009 META-INF/MANIFEST.MF 276 Wed Jul 15 23:51:34 BST 2009 META-INF/VINAY.SF 1131 Wed Jul 15 23:51:34 BST 2009 META-INF/VINAY.DSA 0 Wed Jul 15 23:37:18 BST 2009 META-INF/ 0 Wed Jul 15 19:44:44 BST 2009 com/rdc/ 0 Wed Jul 15 19:44:58 BST 2009 com/rdc/test/ smk 13 Wed Jul 15 23:37:10 BST 2009 com/rdc/test/logging.properties s = signature was verified m = entry is listed in manifest k = at least one certificate was found in keystore i = at least one certificate was found in identity scope jar verified. Warning: This jar contains entries whose signer certificate will expire within six months. Re-run with the -verbose and -certs options for more details.从表面上看,一切似乎都在命令。 您可以检查您的证书是否已过期或被吊销吗? 您使用的是自签名证书还是真实证书? 或者我误解了你的问题是什么?
I'm not able to verify that there is any problem. Can you look through and see what might be different in your environment? I'm running on Windows 7 RC.
Let's check the version:
Let's see what'll be in our jar:
Let's make the jar:
Let's sign the jar: I'm using a self-signed certificate.
Let's see what's in our signed jar:
C:\temp>jar tvf test-dest.jar 155 Wed Jul 15 23:39:12 BST 2009 META-INF/MANIFEST.MF 276 Wed Jul 15 23:39:12 BST 2009 META-INF/VINAY.SF 1130 Wed Jul 15 23:39:12 BST 2009 META-INF/VINAY.DSA 0 Wed Jul 15 23:37:18 BST 2009 META-INF/ 0 Wed Jul 15 19:44:44 BST 2009 com/rdc/ 0 Wed Jul 15 19:44:58 BST 2009 com/rdc/test/ 13 Wed Jul 15 23:37:10 BST 2009 com/rdc/test/logging.propertiesOK, it certainly appears to have been signed, and it has no classes. Let's look at the contents of
MANIFEST.MF:And the contents of
VINAY.SF:Now, let's verify the jar:
C:\temp>jarsigner -verify -verbose test-dest.jar 155 Wed Jul 15 23:51:34 BST 2009 META-INF/MANIFEST.MF 276 Wed Jul 15 23:51:34 BST 2009 META-INF/VINAY.SF 1131 Wed Jul 15 23:51:34 BST 2009 META-INF/VINAY.DSA 0 Wed Jul 15 23:37:18 BST 2009 META-INF/ 0 Wed Jul 15 19:44:44 BST 2009 com/rdc/ 0 Wed Jul 15 19:44:58 BST 2009 com/rdc/test/ smk 13 Wed Jul 15 23:37:10 BST 2009 com/rdc/test/logging.properties s = signature was verified m = entry is listed in manifest k = at least one certificate was found in keystore i = at least one certificate was found in identity scope jar verified. Warning: This jar contains entries whose signer certificate will expire within six months. Re-run with the -verbose and -certs options for more details.On the face of it, everything appears to be in order. Can you check if your certificates have expired, or been revoked? Are you using self-signed certs or real certs? Or have I misunderstood what your problem is?
对于任何搜索此问题的人,我们确定它只影响 Java 1.5 的某些更高版本,我相信是从 1.5.0_14 开始的版本。 它似乎在最新版本的 1.5 中已修复,并且在 1.6 中肯定已修复。
For anyone searching on this issue, we determined it only affects certain later versions of Java 1.5, those from 1.5.0_14 onward, I believe. It appears to be fixed in the latest versions of 1.5, and is definitely fixed in 1.6.
如果需要,您可以放入虚拟类文件。 可能令人厌恶,但也许是必要的。
You can put dummy class files in if you need to. Probably distasteful but maybe necessary.
顺便说一句,我尝试了与 Vinay 相同的操作,但使用了 JDK 1.5.0_17 jarsigner 和正确的 Verisign 证书,并得到了相同的结果。 Jarsigner 工作了,并且使用 jarsigner -verify 验证了 jar。
BTW, I tried the same thing as Vinay, but with the JDK 1.5.0_17 jarsigner, and a proper Verisign certificate, and got the same results. Jarsigner worked, and the jar verified using jarsigner -verify.
添加一下:我正在使用 Java Web Start,并且我有一个仅包含图像的 jar。
使用 JDK 1.6_05(也包括 07、10)和 Ant 一代,它的签名没有问题(使用自签名证书)。
因此,就像其他人所描述的那样,它似乎没有链接到包含 .class 文件的 jar。
Adding about it : I'm using Java Web Start, and I have a jar which contains only images.
With a JDK 1.6_05(07, 10, too), and an Ant generation, it is signed without a problem (with a self-signed cert).
So, like others described, it doesn't seem to be linked to the jar containing .class files or not.
虽然可能性不大,但 Ant SignJar 任务 或许能够说服 jarsign做正确的事。 有很多选择可能会打破平衡。
It's a long shot, but the Ant SignJar task might be able to convince jarsign to do the right thing. There's a bunch of options there that might tip the balance.