Jarsigner: certificate chain not found
I have imported a certificate into a private ~/.keystore file:
keytool -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
mylyn-mantis, Jul 15, 2010, trustedCertEntry
and am trying to sign a jar with it, but I get a 'certificate chain not found' error.
jarsigner -verbose /home/robert/file.jar mylyn-mantis
jarsigner: Certificate chain not found for: mylyn-mantis. mylyn-mantis must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
How can I solve this problem?
It seems that your keystore contains only a certificate (public key). You need a complete key entry, with a private key and the whole certificate chain, to be able to sign anything.
Short Answer
Use your alias key instead of key store like this:
More Details
Here is the easiest way to solve this error:
or this path:
To prevent issues caused by the configuration of environment variables, please copy both the empty package to be signed, and your key store [the private key for signature] to the bin directory under JDK.
Get your alias key by running this command:
keytool -keystore [your key store] -list -v
Finally run this command:
jarsigner -verbose -keystore [Your signature storage path] -signedjar [signed filename] [unsigned filename] [Your alias key]
I faced the same issue. I have a .p12 file issued by a CA and I was trying to sign a jar file. However, I was getting this error:
Basically I was copying the alias name from the console. It had a wrong character, a 'question mark' (?), causing this error. Instead I redirected the output of keytool to a text file and then copied the alias name from there.
Issue this command:
keytool -list -v -storetype pkcs12 -keystore "mycertificate.p12" > cert.txt
(This is very important. Always redirect to a txt file. Do not copy from console output. It can contain wrong characters.)
Let's say this string is "my alias name, a.p.’s my ca limited id"
Use jarsigner:
jarsigner -storetype pkcs12 -keystore "mycertificate.p12" myjarfile.jar "my alias name, a.p.’s my ca limited id"
I had this error, but it was a different issue. When you send off a CSR to a CA it comes from a particular private key with a particular alias that you generated. When you receive the cert back again you must import it using the same alias name or else the two certs will not be wired together.
If you have done it right, when you use keytool -list -v you will see a single entry with the alias name, of type
For the entry.
If you have done it wrong then you will have two entries
and
I encountered this error because I was using a Jenkins "certificate" credential. The Jenkins credential configuration dialog has a text box called Description, whose help says it is a free comment describing the credential. In fact, the Jenkins pipeline block withCredentials uses the Description text box to populate the environment variable named in the aliasVariable property. This is not mentioned in the Jenkins documentation.
mylyn-mantis should be the actual alias name you used when you generate the signing key.
Short answer
This error message is misleading. It is also shown when the alias is not found.
Details
Unfortunately the error message is misleading. This error seems to be shown when:
In my case it was the alias not found option.
The keytool command printed the alias surrounded with { }, that look like just a wrap, but they really are part of the alias. So you should pass the whole string as an alias {xxxxx-xxxx-xxxx-xxxx-xxxxxxx} to jarsigner. My pfx file was generated in Windows certificate manager.
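
The causes named across these answers (an alias that is only a trustedCertEntry, and an alias that does not match exactly, braces included) can be told apart before running jarsigner. The sketch below is an added example, not code from the thread; entry_type, sign_precheck and the sample listing are constructed for illustration, and it assumes English keytool -list -v output.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the listing below
# are constructed for illustration; labels assume English keytool output.

# Constructed sample of `keytool -list -v` output, trimmed to the relevant fields.
sample_listing() {
    cat <<'EOF'
Your keystore contains 2 entries

Alias name: mylyn-mantis
Creation date: Jul 15, 2010
Entry type: trustedCertEntry

Alias name: {xxxxx-xxxx-xxxx-xxxx-xxxxxxx}
Creation date: Jul 15, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 2
EOF
}

# entry_type ALIAS: read a verbose listing on stdin and print the entry type
# of the alias that matches ALIAS exactly, or "missing" if there is none.
# ENVIRON is used instead of -v so awk does not reinterpret backslashes.
# The match is exact, which is stricter than JKS's case-insensitive lookup.
entry_type() {
    want=$1 awk '
        { sub(/\r$/, "") }                      # tolerate CRLF from Windows
        /^Alias name: / { alias = substr($0, 13); next }
        /^Entry type: / && alias == ENVIRON["want"] {
            print substr($0, 13); found = 1; exit
        }
        END { if (!found) print "missing" }
    '
}

# sign_precheck ALIAS: succeed only if ALIAS is a PrivateKeyEntry, the one
# entry type jarsigner can sign with; otherwise name the cause.
sign_precheck() {
    case $(entry_type "$1") in
        PrivateKeyEntry)  echo "ok: private key entry"; return 0 ;;
        trustedCertEntry) echo "certificate only, no private key"; return 1 ;;
        missing)          echo "alias not found (check braces, quotes, pasted characters)"; return 1 ;;
        *)                echo "entry type cannot sign"; return 1 ;;
    esac
}

for a in 'mylyn-mantis' '{xxxxx-xxxx-xxxx-xxxx-xxxxxxx}' 'xxxxx-xxxx-xxxx-xxxx-xxxxxxx'; do
    printf '%s -> %s\n' "$a" "$(sample_listing | sign_precheck "$a")"
done
```

In real use, pipe the output of keytool -list -v -keystore [your key store] into sign_precheck with the alias you intend to pass to jarsigner.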