Why does Java Web Start say a signed jar file is unsigned?

Posted on 2024-09-15 02:41:46

Java Web Start (JWS) says that it can't launch my application because the jar file is unsigned:

Error: Unsigned application requesting unrestricted access to system
       Unsigned resource: .../dynaccn.jar

But the jar file is signed:

$ jarsigner -keystore ... dynaccn.jar idv
$ jar tf dynaccn.jar
META-INF/MANIFEST.MF
META-INF/IDV.SF
META-INF/IDV.RSA
META-INF/
edu/
edu/ucar/
edu/ucar/unidata/
edu/ucar/unidata/dynaccn/
App$1.class
...
$ jarsigner -verbose -certs -verify dynaccn.jar
       28325 Tue Aug 17 09:41:58 MDT 2010 META-INF/MANIFEST.MF
       28404 Tue Aug 17 09:41:58 MDT 2010 META-INF/IDV.SF
        2880 Tue Aug 17 09:41:58 MDT 2010 META-INF/IDV.RSA
           0 Tue Aug 17 09:41:58 MDT 2010 META-INF/
           0 Mon Aug 16 10:10:34 MDT 2010 edu/
           0 Mon Aug 16 10:10:34 MDT 2010 edu/ucar/
           0 Mon Aug 16 10:10:34 MDT 2010 edu/ucar/unidata/
           0 Mon Aug 16 10:10:34 MDT 2010 edu/ucar/unidata/dynaccn/
...
sm       486 Mon Aug 16 10:10:34 MDT 2010 App$1.class

      X.509, CN=University Corporation for Atmospheric Research, OU=UNIDATA, O=University Corporation for Atmospheric Research, L=Boulder, ST=Colorado, C=US
      [certificate will expire on 2/6/11 4:59 PM]
      X.509, CN=Thawte Code Signing CA, O=Thawte Consulting (Pty) Ltd., C=ZA
      [certificate is valid from 8/5/03 6:00 PM to 8/5/13 5:59 PM]
      [KeyUsage extension does not support code signing]
      X.509, [email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
      [certificate is valid from 7/31/96 6:00 PM to 12/31/20 4:59 PM]
      [CertPath not validated: null]
...
jar verified.

Warning: 
This jar contains entries whose signer certificate's KeyUsage extension doesn't allow code signing.
This jar contains entries whose signer certificate will expire within six months. 
This jar contains entries whose certificate chain is not validated.
This jar contains signed entries that's not signed by alias in this keystore.

and both JWS and my browser have a certificate for "Thawte Premium Server CA".

The problem occurs even if the JWS cache and the browser download area are empty.

I don't believe the "KeyUsage" message is relevant because 1) the same certificate chain is used for another application that does launch successfully; and 2) documentation I've read indicates that the Thawte Code Signing CA is only used to verify the UNIDATA certificate and not to sign code.

My environment is Linux 2.6.27.41-170.2.117.fc10.x86_64, Firefox 3.6.8 (i686), and Java 1.7.0-ea.

Why won't this application launch?

UPDATE: I've discovered that the application launches if the "codebase" attribute in the JNLP file references a local directory but not if it references a URL that lies behind user authentication. In the latter case, javaws(1) interprets the authentication webpage as a JNLP file (with obvious results) if invoked from the command-line. If invoked by the "deployJava" script from a user-authenticating webpage (so that the browser has a session cookie), then javaws(1) says that the application isn't signed. I find both of these failure modes odd as the javaws(1) documentation says that it understands user authenticating web pages and the jar file is signed.
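As an added illustration of the two failure modes reported in the update (this is not code from the original post), the Python below classifies the bytes a client actually receives for a jar URL: an HTML login page, an unsigned jar, a jar whose `.SF` file does not list every entry, or a structurally signed jar. All function names and sample bytes are constructed; the check is structural only and does not verify digests or the certificate chain the way `jarsigner -verify` does.

```python
import io
import re
import zipfile

SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")  # signature block files in META-INF/

def sf_entry_names(sf_text):
    """Entry names listed in a .SF file; a leading space continues the previous line."""
    unfolded = re.sub(r"\r?\n ", "", sf_text)
    return {m.strip() for m in re.findall(r"^Name: (.*)$", unfolded, re.M)}

def classify_download(data):
    """Structural check only: digests and the certificate chain are not verified."""
    if not data.startswith(b"PK\x03\x04"):
        return "not-a-jar"  # e.g. an HTML login page served in place of the jar
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        meta = [n for n in names if n.upper().startswith("META-INF/")]
        sf_files = [n for n in meta if n.upper().endswith(".SF")]
        blocks = [n for n in meta if n.upper().endswith(SIG_BLOCK_EXT)]
        if not sf_files or not blocks:
            return "unsigned"
        covered = set()
        for sf in sf_files:
            covered |= sf_entry_names(jar.read(sf).decode("utf-8", "replace"))
        payload = [n for n in names if not n.endswith("/") and n not in meta]
        return "partially-signed" if set(payload) - covered else "signed-structure"

def make_jar(entries):
    """Build a constructed sample jar in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in entries.items():
            z.writestr(name, body)
    return buf.getvalue()

# Constructed samples (not taken from the dynaccn.jar discussed in the question)
SF = b"Signature-Version: 1.0\r\n\r\nName: demo/App.class\r\nSHA1-Digest: AAAA\r\n\r\n"
SIGNED = make_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n\r\n",
                   "META-INF/IDV.SF": SF, "META-INF/IDV.RSA": b"placeholder",
                   "demo/App.class": b"\xca\xfe\xba\xbe"})
PARTIAL = make_jar({"META-INF/IDV.SF": SF, "META-INF/IDV.RSA": b"placeholder",
                    "demo/App.class": b"\xca\xfe\xba\xbe",
                    "demo/Extra.class": b"\xca\xfe\xba\xbe"})
LOGIN_PAGE = b"<html><body><form action='/login'>Sign in</form></body></html>"

if __name__ == "__main__":
    for label, blob in [("login page", LOGIN_PAGE), ("signed", SIGNED), ("partial", PARTIAL)]:
        print(label, "->", classify_download(blob))
```

Running the same classification on the file saved from the authenticated codebase URL shows whether the client received a jar at all before any signature question arises.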

Comments (3)

放飞的风筝 2024-09-22 02:41:46

I'm on Gentoo Linux, running OpenJDK 7, and I think I experienced the same problem.

I could not get it to work with OpenJDK 7. Only re-signing with a release of the Sun Java 6 JDK ultimately signed the application correctly. (I also re-built it all due to it being managed by ant, I don't know if that is necessary, though).

Merely switching to the official JDK 6 without rebuilding only makes the "[CertPath not validated: null]" warning when verifying with "jarsigner -verify -verbose -certs" disappear, but does not appear to work in the application I ultimately use.

-残月青衣踏尘吟 2024-09-22 02:41:46
  1. make sure you are not using a cached (unsigned) version of the jar. Clean the temp folder where JWS downloads jars
  2. make sure that all dependencies (jars) of your jar, that require special permissions, are also signed
葬シ愛 2024-09-22 02:41:46

Make sure you wrap your calls in the applet with a doPrivileged block. I am unsure why it works like this but seems to work like a charm.
