Why do I keep receiving "The digital signature of the object did not verify" for the Windows Java EE installer
I'm trying to download the Windows Java EE installer from Oracle's website but I continually receive "The digital signature of the object did not verify" error messages when I check the digital signature of the downloaded file.
I've tried the following searches on this site (and similar searches on Google with no success):
- java ee +"digital signature" +"did not verify"
  - 1 unrelated result
- java ee +"digital signature" +invalid
  - 2 unrelated results
I've downloaded the files on 3 separate machines, where each is running a different version of Windows (WinXP 32-bit, WinVista 32-bit & Win7 64-bit) and I get the same result. The machine running WinXP is my laptop, which I have tried on 2 completely different networks to download the files without success.
The files I have downloaded are (along with the certificate's serial number and thumbprint and whether the signature was valid):
- java_ee_sdk-6u3-jdk7-windows.exe
  - Signature does not verify
  - Serial Number: 5e f1 dc 1e fb 1e 46 b5 de 80 ed e1 76 2a 55 a7
  - Thumbprint: 9e 2b 73 43 3c 7f f0 be 9c 2e 54 6c 46 a3 d1 6a 6c da cf 32
- java_ee_sdk-6u3-windows.exe
  - Signature does not verify
  - Serial Number: 5e f1 dc 1e fb 1e 46 b5 de 80 ed e1 76 2a 55 a7
  - Thumbprint: 9e 2b 73 43 3c 7f f0 be 9c 2e 54 6c 46 a3 d1 6a 6c da cf 32
- jdk-7-windows-i586.exe
  - Signature verifies
  - Serial Number: 5e f1 dc 1e fb 1e 46 b5 de 80 ed e1 76 2a 55 a7
  - Thumbprint: 9e 2b 73 43 3c 7f f0 be 9c 2e 54 6c 46 a3 d1 6a 6c da cf 32
- jdk-7-windows-x64.exe
  - Signature verifies
  - Serial Number: 5e f1 dc 1e fb 1e 46 b5 de 80 ed e1 76 2a 55 a7
  - Thumbprint: 9e 2b 73 43 3c 7f f0 be 9c 2e 54 6c 46 a3 d1 6a 6c da cf 32
I downloaded the JDK 7 installers as a comparison and their signatures verify. As you can see by the serial numbers and thumbprints above, all the files are signed with the same certificate. However, the Java EE installers fail signature verification.
The fact that I can download both the JDK 7 installer and the Java EE installer on the same machine, on the same network, with both files being signed by the same certificate, and have different signature verification results would seem to imply that the Java EE installer was corrupted between being signed by Oracle and being received by me.
This seems to rule out a certificate problem on my machines (since I can verify the JDK 7 file - which is signed by the same certificate) and point to either a man-in-the-middle attack, or a corrupted file on the server. However, if Oracle were pushing out a corrupted file, I'm sure I would have found mention of it - since this problem has been occurring for the past couple of weeks.
The likelihood of a man-in-the-middle attack would appear to be reduced by the fact that the issue occurs when using different networks.
I've tried everything that I can think of and have come up empty.
Is anyone aware of others having this issue and more importantly, does anyone have any suggestions as to what may be causing this?
Comments (2)
I found this question in a search prompted by the same problem after downloading java_ee_sdk-6u4-jdk7-windows-ml.exe; it looks like the countersigner certificate is expired. In Windows Explorer:
That was obviously not the specific problem for SlaY3R in September 2011, but it may have been a different expired cert in the cert path.
Something to consider...
This isn't specific to the Java issue, but we see the same error when verifying signatures on an .msi we install. I ran 'signtool verify /v' and discovered that one of the certs in the trust chain wasn't trusted on my system. The explorer's file->properties UI doesn't expose this issue, but the signtool did.
Now I need to d/l and install some CA certs into our trust list to clear the issue.
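
The question and both answers point at three different causes (altered file bytes, an expired countersigner certificate, an untrusted certificate in the chain). The PowerShell below is an added example, not code from any of the posters, that tells them apart; the file names and signer thumbprint are the ones listed in the question, and the function name `Get-ChainProblem` is made up for this sketch.

```powershell
# Added example. File names and thumbprint are the ones listed in the question.
$files    = '.\java_ee_sdk-6u3-jdk7-windows.exe', '.\jdk-7-windows-i586.exe'
$expected = '9E2B73433C7FF0BE9C2E546C46A3D16A6CDACF32'   # signer thumbprint from the post

function Get-ChainProblem {
    param(
        [string]$Role,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    if (-not $Certificate) { return }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # No revocation lookups, so the check also runs offline.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    # Build() evaluates validity at the current time: for an old, timestamped file
    # NotTimeValid on the signer is expected; UntrustedRoot is not.
    [void]$chain.Build($Certificate)
    foreach ($element in $chain.ChainElements) {
        foreach ($status in $element.ChainElementStatus) {
            [pscustomobject]@{
                Role     = $Role
                Subject  = $element.Certificate.Subject
                NotAfter = $element.Certificate.NotAfter
                Problem  = $status.Status
            }
        }
    }
}

foreach ($file in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $file
    Write-Host ('{0}: {1}' -f $file, $sig.Status)
    if ($sig.Status -eq 'HashMismatch') {
        # The file bytes differ from what was signed: corruption or tampering.
        Write-Host '  file content does not match the signed hash'
    }
    if ($sig.SignerCertificate -and $sig.SignerCertificate.Thumbprint -ne $expected) {
        Write-Host ('  signer thumbprint differs: ' + $sig.SignerCertificate.Thumbprint)
    }
    # Any other failure: list expired or untrusted certificates in either chain.
    Get-ChainProblem -Role 'Signer'        -Certificate $sig.SignerCertificate
    Get-ChainProblem -Role 'Countersigner' -Certificate $sig.TimeStamperCertificate
}
```

A `HashMismatch` status on a file whose signer thumbprint matches supports the corruption theory in the question; a chain row with `NotTimeValid` or `UntrustedRoot` supports the explanations in the two answers.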