How to get jarsign to sign jarfiles?

Question

How to get jarsign to sign jarfiles?

Our product is stopped on Java version 1.5.0_13, and we would like to update it. Our software deploys a large number of cans through Java Web Start; all of these banks must be signed. However, a couple of banners do not contain class files and, starting with Java version 1.5.0_14, it seems that the jarsign utility chooses not to sign a jar that does not contain class files.

What can I do to get jarsign to sign these banks? Or what can I do to distribute these banks through Java Web Start without signing them? And is there somewhere where this jarsign change with versions 1.5.0_14 and higher is documented? I can not find it in the notes.

+4

java jar jarsigner

skiphoppy Jun 10 '09 at 16:41

source share

6 answers

For those who are looking for this problem, we have determined that this only affects some later versions of Java 1.5, which I assume are from 1.5.0_14. It seems to be fixed in recent versions 1.5 and definitely fixed in version 1.6.

+2

skiphoppy Sep 03 '09 at 14:37

source share

You can put dummy class files if you need to. Probably unpleasant, but perhaps necessary.

+1

Joshua Jun 10 '09 at 16:45

source share

This is a long shot, but Ant's SignJar task can convince jarsign to do the right thing. There are many options that can overturn the balance.

+1

skaffman Jul 14 '09 at 20:14

source share

By the way, I tried the same as Vinay, but with JDK 1.5.0_17 jarsigner and proper Verisign certificate, and got the same results. Jarsigner worked, and the jar was verified using jarsigner -verify.

+1

Scott McIntyre Jul 17 '09 at 21:16

source share

Addendum about this: I am using Java Web Start, and I have a jar containing only images. With JDK 1.6_05 (07, 10 too) and the Ant generation, it is signed without problems (with a self-signed certificate). So, like the others described, it does not seem to be associated with a jar containing .class files or not.

+1

Gnoupi Jul 20 '09 at 13:53

source share

Vinay sajip · Accepted Answer · 2009-07-15T22:57:02+0000

I can not check if there are any problems. Can you browse and see what may be different in your environment? I am working on windows 7 rc.

Check version:

  C: \ temp> java -version
 java version "1.5.0_14"
 Java (TM) 2 Runtime Environment, Standard Edition (build 1.5.0_14-b03)
 Java HotSpot (TM) Client VM (build 1.5.0_14-b03, mixed mode, sharing)

See what will be in our bank:

  C: \ temp> dir / s / b com
 C: \ temp \ com \ rdc
 C: \ temp \ com \ rdc \ test
 C: \ temp \ com \ rdc \ test \ logging.properties

Make a jar:

  C: \ temp> jar -cfv test-source.jar com / *
 added manifest
 adding: com / rdc / (in = 0) (out = 0) (stored 0%)
 adding: com / rdc / test / (in = 0) (out = 0) (stored 0%)
 adding: com / rdc / test / logging.properties (in = 13) (out = 15) (deflated -15%)

Sign the jar: I use a self-signed certificate.

  C: \ temp> jarsigner -signedjar test-dest.jar test-source.jar vinay
 Enter Passphrase for keystore:

 Warning: The signer certificate will expire within six months.

Let's see what is in our signed bank:

  C: \ temp> jar tvf test-dest.jar
    155 Wed Jul 15 23:39:12 BST 2009 META-INF / MANIFEST.MF
    276 Wed Jul 15 23:39:12 BST 2009 META-INF / VINAY.SF
   1130 Wed Jul 15 23:39:12 BST 2009 META-INF / VINAY.DSA
      0 Wed Jul 15 23:37:18 BST 2009 META-INF /
      0 Wed Jul 15 19:44:44 BST 2009 com / rdc /
      0 Wed Jul 15 19:44:58 BST 2009 com / rdc / test /
     13 Wed Jul 15 23:37:10 BST 2009 com / rdc / test / logging.properties

OK, it looks like it was signed and it has no classes. View the contents of MANIFEST.MF :

  Manifest-Version: 1.0
 Created-By: 1.5.0_14 (Sun Microsystems Inc.)

 Name: com / rdc / test / logging.properties
 SHA1-Digest: Ob / S + a7TLh + aKYGEFIDugM12S88 =

And the contents of VINAY.SF :

  Signature-Version: 1.0
 Created-By: 1.5.0_14 (Sun Microsystems Inc.)
 SHA1-Digest-Manifest-Main-Attributes: 4bEkze9MHmgfBoY + fnoS1V9bRPs =
 SHA1-Digest-Manifest: YB8QKIAQPjEYh8PkuGA5G8pW3tw =

 Name: com / rdc / test / logging.properties
 SHA1-Digest: qXCyrUvUALII7SBNEq4R7G8lVQQ =

Now check the box:

  C: \ temp> jarsigner -verify -verbose test-dest.jar

          155 Wed Jul 15 23:51:34 BST 2009 META-INF / MANIFEST.MF
          276 Wed Jul 15 23:51:34 BST 2009 META-INF / VINAY.SF
         1131 Wed Jul 15 23:51:34 BST 2009 META-INF / VINAY.DSA
            0 Wed Jul 15 23:37:18 BST 2009 META-INF /
            0 Wed Jul 15 19:44:44 BST 2009 com / rdc /
            0 Wed Jul 15 19:44:58 BST 2009 com / rdc / test /
 smk 13 Wed Jul 15 23:37:10 BST 2009 com / rdc / test / logging.properties

   s = signature was verified
   m = entry is listed in manifest
   k = at least one certificate was found in keystore
   i = at least one certificate was found in identity scope

 jar verified.

 Warning: This jar contains entries whose signer certificate will expire within
 six months.  Re-run with the -verbose and -certs options for more details.

At first glance, everything looks fine. Can you check if your certificates have expired or been canceled? Do you use self-signed certificates or real certificates? Or did I misunderstand what your problem is?

How to get jarsign to sign jarfiles?

More articles: