jarsigner -verify works in Java 6 but not Java 7

Jason Nichols · Aug 16, 2013 · Viewed 9.9k times

I've been banging my head against this for a few days and am completely stumped. Here's the rundown:

  1. I've got an Eclipse plugin project using Tycho to build via Maven 3
  2. Within Maven I've got the maven-jarsigner-plugin set up to sign jars using my keystore (see below for keystore details)
  3. I've got a code signing cert that's been signed by Thawte in my keystore

I can take any signed jar file from target/* and run 'jarsigner -verify' on it. This is what happens:

#java 6 on a VM
vagrant@test2:/vagrant/com.example.plugins.eclipse/target$ jarsigner -verify com.example.eclipse-0.1.3-SNAPSHOT.jar
jar verified.

Next:

#java 7 on a completely different vm
vagrant@test1:/vagrant$ jarsigner -verify com.example.eclipse-0.1.3-SNAPSHOT.jar
jar verified.

Warning:
This jar contains entries whose certificate chain is not validated.

Re-run with the -verbose and -certs options for more details.

I've taken care not to use a machine with both Java 6 and Java 7 installed, so it's not this issue.

I also don't believe it's algorithm-based, as described in this issue, since I can sign the project using either Java 6 or Java 7 and it always verifies in Java 6 and never verifies in Java 7, regardless of which environment I signed the jars with.

Here's the output of keytool -list:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Aug 11, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81
intermediate, Aug 11, 2013, trustedCertEntry,

I have to believe that this is a certificate chain issue because I am able to verify the jar using the following command on Java 7:

jarsigner -verify -keystore keystore com.example.eclipse-0.1.3-SNAPSHOT.jar

Obviously I can't have every user of my plugin using my keystore file, so that's not a solution. It does, however, reinforce that I have a cert chain issue in Java 7. Thoughts?
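The distinction the question turns on, "jar verified" versus "certificate chain is not validated", can be checked outside jarsigner. The following is an added example, not code from the question or any answer: it lets JarFile verify the signatures, then runs PKIX path validation of each signer's embedded chain against the JRE's default cacerts, which is the truststore jarsigner -verify consults when no -keystore is given. Assumed: the jar path comes as the first argument, cacerts uses its default password, and the class name JarChainCheck is made up for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;
// Added example, not code from the question or answer: tells "jar verified"
// (signatures check out) apart from "chain not validated" (no path to a cacerts root).
public class JarChainCheck {
    public static void main(String[] args) throws Exception {
        String jarPath = args[0]; // assumed: first argument is the signed jar to inspect
        Set<List<Certificate>> chains = new HashSet<>();
        try (JarFile jar = new JarFile(jarPath, true)) { // verify=true: signatures checked on read
            for (Enumeration<JarEntry> en = jar.entries(); en.hasMoreElements();) {
                JarEntry e = en.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) {
                    byte[] buf = new byte[8192];
                    while (in.read(buf) != -1) { } // entry must be fully read before getCertificates()
                }
                Certificate[] certs = e.getCertificates(); // null means the entry is unsigned
                if (certs != null) chains.add(Arrays.asList(certs));
            }
        }
        // The JRE's own truststore, which jarsigner -verify uses when no -keystore is given.
        KeyStore cacerts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(System.getProperty("java.home") + "/lib/security/cacerts")) {
            cacerts.load(in, "changeit".toCharArray()); // assumed: default cacerts password
        }
        PKIXParameters params = new PKIXParameters(cacerts);
        params.setRevocationEnabled(false); // keeps the check offline; enable for real deployments
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        for (List<Certificate> chain : chains) {
            // Chain as embedded in the signature block, signer first; a missing
            // intermediate here is a common reason no path to a trusted root can be built.
            List<Certificate> path = new ArrayList<>(chain);
            X509Certificate last = (X509Certificate) path.get(path.size() - 1);
            if (path.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal()))
                path.remove(path.size() - 1); // self-signed root belongs to the anchor set, not the path
            X509Certificate signer = (X509Certificate) path.get(0);
            System.out.println("signer " + signer.getSubjectX500Principal() + ", chain length " + chain.size());
            try {
                validator.validate(CertificateFactory.getInstance("X.509").generateCertPath(path), params);
                System.out.println("  chain validated against cacerts");
            } catch (CertPathValidatorException ex) {
                System.out.println("  chain NOT validated: " + ex.getMessage());
            }
        }
    }
}
```

A tampered entry makes JarFile throw a SecurityException during the read loop, which is the "jar verified" half failing; the PKIX step only reports on the trust half.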

Answer

J-Boss · Aug 24, 2013

The answer to your problem is that you are using SUN as your keystore provider. Java 6 was released prior to Oracle purchasing Sun, Java 7 was released after, and many of the Sun packages are now deprecated. You can verify this here.

Oracle has kept support for the deprecated SUN keystore provider but now requires that a warning be issued, the same as if you had used any deprecated feature.

There is a long detailed description written by Oracle on why you shouldn't use the SUN provider for security signing in the JCA Documentation on their website.

The only thing that will "fix" this is to change your keystore provider to an Oracle-acceptable one; you can find them in the same security documentation linked to above.

Hope that helps.