为什么 Java Web Start 说签名的 jar 文件是未签名的?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3504705/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Why does Java Web Start say a signed jar file is unsigned?
提问by Steve Emmerson
Java Web Start (JWS) says that it can't launch my application because the jar file is unsigned:
Java Web Start (JWS) 说它无法启动我的应用程序,因为 jar 文件未签名:
Error: Unsigned application requesting unrestricted access to system
Unsigned resource: .../dynaccn.jar
But the jar file issigned:
但 jar 文件已签名:
$ jarsigner -keystore ... dynaccn.jar idv
$ jar tf dynaccn.jar
META-INF/MANIFEST.MF
META-INF/IDV.SF
META-INF/IDV.RSA
META-INF/
edu/
edu/ucar/
edu/ucar/unidata/
edu/ucar/unidata/dynaccn/
App.class
...
$ jarsigner -verbose -certs -verify dynaccn.jar
28325 Tue Aug 17 09:41:58 MDT 2010 META-INF/MANIFEST.MF
28404 Tue Aug 17 09:41:58 MDT 2010 META-INF/IDV.SF
2880 Tue Aug 17 09:41:58 MDT 2010 META-INF/IDV.RSA
0 Tue Aug 17 09:41:58 MDT 2010 META-INF/
0 Mon Aug 16 10:10:34 MDT 2010 edu/
0 Mon Aug 16 10:10:34 MDT 2010 edu/ucar/
0 Mon Aug 16 10:10:34 MDT 2010 edu/ucar/unidata/
0 Mon Aug 16 10:10:34 MDT 2010 edu/ucar/unidata/dynaccn/
...
sm 486 Mon Aug 16 10:10:34 MDT 2010 App.class
X.509, CN=University Corporation for Atmospheric Research, OU=UNIDATA, O=University Corporation for Atmospheric Research, L=Boulder, ST=Colorado, C=US
[certificate will expire on 2/6/11 4:59 PM]
X.509, CN=Thawte Code Signing CA, O=Thawte Consulting (Pty) Ltd., C=ZA
[certificate is valid from 8/5/03 6:00 PM to 8/5/13 5:59 PM]
[KeyUsage extension does not support code signing]
X.509, [email protected], CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
[certificate is valid from 7/31/96 6:00 PM to 12/31/20 4:59 PM]
[CertPath not validated: null]
...
jar verified.
Warning:
This jar contains entries whose signer certificate's KeyUsage extension doesn't allow code signing.
This jar contains entries whose signer certificate will expire within six months.
This jar contains entries whose certificate chain is not validated.
This jar contains signed entries that's not signed by alias in this keystore.
and both JWS and my browser have a certificate for "Thawte Premium Server CA".
并且 JWS 和我的浏览器都有“Thawte Premium Server CA”的证书。
The problem occurs even if the JWS cache and the browser download area are empty.
即使JWS缓存和浏览器下载区域为空,也会出现问题。
I don't believe the "KeyUsage" message is relevant because 1) the same certificate chain is used for another application that does launch successfully; and 2) documentation I've read indicates that the Thawte Code Signing CA is only used to verify the UNIDATA certificate and not to sign code.
我不相信“KeyUsage”消息是相关的,因为 1) 相同的证书链用于另一个成功启动的应用程序;和 2) 我读过的文档表明 Thawte 代码签名 CA 仅用于验证 UNIDATA 证书,而不用于签名代码。
My environment is Linux 2.6.27.41-170.2.117.fc10.x86_64, Firefox 3.6.8 (i686), and Java 1.7.0-ea.
我的环境是 Linux 2.6.27.41-170.2.117.fc10.x86_64、Firefox 3.6.8 (i686) 和 Java 1.7.0-ea。
Why won't this application launch?
为什么这个应用程序不会启动?
UPDATE: I've discovered that the application launches if the "codebase" attribute in the JNLP file references a local directory but not if it references a URL that lies behind user authentication. In the latter case, javaws(1) interprets the authentication webpage as a JNLP file (with obvious results) if invoked from the command-line. If invoked by the "deployJava" script from a user-authenticating webpage (so that the browser has a session cookie), then javaws(1) says that the application isn't signed. I find both of these failure modes odd as the javaws(1) documentation says that it understands user authenticating web pages and the jar file is signed.
更新:我发现如果 JNLP 文件中的“codebase”属性引用本地目录,则应用程序会启动,但如果它引用位于用户身份验证后面的 URL,则不会启动。在后一种情况下,如果从命令行调用,javaws(1) 会将身份验证网页解释为 JNLP 文件(具有明显的结果)。如果由“deployJava”脚本从用户身份验证网页调用(以便浏览器具有会话 cookie),则 javaws(1) 表示应用程序未签名。我发现这两种故障模式都很奇怪,因为 javaws(1) 文档说它理解用户身份验证网页并且 jar 文件已签名。
采纳答案by Radtoo
I'm on Gentoo Linux, running OpenJDK 7, and I think I experienced the same problem.
我在 Gentoo Linux 上运行 OpenJDK 7,我想我遇到了同样的问题。
I could not get it to work with OpenJDK 7. Only re-signing with a release of the Sun Java 6 JDK ultimately signed the application correctly. (I also re-built it all due to it being managed by ant, I don't know if that is necessary, though).
我无法让它与 OpenJDK 7 一起使用。只有使用 Sun Java 6 JDK 的发行版重新签名才能最终正确地对应用程序进行签名。(我也重新构建了它,因为它是由 ant 管理的,但我不知道是否有必要)。
Merely switching to the official JDK 6 without rebuilding only makes the "[CertPath not validated: null]" warning when varifying with "jarsigner -verify -verbose -certs" disappear, but does not appear to work in the application I ultimately use.
仅切换到官方 JDK 6 而不重建只会在使用“jarsigner -verify -verbose -certs”进行修改时出现“[CertPath not validate: null]”警告,但在我最终使用的应用程序中似乎不起作用。
回答by Bozho
- make sure you are not using a cached (unsigned) version of the jar. Clean the temp folder where JWS downloads jars
- make sure that all dependencies (jars) of your jar, that require special permissions, are also signed
- 确保您没有使用缓存(未签名)版本的 jar。清理JWS 下载 jar的临时文件夹
- 确保需要特殊权限的 jar 的所有依赖项(jar)也都已签名
回答by Nikola Yovchev
Make sure you wrap your calls in the applet with a doPrivileged block. I am unsure why it works like this but seems to work like a charm.
确保使用 doPrivileged 块将您的调用包装在小程序中。我不确定为什么它会这样工作,但似乎很有魅力。
