How do I Import a Certificate from GoDaddy for Java Code Signing?
Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must likewise follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow
Original URL: http://stackoverflow.com/questions/20896880/
Asked by user64141
I need to be able to sign jar files with a certificate from a CA.
I followed the instructions from GoDaddy's documentation on how to do this: http://support.godaddy.com/help/article/4780/signing-java-code
However, step 3 requires importing a cert file obtained from GoDaddy's web site. Per the documentation, the command is:
keytool -import -trustcacerts -keystore codesignstore -storepass <yourstorepwd> -alias codesigncert -file mycert.cer
Although I successfully submit the CSR (generated by keytool) and get a response, I can't for the life of me figure out how to get the mycert.cer file. There is an option to download a PEM file. But after running the above command, I get the error "keytool error: java.lang.Exception: Incomplete certificate chain in reply". I've tried this multiple times, and double-checked I'm using the proper keystore. I've even tried re-keying using both SSH-1 one time, and then SSH-2 the other time. According to this person (https://stackoverflow.com/questions/20793254/signing-a-jar-the-signers-certificate-chain-is-not-validated?rq=1), they were able to at least successfully import the PEM file. But I'm not sure if this is even the right approach.
GoDaddy's tech support has been absolutely dreadful. Most of the techs I've talked to aren't familiar with keytool at all, and it took me several tries calling them before they forwarded me to their SSL department (480-505-8852), which is at least marginally better than general support.
If I use Internet Explorer or Firefox, I believe I can automatically generate a CSR instead of creating one through keytool. Then I'd export the certificate through the web browser. From reading various other online documents, I believe I could then use openssl to convert to the proper format for keytool. I'm not sure on the details of how this will work yet, but I don't see any other options.
Has anyone been successful with this or have any pointers on how to proceed? I found a similar question here (Signing a java applet with an spc file from GoDaddy), but the answer simply points me to GoDaddy's poor documentation. I would use another CA if I could, but I've already paid the money and gone through the long, drawn-out verification process.
Accepted answer by Rich Ehmer
The workaround is to contact GoDaddy and have them reissue your organization's certificate. During the certificate setup process, you must select a SHA-1 codesign certificate instead of SHA-2. The option to select SHA-1 will only be available if your certificate validity does not extend to 2016 (see below), so make sure they understand your end goal is to recreate your SHA-2 certificate as SHA-1, so they know to sell you a cert with the correct validity period.
I traded my SHA-2 cert for a SHA-1 today, and GoDaddy's Java Code Signing instructions worked perfectly.
GoDaddy informed me Keytool may have trouble importing a certificate response chain generated from their SHA-2 (2048 length) codesign certificate. I withhold judgment of Keytool since it imports SHA-2 certs fine when GoDaddy's root SHA1 cert is lopped from the pem file per @mogsie's answer.
GoDaddy goes with SHA-2 automatically when it grants codesign certificates that will extend into 2017 because Microsoft will not accept less than SHA-2 beginning January 1, 2016, so if you're in the market for a SHA-1 certificate, it will have short-term validity.
The issue might go away with a Java Keytool update (I was working with 1.6), or if GoDaddy's Sha256withRSA self-signed certificate becomes widely trusted.
Answer by Leptonator
keytool -import -trustcacerts -keystore codesignstore -storepass <yourstorepwd> -alias codesigncert -file mycert.cer
First thing, you MUST HAVE the mycert.cer file. Otherwise, you do not have the ability to import the cert.
Get a "lay of the land": what is in the current keystore file? We want to list (or show) what is in the keystore.
keytool -list -v -keystore codesignstore
If it prompts you for the password, you can just press the ENTER key and it will bark about it not being trusted, but for expediency, it is fine.
If you want to "pump" the results into a text file:
echo.|keytool -list -v -keystore codesignstore > kstore_result.txt
Note: the echo. does the same as what I previously mentioned about "pressing ENTER", so don't become too attached to that. :)
keytool -genkey -alias codesigncert -keyalg RSA -validity 1825 -keysize 2048 -keypass <yourstorepwd> -keystore codesignstore -storepass <yourstorepwd>
Other options:
-genkey = generate a key
-keyalg RSA = use RSA's key algorithm
-validity 1825 = how long is the key good for? Primarily used with self-signed certs as the certs from verisign or Thawte have their own expiration
-keysize 2048 = Is this 1024 or 2048-bit encryption?
-keypass <yourstorepwd>
-keystore codesignstore
-storepass <yourstorepwd>
One thing you have to be very careful of here, and Support will not tell you about this: if you try to import other certs alongside the existing ones, you need to be careful you don't botch the whole thing. :)
If you do have a problem, of course, you can delete the alias and import again:
keytool -delete -alias codesigncert -storepass <yourstorepwd> -keystore codesignstore
One of the things that I like to do is to "stack" the command to be sure that I work down through the list.
For example, you have this from GoDaddy:
keytool -import -trustcacerts -keystore codesignstore -storepass <yourstorepwd> -alias codesigncert -file mycert.cer
Then, I take each command and set it up like the following to "walk" down the list:
keytool
-import
-trustcacerts
-keystore codesignstore
-storepass <yourstorepwd>
-alias codesigncert
-file mycert.cer
Then, looking at this list, does my version of keytool support each of these? You have -import as the first.
I just ran keytool -help and I don't see -import, but I do see -importcert.
There may be an issue there?
Oracle shows us: http://docs.oracle.com/javase/6/docs/technotes/tools/windows/keytool.html
So, you may have to make some adjustments.
Here is one that I set up on one of our local Apache Tomcat servers (Windows):
%JAVA_HOME%\bin\keytool -delete -alias tomcat -storepass somepass -keystore %JAVA_HOME%\bin\.keystore
And then:
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA -validity 1825 -keysize 2048 -keypass somepass -keystore %JAVA_HOME%\bin\.keystore -storepass somepass
What is your first and last name?
[Unknown]: secure.someserver.com
What is the name of your organizational unit?
[Unknown]: COMPANY
What is the name of your organization?
[Unknown]: COMPANY
What is the name of your City or Locality?
[Unknown]: ANYTOWN
What is the name of your State or Province?
[Unknown]: MI
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=secure.someserver.com, OU=COMPANY, O=COMPANY, L=ANYTOWN, ST=MI, C=US correct?
[no]: yes
Note: When you run this, you will not see if it is successful or not.
Let's start here and see what the results are.
Answer by mogsie
I found that of the four certificates you get from the GoDaddy PEM download, the first one is the self-signed root certificate.
To see the chain (on unix):
keytool -printcert -file response-from-godaddy.pem | grep -C1 ^Owner
The response shows the four certificates that make up the chain, all the way to the root.
Certificate[1]:
Owner: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
--
Certificate[2]:
Owner: CN=Go Daddy Root Certificate Authority - G2, OU=https://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
--
Certificate[3]:
Owner: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
--
Certificate[4]:
Owner: CN=REDACTED
Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Apparently the first one is already in the Java standard cacerts as the trusted root certificate. The fact that it is in the .pem file trips keytool up.
I struggled with the same problem rekeying a few times, and I got lucky:
- Open up the PEM file.
- Delete the first block of ----BEGIN to ----END.
- Run your keytool -import on the file containing the remaining three certificates.
Presto!
keytool -importcert -v -trustcacerts -keystore XXX -alias codesigning -file 234.pem
Result:
Certificate reply was installed in keystore
[Storing XXX]
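An added helper (my own code, not mogsie's or GoDaddy's) that generalises the step above: rather than always deleting the first block, it reads the saved output of keytool -printcert alongside the PEM reply, drops every block whose Owner equals its Issuer (the self-signed root keytool already trusts from cacerts), and cross-checks that the PEM block count matches the printcert listing so a block is never dropped by a wrong index. The embedded listing is reconstructed from the answer's output above; the PEM bodies are constructed placeholders, and the file names in the usage comment are assumptions.

```python
import re
import sys

# Constructed sample: the Owner/Issuer lines from the keytool -printcert output
# shown in the answer above (the leaf CN is the answer's REDACTED placeholder).
SAMPLE_PRINTCERT = """\
Certificate[1]:
Owner: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
--
Certificate[2]:
Owner: CN=Go Daddy Root Certificate Authority - G2, OU=https://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
--
Certificate[3]:
Owner: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
--
Certificate[4]:
Owner: CN=REDACTED
Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
"""

# Constructed sample PEM file: four dummy blocks in the same order as the
# listing above. The bodies are placeholders, not real certificate data.
SAMPLE_PEM = "".join(
    "-----BEGIN CERTIFICATE-----\nDUMMY%d\n-----END CERTIFICATE-----\n" % i
    for i in range(1, 5)
)

# One PEM certificate block, including its trailing newline if present.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----\r?\n?",
    re.DOTALL,
)


def parse_printcert(text):
    """Return [(owner, issuer), ...] in the order keytool -printcert lists them,
    which is the order of the blocks in the PEM file it was run against."""
    certs, owner = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Owner:"):
            owner = line[len("Owner:"):].strip()
        elif line.startswith("Issuer:") and owner is not None:
            certs.append((owner, line[len("Issuer:"):].strip()))
            owner = None
    return certs


def self_signed_indexes(certs):
    """0-based indexes whose Owner equals Issuer: the self-signed roots that
    keytool already trusts from cacerts and rejects when they appear in the reply."""
    return [i for i, (owner, issuer) in enumerate(certs) if owner == issuer]


def strip_blocks(pem_text, drop):
    """Return the PEM text with the blocks at the given 0-based indexes removed."""
    blocks = PEM_BLOCK.findall(pem_text)
    return "".join(b for i, b in enumerate(blocks) if i not in set(drop))


def prepare_reply(pem_text, printcert_text):
    """Cross-check both listings and return (pem_to_import, dropped_indexes)."""
    certs = parse_printcert(printcert_text)
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != len(certs):
        raise ValueError("PEM has %d blocks but printcert listed %d certificates"
                         % (len(blocks), len(certs)))
    drop = self_signed_indexes(certs)
    if len(drop) == len(blocks):
        raise ValueError("every block is self-signed; nothing left to import")
    return strip_blocks(pem_text, drop), drop


if __name__ == "__main__":
    # Assumed usage: python strip_root.py reply.pem printcert.txt > reply-noroot.pem
    # where printcert.txt was saved from: keytool -printcert -file reply.pem
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            pem_text = f.read()
        with open(sys.argv[2]) as f:
            printcert_text = f.read()
    else:
        pem_text, printcert_text = SAMPLE_PEM, SAMPLE_PRINTCERT
    kept, dropped = prepare_reply(pem_text, printcert_text)
    sys.stderr.write("dropped block(s): %s\n" % [i + 1 for i in dropped])
    sys.stdout.write(kept)
```

Feed the written file to keytool -importcert exactly as in the command above; on the answer's data this drops block 1 and keeps the three that chain up to the cross-signed G2 root.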
Answer by user64141
@Waterbear Thanks so much for your solution about getting an SHA-1 certificate instead of SHA-2. This was definitely the problem I was having. (I would have posted this underneath your comment, but StackOverflow said it was way too long.) I had gotten a 3-year certificate, and by default GoDaddy gives an SHA-2 for certificates expiring after a certain date. However, even when I re-keyed and asked for an SHA-1, I still ended up with an SHA-2. I had to revoke my certificate and then start the process from scratch to get an SHA-1 certificate. (By starting from scratch, I mean GoDaddy must again verify your company and phone number and all that.) By the way, if you do revoke your certificate, make sure you ask GoDaddy for permission first because technically they don't have to give you a refund. In addition, I wasn't able to get a 3-year certificate because anything that expires after a certain date (2016?) must be SHA-2 and not SHA-1. I basically had to get a refund for my 3-year certificate and instead get a 1-year certificate to even have the SHA-1 option. But after going with SHA-1, GoDaddy's instructions in approach #1 worked fine. I would recommend generating your CSR manually using the keytool command (instead of automatically through a web browser). Later, you just download the PEM file and import it into the keystore using the keytool command. (This is what GoDaddy describes in "approach 1" in the link posted in the question.)
Lastly if you do have to have a certificate reissued, and go through this process again, I would highly recommend choosing another company besides GoDaddy for code-signing. Their tech support was absolutely horrendous. Their support techs even admitted to me they weren't trained in this. The hours spent on this issue greatly offset any money saved on the cert.
Answer by idlegravity
The answer, as mentioned by Waterbear, is to have your GoDaddy cert reissued or rekeyed by GoDaddy using SHA-1. The reason is that GoDaddy has two CA servers: Class 2 CA, which is used for signing SHA-1 certificates, and G2 CA, which is used for signing SHA-2 certificates. While the older Class 2 CA is trusted by the Java Truststore (and thus SHA-1 certificates are trusted), the newer G2 CA is not, so its SHA-2 certificates are not trusted unless you manually install its root certificate (which defeats the purpose of buying a cert in the first place). Hopefully GoDaddy's G2 CA becomes trusted by the Java Truststore soon (before 2016!), but until that happens a GoDaddy SHA-2 cert is no better than a self-signed cert.
Answer by Howard
Here's what I did:
keytool -v -genkey -dname "CN=XXX, OU=YYY, O=ZZZ, L=CCC, ST=SSS, C=US" -alias myKey -keypass abc123 -keystore myKeystore -storepass abc123 -validity 1096 -keyalg RSA -keysize 2048 -sigalg SHA1withRSA
keytool -certreq -keyalg RSA -keysize 2048 -sigalg SHA1withRSA -v -alias myKey -file mycsr.pem -keystore myKeystore -storepass abc123
Submit request (mycsr.pem) to GoDaddy, download PEM file (1b27b7d7a29a06.pem in this case).
The downloaded PEM file contains my signed certificate along with others in the certificate chain. I found keytool would not accept the PEM file as downloaded. I had to remove my certificate from the downloaded certificate. I did this via Key Store Explorer (http://keystore-explorer.sourceforge.net/). Use the "Examine a Certificate" option, open the PEM file received from GoDaddy (1b27b7d7a29a06.pem), click on your certificate (not one of the others from GoDaddy), click on "PEM", click on "Export". I named this certificate 1b27b7d7a29a06-mycert.pem.
Download the root (gdroot-g2.crt) and intermediate (gdig2.crt) certificates from GoDaddy (https://certs.godaddy.com/anonymous/repository.pki).
Note that one must use the GoDaddy G2 root and intermediate certificates.
Next install these certificates in this order:
keytool -v -importcert -trustcacerts -keystore myKeystore -storepass abc123 -file gdroot-g2.crt -alias gdroot-g2
keytool -v -importcert -trustcacerts -keystore myKeystore -storepass abc123 -file gdig2.crt -alias gdig2
keytool -v -importcert -keystore myKeystore -storepass abc123 -alias myKey -file 1b27b7d7a29a06-mycert.pem
Now you can sign your app:
jarsigner -keystore myKeystore -storepass abc123 -sigalg SHA1withRSA -digestalg SHA-1 time.jar mykey
Answer by Ateraan
I have to say, this whole Java signing bs seems to be a singular method for Java not to die off in favor of better code options. In reality I think it is killing Java. I would rather use any other method of coding (php/flash/etc) than ever use Java again. Way to go Oracle!
Answer by user3498059
I had the certificate error (CA not trusted) using the Chrome/FF Java plugin to deploy an application from my webserver (so not a Java applet). The problem was solved for me when adding other GoDaddy (intermediate) CA certs to my web server. I created a ticket with GoDaddy and they responded (quite rapidly):
Dear Sir or Madam,
Thank you for contacting secure certificate support. You will need to use the intermediate certificate bundle with the cross certificate and the G1 root certificate. This will resolve this issue. You can obtain the certificates listed below at https://certs.godaddy.com/repository.
Intermediate certificate bundle - gdig2_bundle.crt
Root certificate - gd-class2-root.crt
Answer by Don Thaler
Since I enjoyed (not) the process of creating a codesigning certificate so much, I thought I would share the process I went through, and hopefully when you need to generate your own, this will save you some of the heartache and pain.
I used GoDaddy, but I have to believe that whoever the CA is, the steps should be very similar.
These are the steps I went through:
(note that godaddy does not create a codesigning certificate in jks format and there is an extra step involved to convert the keystore to jks)
Create keystore:
keytool -genkey -alias codesigncert -keypass yourpassword -keyalg RSA -keysize 2048 -dname "cn=server1.lccc.edu, OU=College Name, O=College Name, L=Schnecksville, ST=Pennsylvania, C=US" -keystore /home/oracle/codesignstore/codesignstore -storepass yourpassword -validity 720
(storepass and keypass can be the same)
Generate the CSR for GoDaddy:
keytool -certreq -v -alias codesigncert -file /home/oracle/codesignstore/codesignstore.pem -keystore /home/oracle/codesignstore/codesignstore
Using an editor, open codesignstore.pem and paste it into the GoDaddy site.
When GoDaddy verifies the account and you pay your money, the 'pending' status will go away.
Go to your GoDaddy account (https://mya.godaddy.com/).
Click on myaccount at the top of the page (in the black header).
Click on Manage SSL Certificates.
Select the codesigning certificate listed.
Click on the Launch button.
Download the file as a PEM file.
Save it on your local PC.
Open Firefox; in the Advanced section select View Certificates, and the certificate should be listed on the managed views.
Highlight the certificate, select Backup (export), and save it as a pkcs12 file.
Click on View Certificates; at the top of the screen next to Certificate Viewer is the alias in double quotes. Write this down; it will be the alias to be used on the jarsigner command below.
Copy the file to the server where the codesigning certificate is going to be used (e.g. server1 /home/oracle/code_sign_cert_from_godaddy/godaddy_pkcs12.p12). * This is the new keystore.
Since the keystore has to be of type jks, and GoDaddy doesn't create a jks file, it has to be converted to jks format.
Convert pkcs12 to jks:
keytool -importkeystore -srckeystore /home/oracle/code_sign_cert_from_godaddy/godaddy_pkcs12.p12 -srcstoretype pkcs12 -destkeystore /home/oracle/code_sign_cert_from_godaddy/godaddy_jks.jks -deststoretype jks
Jar file processing:
Unsign jacob.jar: I copied the jacob.jar file to a test directory /test_jacob and renamed it jacob1.jar (note 760815.1).
jar xf jacob1.jar
This extracts into "com" and "META-INF" folders; remove the "META-INF" folder.
Remove the old jacob1.jar.
Recreate the jacob1.jar from the /test_jacob directory:
jar -cvf jacob1.jar *
Run jarsigner -verify jacob1.jar; it should show unsigned.
Create a text file called mymanifest.txt:
Permissions: all-permissions
Codebase: *
Application-Name: OracleForms
jar -ufm jacob1.jar mymanifest.txt (this puts the new manifest info into the jar file).
You can open jacob1.jar with unzip jacob1.jar -d <directory where the unzipped files will reside> to verify that the mymanifest.txt file is now part of the jar file.
Sign the jar file:
jarsigner -keystore /home/oracle/code_sign_cert_from_godaddy/godaddy_jks.jks -storepass yourpassword -signedjar /home/oracle/Oracle/Middleware/Oracle_FRHome1/forms/java/test_jacob/Signedjacob1.jar jacob1.jar "lehigh carbon community college's godaddy.com, inc. id"
(this alias came from the Firefox process above)
The -signedjar file option was required; without it I was getting errors.
Note the alias is always the last entry on the jarsigner command, and there is no -alias option as there was on the keytool command.
Verify the jar file is signed:
jarsigner -verify Signedjacob1.jar will display:
jar verified.
Show what's in the jar file:
jar -tvf Signedjacob1.jar
The .SF file is inside the .jar file; the .DSA file is replaced by the .RSA file, which is also inside the .jar file.
From the output of jar -tvf Signedjacob1.jar:
2721 Mon May 05 15:57:08 EDT 2014 META-INF/LEHIGH_C.SF
4231 Mon May 05 15:57:08 EDT 2014 META-INF/LEHIGH_C.RSA
I copied the Signedjacob1.jar file to the $ORACLE_HOME/forms/java directory and then, after logging in to the WebLogic Enterprise Manager, I changed the webutilarchive parameter from Jacob.jar to Signedjacob1.jar for each instance
(em >> forms >> web configuration >> instance name >> all; the first entry should be the archive parameter).
When changing the jacob.jar to the Signedjacob1.jar, I did it for each of my test instances before I did it for production, just in case.
Stop and start wls_forms and you should be good to go.
Answer by jpereira
Importing the GoDaddy bundle solves the problem:
export JAVA_HOME=/usr/lib/jvm/java-8-oracle/
wget https://certs.godaddy.com/repository/gd_bundle-g2.crt
$JAVA_HOME/bin/keytool -import -alias root -file ./gd_bundle-g2.crt -storepass changeit -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts