当我从命令行启动 Java 应用程序时,我可以防止数字签名警告吗?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3750274/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Can I prevent digital signature warning when I start a java application from command line?
提问by sorin
Is there any way to prevent the "The application's digital signature cannot be verified" warning message from appearing when you run a Java application from the command line?
当您从命令行运行 Java 应用程序时,有什么方法可以防止出现“无法验证应用程序的数字签名”警告消息?
I'm looking for a command line solutionthat would allow to start an application like this on a continuous integration server, so I need a solution that would not require manual intervention.
我正在寻找一个命令行解决方案,它允许在持续集成服务器上启动这样的应用程序,所以我需要一个不需要手动干预的解决方案。
Also, I would prefer not to disable this warning for anyapplication because this could be a security risk.
此外,我不希望对任何应用程序禁用此警告,因为这可能存在安全风险。
Not sure if helps but I do know the values of "name", "publisher" and "from" fields of the signature.
不确定是否有帮助,但我知道签名的“名称”、“发布者”和“来自”字段的值。
Just be sure, I'm not asking about how to sign this application.
请确定,我不是在问如何签署此应用程序。
update 1
更新 1
I suppose that the solution is to use keytoolto import the certificate from the command line but for some reason it does fail to import it properly because it does not appear in control panel applet after this and the application still requires it.
我想解决方案是用于keytool从命令行导入证书,但由于某种原因,它确实无法正确导入,因为此后它没有出现在控制面板小程序中,并且应用程序仍然需要它。
keytool -importcert -file my.cer -alias alf2 -storepass changeme -noprompt
keytool -importcert -file my.cer -alias alf2 -storepass changeme -noprompt
Is it something related to the the default keystore, how can I assure I'm importing into the right keystore?
是否与默认值有关keystore,我如何确保导入正确的密钥库?
update 2
更新 2
After lot of research on the net I made some progress, worked at least on Windows 7with Java 6: keytool -importcert -file my.cer -keystore "%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs" -storepass "" -noprompt -v
很多在网络上我的研究取得了一定进展后,曾至少在Windows 7与Java 6:keytool -importcert -file my.cer -keystore "%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\security\trusted.certs" -storepass "" -noprompt -v
I looks that Sun failed to specify in the documentation the real location of the default keystore and the fact that the default password is blank.
我看起来 Sun 未能在文档中指定默认密钥库的真实位置以及默认密码为空的事实。
But this is not the end, because when this run on the automation user account it failed, it failed because this user did not had an keystore yet and because the command line tool keytoolis not able to create a keystore with an empty password, requesting at least 6 characters. see Sun's forum tread...
但这还不是结束,因为当在自动化用户帐户上运行它失败时,它失败了,因为该用户还没有密钥库,并且命令行工具keytool无法使用空密码创建密钥库,请求在至少 6 个字符。看到Sun的论坛踩...
回答by Stephen C
There are two approaches:
有两种方法:
Get the supplier of the software to reissue it with a proper signature. The "More Information" link should tell you whythe signature cannot be verified, but the most likely causes are that the signature was created using a self-signed CA certificate, or a certificate that has since expired. (If the supplier won't help, you may be able to resign the JAR file with your own certificate.)
Add the relevant signing certificate to the JVM's certificate store as a "trusted certificate". Unfortunately, you'll need to do this for every JVM on every machine that needs to run the application.
让软件的供应商重新发行带有正确签名的软件。“更多信息”链接应该会告诉您为什么无法验证签名,但最可能的原因是签名是使用自签名 CA 证书或已过期的证书创建的。(如果供应商不提供帮助,您可以使用自己的证书重新签署 JAR 文件。)
将相关签名证书作为“可信证书”添加到 JVM 的证书存储中。不幸的是,您需要为需要运行应用程序的每台机器上的每个 JVM 执行此操作。
回答by Johnbabu Koppolu
It would be a serious compromise on user security/privacy if unsigned applications are allowed to run without user's consent.
如果未经用户同意就允许运行未签名的应用程序,这将严重损害用户安全/隐私。
The answer is 'NO', unless you get your app signed or the user manually adds the publisher to the 'trusted' lists.
答案是“否”,除非您对应用进行签名或用户手动将发布者添加到“受信任”列表中。
More here
更多在这里
回答by PTT
trusted.certs file is user (profile) based. Using keytool it is also possible to add trusted root CA to "cacert" file, where are default trusted CA for java stored. cacert file location on XP (depends on Java version): C:\Program Files\Java\jre6\lib\security
trust.certs 文件基于用户(配置文件)。使用 keytool 还可以将受信任的根 CA 添加到“cacert”文件中,其中存储了 java 的默认受信任 CA。XP 上的 cacert 文件位置(取决于 Java 版本):C:\Program Files\Java\jre6\lib\security
More details here:
更多细节在这里:
default password is: changeit
默认密码为:changeit
回答by Niekam
I think you should create file for example mypolicy.policy in java.home/lib/security with grant all permisions to code signed by you and add this file to java.security (ex. under line where is java.policy path) this warning window will never prompt again
我认为您应该在 java.home/lib/security 中创建文件,例如 mypolicy.policy 并授予您签名的代码的所有权限,并将此文件添加到 java.security(例如,在 java.policy 路径所在的行下)此警告窗口永远不会再次提示
回答by Giors
Don't know whether it is still actually Windows XP keytool asks for password if cert store actally not exist, so you should create manually or copy store from somewhere before importing certificates. User store was without password.
如果证书存储实际上不存在,不知道它是否仍然是 Windows XP keytool 要求输入密码,因此您应该在导入证书之前手动创建或从某处复制存储。用户存储没有密码。
