Jar signing returns "jar is unsigned"

Similar Messages

• Issue while signing a jar using RSA certificate

  Hi,
  I am trying to sign a java applet using trusted certificate with the help of Java keytool and jarsigner of JRE1.6. For this I have followed the following steps:
  1.Generated key pair in a keystore - keytool -genkeypair -keyalg RSA -alias eaikey -keystore eaikeystore  -validity 3650 -keysize 2048
  2.Generated CSR using command keytool -certreq -alias eaikey -file eaicert.csr -keystore eaikeystore and send the .csr file to the CA
  3.CA has returned the certificate reply (.cer file)that contained a root certificate
  4.When I tried to import the certificate using command keytool -import -file eaicert.cer -alias eaicertkey  -keystore eaikeystore to keystore, initially it gave me error as Input not an X.509 certificate.So I opened the .cer file in my text editor and removed the texts before the Begin And End Certificate.Then it got imported correctly by running the
  5.When I tried to sign the jar using command  jarsigner application.jar eaicertkey  -keystore eaikeystore
  it gave the exception as jarsigner: Certificate chain not found for: eaicertkey.  eaicertkey must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
  Please help me with the step I am missing here.I doubt I am doing something wrong in the import step.
  Thanks in advance.

  you can mail me directly to [email protected], and I'll try to help.
  no guarenty :-)
  Tal
  [email protected]

• Jar Signing // Missing Digest entries

  I have a signed jar's manifest file which does not contain all of the classes ( digest entries) archived in the jar. Shouldn't this be one to one -jar classes to digest entries? Is there a reason why some classes are omitted, whereby others are included? I receive a NoClassDefFoundError when the applet loads when attempting to run a static method from a class which does not have a digest entry. The class throwing the exception is in the same jar as the applet, yet in a different package. Version: 1.6.0_15.
  Edited by: rapunzel on Feb 20, 2010 4:46 AM

  I just tried again, here my result, so you can see if something is wrong or missing:
  1 - C:\Sun\SDK\jdk\bin>keytool -genkey -v -keyalg dsa -alias MYALIAS -keypass mypass -keystore MYKEYSTORE -storepass mykeystorepass
  What is your first and last name?
  [Unknown]: MYNAME
  What is the name of your organizational unit?
  [Unknown]: SCCM
  What is the name of your organization?
  [Unknown]: MYCOMPANY
  What is the name of your City or Locality?
  [Unknown]: LISBON
  What is the name of your State or Province?
  [Unknown]: LISBON
  What is the two-letter country code for this unit?
  [Unknown]: LX
  Is CN=NOESIS, OU=SCCM, O=NOESIS, L=LISBON, ST=LISBON, C=LX correct?
  [no]: YES
  Generating 1.024 bit DSA key pair and self-signed certificate (SHA1withDSA) with
  a validity of 90 days
  for: CN=NOESIS, OU=SCCM, O=NOESIS, L=LISBON, ST=LISBON, C=LX
  [Storing MYKEYSTORE]
  2 - C:\Sun\SDK\jdk\bin>jarsigner -keystore MYKEYSTORE -storepass mykeystorepass -key pass mypass GID.jar MYALIAS
  Warning:
  The signer certificate will expire within six months.
  3 - C:\Sun\SDK\jdk\bin>jarsigner -verify GID.jar
  jar is unsigned. (signatures missing or not parsable)
  So, as you can see, this really is not working for me :s
  I've tried different approaches, an none worked, why can't i sign a .jar file??..this is really weird, i thought creating an applet to access and manipulate a database wouldn't be so dificult..
  I guess i was wrong..

• Resources could not be signed: sapj2eeclient.jar

  I have a XI3.0 system on SP13. As usual after applying support packages my sapj2eeclient.jar disapears. I copy it to the relevant directory and repository directories, redeploy SAPJ2EECLIENT.SDA and choose "Re-initialization and force signing" from the Java web start administration. This has worked on our other systems. Bot not anymore! If I try to start Integration builder I get this error message: "Unsigned application requesting unrestricted access to system"
  And when I check the initialization status I get this error: "Resources could not be signed:
  sapj2eeclient.jar"
  The <sid>adm user has access to the sapj2eeclient.jar file.
  Help!

  Hi,
  There is a possibility to resign the client.
  Go to the URL http://XIMACHINE:50x00/rep/start/index.htm and click on the administration link.
  Then you will see 3 tabs on the left part of the screen:
  repository
  directory
  runtime workbench.
  For both the repository and the directory you need to go to the link for "java webstart adminstration".
  In the java webstart administration screen there is a possibilty to re-initialize and resign the client.
  Best regards,
  Alwin

• Simplest way to sign a JAR?

  I made an applet using Eclipse that pulls information from a website while running. Apparently this needs to be signed before it works online -- what is the quickest, easiest way to sign it?
  I'm one of the few people who are going to be using this applet, and I have basically no knowledge about JARs. I read the tutorial here but it didn't help me at all, as I don't have a "keystore" on my computer and I don't even know where to type any of that ("that" being jarsigner -keystore mykeys -storepass abc123 -keypass mypass app.jar johndoe).
  I tried to run the unsigned JAR using Firefox (+<applet code="MU.class" archive="MU.jar" width=300 height=400>+). The applet didn't even initiate, it simply turned into a white box saying Error. Click for details -- clicking it brought up a Java Console starting with this line: java.security.AccessControlException: access denied (java.net.SocketPermission www.forsaken-mu.com:80 connect,resolve).

  coopkev2 wrote:
  ejp wrote:
  I don't have a "keystore" on my computerSee the Javadoc for the 'keytool' tool.The link for the "Keytool reference page for Windows" here redirects here which is of no use to me that I can see. Did I click the wrong link, or is it just out of date?Those are pointing to the 1.2 JavaDocs. I have always wished Sun would establish an URL for the current API and tool documentation. As the new JRE major versions are released for public use, the docs should change accordingly.
  Try instead [http://java.sun.com/javase/6/docs/technotes/tools/windows/keytool.html].
  Out of curiosity. How did you get that URL?
  As to your more general question of "Simplest way to sign a JAR?". I would answer that "Load a project (that signs code) with a build.xml into your IDE and call the main task."
  But there are some caveats to that advice.
  1) There are very few people on these forums willing to help with IDEs, so it is up to you to figure out how to import/build the ant based project, or take it to a forum for the IDE.
  2) Understanding what the build file is doing, depends on understanding the underlying tools it calls. Most of those tools come directly from the JDK.
  Having said that, I do have some open source projects that digitally sign code. For example the [demo. of the JNLP API file service|http://pscode.org/jws/api.html#fs] with the source files available in [http://pscode.org/jws/filetest.zip]. Maybe you can get a head start by looking that over (and building it, and changing it etc.).

• Webstart : sign a jar file

  I have a desktop app that has to access local data files as well as network database server. At the moment, I have a executable jar file now when I try to run it with Webstart it complains about unsigned jar file asking for full access on a file. what do i need to sign a jar file. the jar file as is will work when someone double clicks the file icon but if the computer is not set up for java to open jar files, most likely if you have winzip , it will open the jar file. So other than the sdk what else do i need
  Thanks in advance

  thanks that was helpfull , but, I found a page on the suns web page which i found using another serch engine . I couldnt find it by searching this website.
  I apprectiat you taking the time, thanks

• JCE KeyGenerator issue (or JAR signing)

  I have a function add a JCE provider for an AES algorithm, but the JCE fails every time I attempt to launch it.
  Provider jceProvider = new com.x.jce.provider.JCEProvider;
  Security.addProvider (jceProvider);
  Provider [] currentProviders = Security.getProviders();
  // ... code to print the array removed
  SecureRandom rand = SecureRandom.getInstance("SHA1PRNG", "JceProvider");
  //psuedo random number generator
  KeyGenerator aesKeyGen = KeyGenerator.getInstance("AES","JceProvider");
  The SecureRandom getInstance function works fine, but the KeyGenerator getInstance function fails with the following error:
  [java] java.security.NoSuchProviderException: JCE cannot authenticate the provider JceProvider
  [java] at javax.crypto.SunJCE_b.a(DashoA6275)
  [java] at javax.crypto.SunJCE_b.a(DashoA6275)
  [java] at javax.crypto.KeyGenerator.getInstance(DashoA6275)
  [java] at com.x.jce.AES.go(Unknown Source)
  [java] at com.x.jce.AES.main(Unknown Source)
  [java] Caused by: java.util.jar.JarException: file:/jceProvider.jar is not signed by a trusted signer.
  [java] at javax.crypto.SunJCE_d.b(DashoA6275)
  [java] at javax.crypto.SunJCE_d.a(DashoA6275)
  [java] at javax.crypto.SunJCE_d.a(DashoA6275)
  [java] at javax.crypto.SunJCE_b.b(DashoA6275)
  [java] ... 5 more
  Any ideas why the KeyGenerator would fail but the SecureRandom (which looks for the same exact provider) fails? I've attempted to sign the jars with self-signed certificates. Verifying the signatures always returns true. I am completely stumped.
  -matt

  As you might have noticed it is a matter of authentication of the provider by JCE.
  The point is, JCE does not do the authentication for providers with implementations of cryptographic services defined in both J2SE and JCE 1.2.2 (including your SecureRandom provider) but for those cryptographic services related to JCE 1.2.2 only; that check itself will first be done during the instantiation of an implementation of such a service (Your AES keygenerator included).
  In order to read more about it:
  http://java.sun.com/products/jce/doc/guide/HowToImplAProvider.html#JCEAuth
  To see how to get a SUN certificate if you need one you should check:
  http://java.sun.com/products/jce/doc/guide/HowToImplAProvider.html#Step%205a

• Digitally sign a jar file for distribution?

  I recently got a jar of mine hosted for client use though a web page.
  The problem is that the jar needs to access the internet for several functions. JWS prompts the user for security reasons every time it makes a connection to a new url endpoint. Since one operation alone can hit 56 url's i thought this could be a bit of a hassle to the users.
  The solution, as I understand it to be, is to digitally sign the jar file, so the user is prompted once on download.
  I found a site ascertia which offers free certificates, but for the life of me I canb not get this to work.n I have seen keytool generate numerous errors, none of which mean anything to me. (too long >59, cant read chain from reply, invalid cert)
  Does someone know a clear and thorough tutorial on digital code signing and certs? Or a CA that provides certs for free, and has some instructions to go along?
  Thanks so much.
  The step i have trouble on is turning the CSR into a cert, and importing the returned cert back into the keystore.

  Masterkeedu wrote: !! It worked.
  Congratulations. :-)
  Masterkeedu wrote: So it's not certified, but is signed.
  So as I understand this, it means the end-user has no way to know it was me that truly signed it. But relies on their common sense I suppose.
  That is correct. The CA has verified, and is certifying, that you are who you claim to be. If you or I use a 'self signed' certificate, it does not carry the same level of trust. As you might understand already, the dialogs are different between the two certificate types, and some users cannot accept trusted code from an unverified (self-signed) certificate.
  I have been meaning to write a page on the differences between the two certificates. It is well worth looking into getting a cert. from a CA.
  There was a stage when one of the major CAs were offering 'freemail' certificates that came emblazoned not with your name, but 'free mail' itself. I did not like them because of that, and continue to use a self-signed certificate.

• Problems Signing a Jar File.

  Hi Everyone
  I'm having problems signing a jar file.
  The applet in the jar file was previously signed by Duke.
  Now I want to re-sign it with my company name.
  So I unzip the jar file. I was careful to remove the manifest and the Duke .sa and .rsa. I re-signed it with the netscape signtool.
  The applet works. It presents the prompt that it is signed by my company. I grant session. Then another prompt appears and it says it is signed by duke.
  but i was careful to remove the duke signature and manifest file when i unzipped it. Is it possible that the fact that it is signed by duke is stored in the bytecode ??
  It is using the <object tag by the way.
  <OBJECT classid="clsid:CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA"
       WIDTH = "100%" HEIGHT = "50" border="0"
       codebase="http://www.homework911.com/java/j2re-1_3_1_02-win.exe#Version=1,3,1,2">
       <PARAM NAME = "CODE" VALUE = "com.s.SApplet"/>
       <PARAM NAME = "CODEBASE" VALUE = "/_phone"/>
       <PARAM NAME = "type" VALUE="application/x-java-applet;version=1.3"/>
  stev

  great suggestion - there are no other signed jar files on the browser for it to access. There is a winzip file but it has no rsa/dsa and signature file in it.
  perhaps it is accessing something else that was signed by duke ?
  Would it be possible for it to connect to a server program that was signed by duke and therefore present the prompt. ?
  I'm trying to get the original unsigned classes and see if i can recompile and sign it just in case then name duke is in byte code.
  any other thoughts as to what this code be ?
  stephen

• Jars signed with revoked certificate

  Hello,
  I have a situation here where i have jars and wars which were signed using jarsigner. The certificate used to sign the jars is now revoked.
  When java runtime loads these jars, it does not throw any errors/exceptions. Is it the right behavior ?
  Is there any way by which I can configure java runtime to contact the CRL and to throw an error while the jar is loaded. The certificate has information
  about CRL distribution point and also has authorityinfo access details. I tried configuring OCSP in java.security file. But still no luck.
  Any information on this will be helpful.
  Thanks in advance

  Hello EJP,
  Thanks for replying.
  Yes the certificate was valid when the jar was signed. Please note that, there was no timestamp put in the signature.
  So now after the certificate has been revoked, if Java runtime tries to load that jar, isn't it the responsibility of Java runtime to make use of the CRL/OCSP information
  of the public key certificate (present in the jar put by the jarsigner when signing) and validate it for revocation ? (Also, in this scenario, what happens if OCSP is enabled in java.security ?) -OR--- Is it the responsibility of the code that makes use of the jar, to verify whether the certificate used for jar signing has been revoked or not ?
  PS:- I have enabled the security settings in java control panel for certificate revocation checking.
  Please let me know if I am wrong or if I am missing something.
  Also i noticed something with jarsigner. In a signed jar, If i delete a few files and then verify its signature using jarsigner, "jar verified" is returned as result. Isn't the jar tampered when I delete a few files from it ? and hence the Hash of its data changes ? and hence verification should fail ?
  One more question, in case of signed applets, if the certificate is revoked, as soon as the browser tries loading the applet, it throws an error saying certificate that was used for signing has been revoked. (provided browser settings and java control panel settings are all properly set). Is this check initiated by the browser OR Java runtime ?
  Thanks a lot

• WebUtil Jar signing error

  Can anyone help me with this error:
  keytool error: java.lang.Exception: Key pair not generated, alias <####> already exists

  Check whether there is a file named ".keystore". If yes, delete this file and again try to sign the jar file.
  Hope it helps u...

• It's urgent : Signing the JAR

  In my application there is a applet which tries to open a socket connection on client machine.
  And as per JAVA specification it throws a security exception.
  Which is absolutely right.
  But I want to test this application.
  Is there any utility or temporary signing clause which allows me to test the above thing with some limitations like u must have server and client (browser) running on same machine or anything.
  Regards,
  Sachin.

  if you want to test it temporarily, sign the jar and install its certificate on your local machine and feel free to test the Applet. When finished, you can uninstall the certificate. If you need help about Java security, refer to the Java Security tutorial 1.2 at the sun tutorials.
  Regards,
  Mohammed Saleem

• Signing a jar file

  Guys, I've googled the crap out of this one. I need some help signing a jar file.
  Here is what I'm doing:
  1. Generating a key:
  keytool -genkey -keystore myKeyStore -alias myName2. Trying to sign the jar file:
  jarsigner -keystore myKeyStore -storepass myPassword -keypass myNamePassword myJar.jar myNameHere is the error I'm getting:
  jarsigner error: java.lang.RuntimeException: keystore load: Invalid keystore formatI'm using Ubuntu Linux.
  I wrote and built my project with Netbeans.
  Any ideas?

  Here is what the latest process looks like. What am I doing wrong?
  thomasaaron@ubuntu:~/Desktop$ keytool -genkey -alias thomasaaron -keystore myKeyStore
  Enter key store password: password1
  Enter key password for <thomasaaron>: password2
  You are about to enter information that will be incorporated into
  your certificate request. This information is what is called a
  Distinguished Name or DN. There are quite a few fields but you
  can use supplied default values, displayed between brackets, by just
  hitting <Enter>, or blank the field by entering the <.> character
  before hitting <Enter>.
  Common Name (hostname, IP, or your name): Thomas Aaron
  Organization Name (company) [The Sample Company]: Tom's Company
  Organizational Unit Name (department, division): Tom's Department
  Locality Name (city, district) [Sydney]: TommyLand
  State or Province Name (full name) [NSW]: Colorado
  Country Name (2 letter code) [AU]: US
  thomasaaron@ubuntu:~/Desktop$
  thomasaaron@ubuntu:~/Desktop$
  thomasaaron@ubuntu:~/Desktop$ jarsigner -storepass password1 -keystore myKeyStore SupportManager.jar thomasaaron
  jarsigner error: java.lang.RuntimeException: keystore load: Invalid keystore format

• What is the next step after I signed my jar ?

  Hello,
  I've signed my jar.
  It works but still display before this message :
  "The application digital is invalid. Do you want to run the application"
  if I say OK, it works but I would like to avoid this "not very funny" message.
  I know I have something more to do and related to certificates but to be honest I'm a little bit lost...
  Any help are welcome. :o)
  Thanks in advance,
  Mangeur de foin

  Re,
  Just to add :
  I checked with : jarsigner -verbose -certs -verify myjar.jar and the answer is "jar verified".
  And I can access local directories once the jar is launched.
  Mangeur de foin

• How to sign multiple jar files using the same certificate..?

  hi,
  I want to run my application using Java Web Start.. i am using around 16 different jar files out of which around 13 are 3rd party component jars. I want to sign these jars using the same certifcate..., i am using the follwing code to sign the jars:
  (for the jar file ischeduler.jar)
  keytool -genkey -alias signFiles91 -keystore dtss -keypass dtss1351 -dname "cn=dtss" -storepass decisioncraft
  jarsigner -keystore dtss -storepass decisioncraft -keypass dtss1351 -signedjar signedischeduler.jar ischeduler.jar signFiles91
  keytool -export -keystore dtss -storepass decisioncraft -alias signFiles91 -file ischeduler.cer
  keytool -import -alias DCA2 -file ischeduler.cer -keystore Impischeduler -storepass ischeduler
  (for the jar file ischedulerclient.jar)
  keytool -genkey -alias signFiles92 -keystore dtss -keypass dtss1351 -dname "cn=dtss" -storepass decisioncraft
  jarsigner -keystore dtss -storepass decisioncraft -keypass dtss1351 -signedjar signedischedulerclient.jar ischedulerclient.jar signFiles92
  keytool -export -keystore dtss -storepass decisioncraft -alias signFiles92 -file ischeduler.cer
  keytool -import -alias DCA3 -file ischeduler.cer -keystore Impischeduler -storepass ischeduler
  but when i use the above signed jars in my application i get an error saying:
  "jars not signed by the same certificate"
  can someone plz tel me wher is the error....thanx
  andy

  Well for mulitple signing of jar files you can use ANT tool. Its easier and faster.
  Regarding the present problem -- hmm.. well it looks like you are using 2 different alias names for signing the jar file. Try using the same alias name and that might solve your problem.
  regards
  Saby