Jar Signing

[Matt Venables]

I'm testing code for a friend and am running into several issues. Any
help would be greatly appreciated (I have gMail invites to offer if
that would help).

OK, here's the deal:

I've been given a bunch of source file which I've compiled into a JAR.
It uses the JCE and therefore needs to be signed. My friend gave me
two certificates, one a .cer and one a .crt file. Both have Owner and
Issuer name as JCE Code Signing CA.

All seems fine so far. The I added the one certificate with "root" in
the name (the .cer file) to the cacerts in my jre lib/security folder.
The other, I've added to my keystore. The problem is that when I
attempt to sign the JARs, I get an error stating "<alias> must
reference a valid KeyStore key entry containing a private key and
correspoinding public key certifiate chain." Any ideas on this?

With this, I decided to make my own keys and sign them myself for
testing purposes. I signed the JARs fine but the JCE returns the
following error during run-time:
"java.security.NoSuchProviderException: JCE cannot authenticate the
provider <name>" ... "Caused by: java.util.jar.JarException: <filename>
is not signed by a trusted signer." Yet I did add my certificate to the
trusted certs (the cacerts file).

If anyone can help, I would really appreciate the help, and as I said,
I have gmail invites to offer.

Thanks,
-Matt

 

[mattvenables]

Oh, also, I am using J2SDK1.4.2_08 if that helps

 

[Aidan]

Did you sign the jar containing the Provider code, or only your own
jar? I've read that signed a JAR multiple times can cause problems, but
this is kind of a stab in the dark in your case.

 

[Aidan]

Did you sign the jar containing the Provider code, or only your own
jar? I've read that signing a JAR multiple times can cause problems,
but this is kind of a stab in the dark in your case.

 

[Pete Barrett]

I'm testing code for a friend and am running into several issues. Any
help would be greatly appreciated (I have gMail invites to offer if
that would help).

OK, here's the deal:

I've been given a bunch of source file which I've compiled into a JAR.
It uses the JCE and therefore needs to be signed. My friend gave me
two certificates, one a .cer and one a .crt file. Both have Owner and
Issuer name as JCE Code Signing CA.

All seems fine so far. The I added the one certificate with "root" in
the name (the .cer file) to the cacerts in my jre lib/security folder.
The other, I've added to my keystore. The problem is that when I
attempt to sign the JARs, I get an error stating "<alias> must
reference a valid KeyStore key entry containing a private key and
correspoinding public key certifiate chain." Any ideas on this?

You need to sign it with your own certficate, not someone else's that
you've imported into the keystore. The normal way (ie. what's in the
documentation) is to generate your own public/private key pair, then
use that to generate a certificate request, then send that certificate
request to the Certification Authority, then import the certificate
they send you back (which corresponds to your own public/private key
pair which is in the keystore). If I understand what you say, what
you've done is to import a certificate which corresponds to someone
else's (your friend's, I would guess) public/private key pair, and try
to sign the jars with that. Put like that, it's clear that it won't
work.

With this, I decided to make my own keys and sign them myself for
testing purposes.

This is more like it. When you generate your own key pair, you
automatically generate a self-signed certificate corresponding, which
can be used to sign code. (That's what the documentation says, and I
can confirm that it works that way for me.)

I signed the JARs fine but the JCE returns the
following error during run-time:
"java.security.NoSuchProviderException: JCE cannot authenticate the
provider <name>" ... "Caused by: java.util.jar.JarException: <filename>
is not signed by a trusted signer." Yet I did add my certificate to the
trusted certs (the cacerts file).

Unfortunately, I don't know how the JCE handles these things, so can't
help you here.


Pete Barrett