Signed JAR being blocked by Java Security

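I'm racking my brain trying to work out why, when I sign my JAR with a code-signing certificate that has been used before, I still get a Java Security "Application Blocked" dialog stating that my application is self-signed:

However, when I run the jarsigner verify command from a machine that I did not use to sign the application (the actual company name has been replaced with Acme for anonymity):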

jarsigner -verify -certs -verbose RegistrySafeLauncher.jar


s        821 Wed Oct 21 09:25:42 BST 2015 META-INF/MANIFEST.MF

      X.509, CN="Acme Software, Inc.", OU=Acme Software Corp, OU=Digital ID Class 3 - Java Object Signing, O="Acme Software, Inc.", L=Sunnyvale, ST=California, C=US
      [certificate is valid from 11/5/13 12:00 AM to 11/4/16 11:59 PM]
      X.509, CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
      [certificate is valid from 2/8/10 12:00 AM to 2/7/20 11:59 PM]
      X.509, CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
      [certificate is valid from 11/8/06 12:00 AM to 11/7/21 11:59 PM]
      X.509, OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
      [certificate is valid from 1/29/96 12:00 AM to 8/3/28 12:59 AM]

         561 Wed Oct 21 09:25:42 BST 2015 META-INF/MYKEY.SF
        5345 Wed Oct 21 09:25:42 BST 2015 META-INF/MYKEY.RSA
           0 Wed Oct 21 09:25:44 BST 2015 META-INF/
           0 Wed Oct 21 09:25:44 BST 2015 registrysafelauncher/
sm      1067 Wed Oct 21 09:25:42 BST 2015 META-INF/INDEX.LIST

      X.509, CN="Acme Software, Inc.", OU=Acme Software Corp, OU=Digital ID Class 3 - Java Object Signing, O="Acme Software, Inc.", L=Sunnyvale, ST=California, C=US
      [certificate is valid from 11/5/13 12:00 AM to 11/4/16 11:59 PM]
      X.509, CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
      [certificate is valid from 2/8/10 12:00 AM to 2/7/20 11:59 PM]
      X.509, CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
      [certificate is valid from 11/8/06 12:00 AM to 11/7/21 11:59 PM]
      X.509, OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
      [certificate is valid from 1/29/96 12:00 AM to 8/3/28 12:59 AM]

sm      1441 Wed Oct 21 09:25:44 BST 2015 registrysafelauncher/RegistrySafeLauncher.class

      X.509, CN="Acme Software, Inc.", OU=Acme Software Corp, OU=Digital ID Class 3 - Java Object Signing, O="Acme Software, Inc.", L=Sunnyvale, ST=California, C=US
      [certificate is valid from 11/5/13 12:00 AM to 11/4/16 11:59 PM]
      X.509, CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
      [certificate is valid from 2/8/10 12:00 AM to 2/7/20 11:59 PM]
      X.509, CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
      [certificate is valid from 11/8/06 12:00 AM to 11/7/21 11:59 PM]
      X.509, OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
      [certificate is valid from 1/29/96 12:00 AM to 8/3/28 12:59 AM]

sm      1765 Wed Oct 21 09:25:44 BST 2015 registrysafelauncher/RegistrySafeLauncher.class

      X.509, CN="Acme Software, Inc.", OU=Acme Software Corp, OU=Digital ID Class 3 - Java Object Signing, O="Acme Software, Inc.", L=Sunnyvale, ST=California, C=US
      [certificate is valid from 11/5/13 12:00 AM to 11/4/16 11:59 PM]
      X.509, CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
      [certificate is valid from 2/8/10 12:00 AM to 2/7/20 11:59 PM]
      X.509, CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
      [certificate is valid from 11/8/06 12:00 AM to 11/7/21 11:59 PM]
      X.509, OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
      [certificate is valid from 1/29/96 12:00 AM to 8/3/28 12:59 AM]


  s = signature was verified 
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

Warning: 
This jar contains signatures that does not include a timestamp. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2016-11-04) or after any future revocation date.

The manifest file in the built JAR looks like this:

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.9.4
X-COMMENT: Main-Class will be added automatically by build
Application-Library-Allowable-Codebase: *.acme.net http://localhost*
Application-Name: RegistrySafeLauncher
Class-Path: lib/jna-4.2.0.jar lib/jna-platform-4.2.0.jar
Permissions: all-permissions
Created-By: 1.7.0_80-b15 (Oracle Corporation)
Caller-Allowable-Codebase: *.acme.net http://localhost*
Main-Class: registrysafelauncher.RegistrySafeLauncher
Codebase: *

Name: registrysafelauncher/RegistrySafeLauncher.class
SHA-256-Digest: lA2UH1iNCFqmNeXTlD/5Gik+DGfkA64F34T3i6ArSEM=

Name: registrysafelauncher/RegistrySafeLauncher.class
SHA-256-Digest: kNyCx9f9FwWHAV/Mf4D+9KIJJfFHdcrTUNnEdiXwWmw=

Name: META-INF/INDEX.LIST
SHA-256-Digest: 7A/Nhqqvf7wBQNaAj0actnzwuWocUJv6R8/+QZyURmw=

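What am I missing? Have I left something out of my manifest file, or is the link to the CA (VeriSign) incorrect on the machine I'm building on?

****** Later update: ******

After modifying my jnlp file, it looks like this: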

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<jnlp codebase="http://localhost/jnlptestcaller" href="launch.aspx" spec="1.0+">
    <information>
        <title>RegistrySafeLauncher</title>
        <vendor>Acme Software, Inc.</vendor>
        <homepage href=""/>
        <description>RegistrySafeLauncher</description>
        <description kind="short">RegistrySafeLauncher</description>
    </information>
    <update check="background"/>
    <security>
        <all-permissions/>
    </security>
    <resources>
        <j2se version="1.7+"/>
        <jar href="RegistrySafeLauncher.jar" main="true"/>
        <jar href="lib/jna-4.2.0.jar"/>
        <jar href="lib/jna-platform-4.2.0.jar"/>
    </resources>
    <application-desc main-class="registrysafelauncher.RegistrySafeLauncher">
        <argument>JavaAgent.jnlp.aspx</argument>
    </application-desc>
</jnlp>

I now get this slightly different security warning:

How can I get rid of this warning?

As of Java 7 update 51 self-signed certificates will be blocked.

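As discussed on the linked page, there are a number of resources for "properly implementing secure practices":

While this is not a general solution (since you shouldn't expect users to do this), for a quick fix: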

you can use the Exception Site list feature to run the applications blocked by security settings. Adding the URL of the blocked application to the Exception Site list allows it to run with some warnings.

It turned out my certificate was fine. Java doesn't play well with localhost, so I added a hosts file entry pointing localtest to localhost, and running it from localtest worked (using my IP also works).
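
An added example (not code from the question or the answers) that cross-checks the deployment attributes shown in this thread: it parses the manifest's main section, compares its Permissions value with the level the JNLP requests, and flags the wildcard Codebase and the localhost codebase that the final post reports as the cause. The function names and the abridged sample inputs are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample inputs, abridged from the manifest and JNLP in the question.
MANIFEST = """\
Manifest-Version: 1.0
Permissions: all-permissions
Caller-Allowable-Codebase: *.acme.net http://localhost*
Codebase: *

Name: registrysafelauncher/RegistrySafeLauncher.class
SHA-256-Digest: lA2UH1iNCFqmNeXTlD/5Gik+DGfkA64F34T3i6ArSEM=
"""
JNLP = """<jnlp codebase="http://localhost/jnlptestcaller" href="launch.aspx" spec="1.0+">
  <security><all-permissions/></security>
  <resources><jar href="RegistrySafeLauncher.jar" main="true"/></resources>
</jnlp>"""

def main_attributes(manifest_text):
    """Parse the main section (up to the first blank line) of a JAR manifest."""
    attrs, last = {}, None
    for line in manifest_text.splitlines():
        if not line.strip():
            break  # blank line ends the main section
        if line.startswith(" ") and last:
            attrs[last] += line[1:]  # continuation of a wrapped (72-byte) line
        else:
            last, _, value = line.partition(": ")
            attrs[last] = value
    return attrs

def audit(manifest_text, jnlp_text):
    """Return findings about the deployment attributes of a manifest/JNLP pair."""
    attrs = main_attributes(manifest_text)
    root = ET.fromstring(jnlp_text)
    findings = []
    wants_all = root.find("security/all-permissions") is not None
    jnlp_level = "all-permissions" if wants_all else "sandbox"
    level = attrs.get("Permissions")
    if level is None:
        findings.append("manifest has no Permissions attribute")
    elif level != jnlp_level:
        findings.append(f"Permissions mismatch: manifest={level} jnlp={jnlp_level}")
    if attrs.get("Codebase", "*").strip() == "*":  # absent is treated like *
        findings.append("Codebase is unrestricted (*)")
    host = urlparse(root.get("codebase", "")).hostname
    if host in ("localhost", "127.0.0.1"):
        findings.append(f"JNLP codebase host is {host}")
    return findings
```

Run against the abridged inputs, `audit(MANIFEST, JNLP)` reports the wildcard Codebase and the localhost codebase; swapping the host for a named one such as localtest leaves only the Codebase finding.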