問題描述
使用 .cer 文件對 .jar 文件進行簽名 (Signing .jar file with a .cer file)
I'm trying to sign a jar file with a code signing certificate issued by globalsign.
I'm completely new to this but after some googling and a lot of trial and error, I executed the following steps.
I've imported the certificate in my keystore using:
keytool ‑importcert ‑alias signalias ‑file OS200912023195.cer
When I try to sign my jar file using:
jarsigner applet.jar signalias
I get the following error:
jarsigner: Certificate chain not found for: signalias. signalias must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
Did I forget something or lies the problem with the certificate?
‑‑‑‑‑
參考解法
方法 1:
...I'm wondering if I maybe need something more than just a cer file?...
<p>@Mark I guess you're right. As I can remember, the exception type like</p>
jarsigner: Certificate chain not found for: signalias. signalias must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
... makes me think you trying to sign jar with cert only. So you must be skipped some important steps :|
The first thing you have to do if you want to use certificate is to gen CSR...
- A) gen keystore; then gen the public/private key in the keystore. Command like a
keytool ‑genkey ‑alias mydomain ‑keyalg RSA ‑keystore keystore.jks ‑keysize 2048
- B) then gen CSR ‑ for more information you can read this. Command like a
keytool ‑certreq ‑alias mydomain ‑keystore keystore.jks ‑file mydomain.csr
- C) for more detailed info about keytool common commands you can read this
if you are OK with OpenSSL then gen your own cert as follows step D...
- D) In the case you need to have a self‑signed certificate you can follow these steps...
...back to your keystore
- E) only after then you to import the cert to your keystore with command like
keytool ‑import ‑trustcacerts ‑alias root ‑file server.crt ‑keystore keystore.jks
- F) And only then you can use jarsigner tool to sign your jar
Comment if that helps
方法 2:
.cer
files never store private keys, and to sign a JAR
you need to have a private key in your keystore. So I guess, you need to find out where the private key of your certificate is, and add it to your keystore.
方法 3:
Could you please use the below command to verify the keystore for your imported certificate.
keytool ‑list ‑v ‑keystore your_keystore_name ‑alias your_alias
if the details are found to be correct, there seems to be an issue with the certificate provided. It is incomplete.
方法 4:
Hope this helps: Java tutorial ‑ Signing JAR Files
Also, check out the page referenced from the above tutorial
方法 5:
jarsigner: Certificate chain not found for: signalias. signalias must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
I got that error when I created my Certificate Signing Request (CSR) using an openssl command instead of using keytool. The result is that when I generated my keystore, it didn't contain the private key, only the certificate that I had imported.
This post fixed my problem: Can a Java key store import a key pair generated by OpenSSL?
After creating the key and the certificate with OpenSSL, use OpenSSL to create a PKCS #12 key store:
openssl pkcs12 ‑export ‑in cert.pem ‑inkey key.pem > server.p12
Then convert this store into a Java key store:
keytool ‑importkeystore ‑srckeystore server.p12 ‑destkeystore server.jks ‑srcstoretype pkcs12
(by Mark、user592704、npe、Aditya Taneja、Atul、birkner)