Jarsigner: "This jar contains entries whose certificate chain is not validated."

3

7

I get the following error on a self-signed jar:

jar verified.

Warning:
This jar contains entries whose certificate chain is not validated.

Re-run with the -verbose and -certs options for more details.

I signed the jar like this:

"C:\Program Files\Java\jdk1.7.0\bin\jarsigner" -keystore myKeyStore myJar.jar myAlias

My jar has 2 entry points: one for Java Web Start, and one for an applet.

  • If I run the jar the Java Web Start way, it has no impact.
  • But if I run the jar as an applet, I get a strong security warning at some point when I try to access a bitmap resource embedded in the jar.

Using the -verbose and -certs options shows a lot of lines, and I don't understand any of it. This is the output: output.txt (part of the 6307 lines reproduced below).

s     157850 Tue Nov 08 12:57:44 CET 2011 META-INF/MANIFEST.MF

      X.509, O=keyja.com
      [certificate is valid from 17/08/11 17:32 to 24/07/11 17:32]
      [CertPath not validated: null]

      112909 Tue Nov 08 12:57:44 CET 2011 META-INF/KEYJA_CO.SF
        1108 Tue Nov 08 12:57:44 CET 2011 META-INF/KEYJA_CO.RSA
sm       180 Tue Nov 08 12:16:40 CET 2011 com/keyja/client/a/a/a/k.class

      X.509, O=keyja.com
      [certificate is valid from 17/08/11 17:32 to 24/07/11 17:32]
      [CertPath not validated: null]

sm       252 Tue Nov 08 12:16:40 CET 2011 com/keyja/client/a/a/a/r.class
...
(around 6000 lines of other output along the same lines)

  s = signature was verified 
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

Warning: 
This jar contains entries whose certificate chain is not validated.

How do I sign the jar file?

Platinotype answered 8/11, 2011 at 11:25 Comment(5)
It makes sense. I included a link to the output. - Platinotype
"If I run the jar in a java web start way, it has no incidence." What level of security permissions does the JWS launch request? - Grettagreuze
If the applet runs sand-boxed as well, why sign the code at all? - Grettagreuze
Because the applet doesn't work if I don't sign it. It should but it doesn't, for a reason I ignore. - Platinotype
Let us continue this discussion in chat. - Grettagreuze
1

Thanks Andrew Thompson. I have unsigned my jar file, and found the bug. It's better unsigned, you're right about this, because signing makes no sense since I don't need to get out of the sandbox.

For the record, the bug was the use of the jnlp.jar library. In order to make it work, I launched the applet using jnlp/applet code instead of a standard tag.

Platinotype answered 9/11, 2011 at 12:56 Comment(2)
So how did you fix it? A little bit more detail please. - Hardshell
I launched the applet using jnlp/applet code instead of a standard html applet tag. docs.oracle.com/javase/tutorial/deployment/deploymentInDepth/… - Platinotype
1

Just one line answers your question, I guess. And if you look closer you'll see it. Here it is:

[certificate is valid from 17/08/11 17:32 to 24/07/11 17:32]

As I may hope, you know that today is not July 24, so you just have to re-sign your app.

Kevyn answered 8/11, 2011 at 17:52 Comment(4)
If the certificate is no longer valid, then he will have to recreate the certificate to extend the valid time period. - Xerosis
No, it's 24/07/2111, and it's valid. - Platinotype
I am just wondering... Is it valid from 17/08/2111 17:32 to 24/07/2111 17:32? - Kevyn
Could you provide the key and the cert validation dates? - Kevyn
0

I have exactly the same problem.

There is a change in the validation in the new Java 7 and Java 6 versions. The bug ID is 6861062: java classes_security Disable MD2 in certificate chain validation.

When signing the jar file, I had a warning message, and when executing the command:

jarsigner MyTools.jar -verify -verbose -certs

I had the message:

      X.509, OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
      [certificate is valid from 29.01.96 01:00 to 02.08.28 01:59]
      [CertPath not validated: Algorithm constraints check failed: MD2withRSA]

My solution is:

  • Use another version of the JDK to sign and JRE Plugin.
  • Update your certificate security in order not to use this algorithm.

I hope it will help you.

Regards

Dancette answered 13/9, 2013 at 8:40 Comment(0)
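
Added example, not part of the original thread: a small Python summarizer for `jarsigner -verify -verbose -certs` output that collapses the thousands of per-entry lines into one row per distinct certificate chain and failure reason, covering both the `null` reason from the question and the `MD2withRSA` reason from the last answer. The sample text is constructed from lines quoted on this page plus made-up `com/example/` entries; dates are assumed to be day-first, and `summarize` and `spans_century` are names chosen for this example.

```python
import re
from collections import Counter

ENTRY = re.compile(r"^([smki]{0,4})\s+\d+\s+\S.*\s(\S+)$")  # flags, size, date, name
CERT = re.compile(r"^\s+X\.509, (.+)$")
VALID = re.compile(r"\[certificate is valid from (.+?) to (.+?)\]")
FAIL = re.compile(r"\[CertPath not validated: (.*)\]")

# Constructed sample: lines quoted on this page plus made-up com/example/ entries.
SAMPLE = """\
s     157850 Tue Nov 08 12:57:44 CET 2011 META-INF/MANIFEST.MF

      X.509, O=keyja.com
      [certificate is valid from 17/08/11 17:32 to 24/07/11 17:32]
      [CertPath not validated: null]
sm       180 Tue Nov 08 12:16:40 CET 2011 com/keyja/client/a/a/a/k.class

      X.509, O=keyja.com
      [certificate is valid from 17/08/11 17:32 to 24/07/11 17:32]
      [CertPath not validated: null]
          99 Tue Nov 08 12:16:40 CET 2011 com/example/extra.png
sm       252 Tue Nov 08 12:16:40 CET 2011 com/example/Tool.class

      X.509, OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
      [certificate is valid from 29.01.96 01:00 to 02.08.28 01:59]
      [CertPath not validated: Algorithm constraints check failed: MD2withRSA]
"""

def spans_century(start, end):
    """Assumes day-first dd?mm?yy dates. True when the window seems to end before
    it starts: the two-digit years hide a century change, so expiry is unreadable."""
    key = lambda s: tuple(reversed(re.match(r"(\d\d)\D(\d\d)\D(\d\d)", s).groups()))
    return key(end) <= key(start)

def summarize(text):
    failures, windows, unsigned, chain = Counter(), {}, [], []
    for line in text.splitlines():
        if m := CERT.match(line):
            chain.append(m.group(1))
        elif (m := VALID.search(line)) and chain:
            windows[chain[-1]] = (*m.groups(), spans_century(*m.groups()))
        elif m := FAIL.search(line):
            failures[(tuple(chain), m.group(1))] += 1
        elif m := ENTRY.match(line):
            chain = []  # each jar entry lists its own signer chain
            if "s" not in m.group(1) and not m.group(2).startswith("META-INF/"):
                unsigned.append(m.group(2))  # entry not covered by a verified signature
    return {"failures": failures, "windows": windows, "unsigned": unsigned}
```

On real output, pass the saved text to `summarize()`; a window flagged by `spans_century` means the printed two-digit years alone cannot settle whether the certificate has expired.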
