Login/Register
This jar contains entries whose signer certificate will expire within six months
Asked Answered
Solved javasecurityappletcode-signing
S

1

7

I've signed my jar in various ways, but I keep getting the above error message when I use the command:

jarsigner -verify -verbose [my jar]

Is there a way to get rid of this error? Will my code just stop working after six months if it's not re-certified?

Here is the entire set of commands used to generate the key & sign the Jar:

keytool -genkey -keystore [keystore] -alias [alias] -validity 2000
keytool -selfcert -keystore [keystore] -alias [alias] -validity 2000
jarsigner -keystore [keystore] [jar] [alias]
Snowcap answered 1/5, 2012 at 22:32 Comment(0)
L
14

Is there a way to get rid of this error?

It is not an error, but a warning. As to how to avoid it, make sure the certificate has a validity date that is longer than 6 months. For a self-signed certificate, that is a matter of providing the correct parameters when generating the key. Here is the keytool Example.

keytool -genkeypair -dname "cn=Mark Jones, ou=Java, o=Oracle, c=US"
  -alias business -keypass <new password for private key> -keystore /working/mykeystore
  -storepass <new password for keystore> -validity 180

The important part is -validity 180. 180 days, or around 6 months, for that example. Use 1800 for around 5 years.

Will my code just stop working after six months if it's not re-certified?

Not exactly.

  • The user on some systems will be warned that the certificate has expired, and be offered the choice to accept it. If they do, it will work as normal. e.g. of "signature has expired":
  • Other systems might be configured to automatically reject out of date certificates. On those machines, the code will most likely never start, or in rare cases, be loaded but have a sand-box applied.

I thought I had turned all java caching off though, as it's annoying when trying to develop.

Applet caching during testing is a big problem. I try to avoid testing applets in the browser until absolutely necessary. There are 2 ways I know of to test applets that will not cache the classes.

  1. Use the AppletViewer
  2. An hybrid applet/application
Lysander answered 1/5, 2012 at 22:45 Comment(7)
Ok. Well, we have full control over the systems that this software will be deployed on, so it probably won't be an issue. However, I'd feel much better if I could just get rid of the warning in the first place. I was already using the validity argument, but it didn't seem to do anything. Here is exactly what I did to sign the jar: pastie.org/3846104Snowcap
Sorry, I don't often post on SO, and I didn't realize enter submits an edit/comment. I edited my post to fix that.Snowcap
More tips 1) Questions can be edited after they are posted. 2) Don't post links to information that is better edited into the question. 3) When you add input/output, HTML/XML or source in questions, use code formatting. 4) Comments can be deleted. -- 4) is relevant since I already followed the link, copied the text & edited the question to add the input commands (using code formatting).Lysander
Ok. Thanks for the tips. I'll make sure to keep those in mind. Anyways, I followed the example you gave me, and now I don't receive that warning. Thanks! But, what was the difference between the way you suggested and the way I was doing it? Weren't both ways specifying validity?Snowcap
It's a java applet, so I'm embedding it in a web page and launching it that way. I thought I had turned all java caching off though, as it's annoying when trying to develop.Snowcap
Oh, 'applet' right you are, and you mentioned that originally in the tags. :P See the edit.Lysander
Same problem here , but solved using -validity 1800Mabelmabelle

© 2022 - 2024 — McMap. All rights reserved.