jarsigner -verify works in Java 6 but not Java 7

Question

I've been banging my head against this for a few days and am completely stumped. Here's the rundown:

1. I've got an Eclipse plugin project using Tycho to build via Maven 3
2. Within Maven I've got the maven-jarsigner-plugin set up to sign jars using my keystore (see below for keystore details)
3. I've got a code signing cert that's been signed by Thawte in my keystore

I can take any signed jar file from target/* and run 'jarsigner -verify' on it. This is what happens:

#java 6 on a VM
vagrant@test2:/vagrant/com.example.plugins.eclipse/target$ jarsigner -verify com.example.eclipse-0.1.3-SNAPSHOT.jar
jar verified.

Next:

#java 7 on a completely different vm
vagrant@test1:/vagrant$ jarsigner -verify com.example.eclipse-0.1.3-SNAPSHOT.jar
jar verified.

Warning:
This jar contains entries whose certificate chain is not validated.

Re-run with the -verbose and -certs options for more details.

I've take care not to use a machine with both Java6 and Java7 installed, so it's not this issue

I also don't believe it's algorithm based, as described in this issue, since I can sign the project using either Java 6 or Java 7 and it always verifies in Java6 and never verifies in Java7, regardless of which environment I signed the jars with.

Here's the output of keytool -list

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Aug 11, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81
intermediate, Aug 11, 2013, trustedCertEntry,

I have to believe that this is a certificate chain issue because I am able to verify the jar using the following command on Java 7:

jarsigner -verify -keystore keystore com.example.eclipse-0.1.3-SNAPSHOT.jar

Obviously I can't have every user of my plugin using my keystore file, so that's not a solution. It does however, reinforce that I have a cert chain issue in Java 7. Thoughts?

Answer 1

Months later I happened to figure out the answer to my own question. For anyone else with the same issue, here is what I did:

1. Convert your existing private key and the CA signed cert into a pkcs12 format (this is required since Java's keytool doesn't allow the direct importation of these items). This can be accomplished in a single openssl command:

   openssl pkcs12 -export -name signing -in signing.cert -inkey myPrivateKey.key -out keystore.p12
   

   Where signing is the name of my pkcs12 keystore, signing.cert is my CA supplied signed cert, and (obviously) myPrivateKey.key is my private key that was used to sign the Cert Request.

2. Import this newly created keystore into a Java keystore:

   keytool -importkeystore -destkeystore keystore -srckeystore keystore.p12 -srcstoretype pkcs12 -alias signing
   

3. Import your CA's Java cert into the keystore. I'm not exactly sure what magic this does but without it the cert chain isn't followed (even when manually adding intermediate certs). This cert is usually provided via the email where your signing cert arrived in. For our purposes it's called signing.pkcs7.

   keytool -importcert -file signing.pkcs7 -keystore keystore -v -alias signing
   

   You'll have to enter the keystore password you used when creating the Java keystore.

4. Use the maven-jarsigner-plugin (or whatever automation is required) to sign your projects during build.

Answer 2

The answer to your problem is you are using SUN as your keystore provider java 6 was released prior to oracle purchasing SUN and java 7 was released after and many of the Sun packages are now deprecated. You can verify this here.

Oracle has kept support for the deprecated SUN keystore provider but now requires that a warning be issued same as if you had used any deprecated feature.

There is a long detailed description written by Oracle on why you shouldn't use the SUN provider for security signing in the JCA Documentation on their website.

The only thing that will "fix" this is to change your keystore provider to and oracle acceptable one, you can find them in the same security documentation linked to above.

Hope that helps.

Answer 3

It does work. You get "jar verified" in both cases => the JAR is verified in both cases. That means that the JAR was signed by who it claims to be signed by, and that the JAR hasn't been subsequently tampered with.

Java 7 is printing a warning.