Question

Signing a jar in Java, I have followed these three steps to sign it:

  1. keytool -genkey -keystore myKeyStore -alias me
  2. keytool -selfcert -keystore myKeyStore -alias me
  3. jarsigner -keystore myKeyStore jarfile.jar me

My questions are as follows:

  1. After that, I ran my applet; why does it show the author as unknown?
  2. I am able to give -validity (number of days) for my jar; what is the maximum number of days I can give?

Solution

  1. The certificate you have created is a self-signed one. Only certificates that have been signed by one of the trust centers marked as trusted in the Java settings are shown as "verified author".

  2. The validity does not have anything to do with how long your JAR file will work. The validity period only marks the time you can use the certificate (or better, the private key that belongs to the certificate) for signing.
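
The following is an added example, not code from the original question or any of the answers. It reproduces the question's self-signing flow with keytool and jarsigner and checks the two points made above: a jar signed with a self-signed certificate still verifies (jarsigner prints "jar verified.") but the signer is only warned about, which is why the JRE cannot name the author; and a jar signed with an already-expired certificate still verifies, so -validity bounds when the key may be used for signing, not how long the jar keeps working. The keystore names, the alias "me", the password "changeit" and the work directory are constructed for this example; on current JDKs `keytool -genkeypair` already emits a self-signed certificate, so the separate `keytool -selfcert` step is assumed unnecessary. It requires a JDK on the PATH and does nothing otherwise.

```shell
#!/bin/sh
# Added example (not from the original Q&A): self-sign a jar the way the
# question does, then verify it, once with a long-lived self-signed
# certificate and once with a certificate that has already expired.
# Keystore names, alias, password and work directory are constructed here.

set -u

WORK="${TMPDIR:-/tmp}/jarsign-demo.$$"
STOREPASS="changeit"   # constructed demo password

have_jdk() {
    command -v keytool >/dev/null 2>&1 &&
    command -v jarsigner >/dev/null 2>&1 &&
    command -v jar >/dev/null 2>&1
}

# build_jar JAR: create a trivial jar so there is something to sign.
build_jar() {
    mkdir -p "$WORK/src" &&
    echo "hello" > "$WORK/src/hello.txt" &&
    (cd "$WORK/src" && jar cf "$1" hello.txt)
}

# make_keystore STORE ALIAS VALIDITY_DAYS [STARTDATE]
# -genkeypair already produces a self-signed certificate, which replaces the
# "keytool -genkey" + "keytool -selfcert" pair from the question (assumption:
# current JDK). RSA 2048 is requested explicitly because the old default
# (DSA 1024) is disabled in recent jarsigner releases, which then treat the
# jar as unsigned. STARTDATE uses keytool's relative form, e.g. "-400d".
make_keystore() {
    store="$1"; name="$2"; days="$3"; start="${4:-}"
    rm -f "$store"
    set -- -genkeypair -keystore "$store" -storepass "$STOREPASS" -keypass "$STOREPASS" \
           -alias "$name" -keyalg RSA -keysize 2048 -validity "$days" \
           -dname "CN=$name, OU=demo, O=demo, C=US"
    [ -n "$start" ] && set -- "$@" -startdate "$start"
    keytool "$@" >/dev/null 2>&1
}

# sign_jar STORE ALIAS JAR: the same jarsigner invocation as step 3 of the question.
sign_jar() {
    jarsigner -keystore "$1" -storepass "$STOREPASS" "$3" "$2" >/dev/null 2>&1
}

# verify_jar JAR: return 0 only if jarsigner reports "jar verified.";
# the warnings (self-signed, expired, no timestamp) are kept in verify.log.
verify_jar() {
    jarsigner -verify -verbose -certs "$1" > "$WORK/verify.log" 2>&1
    grep -q "jar verified" "$WORK/verify.log"
}

# cert_dates STORE ALIAS: print the certificate's validity window.
cert_dates() {
    keytool -list -v -keystore "$1" -storepass "$STOREPASS" -alias "$2" 2>/dev/null |
    grep "Valid from"
}

# Scenario (a): self-signed certificate valid for ten years. keytool accepts
# much larger values; 36500 days, roughly a century, is commonly used.
demo_self_signed() {
    build_jar "$WORK/selfsigned.jar" || return 1
    make_keystore "$WORK/myKeyStore" me 3650 || return 1
    sign_jar "$WORK/myKeyStore" me "$WORK/selfsigned.jar" || return 1
    verify_jar "$WORK/selfsigned.jar"
}

# Scenario (b): certificate valid for 30 days starting 400 days ago, i.e.
# expired about a year before signing. jarsigner signs and verifies anyway
# (only -strict turns the expiry warning into a non-zero exit).
demo_expired() {
    build_jar "$WORK/expired.jar" || return 1
    make_keystore "$WORK/expiredStore" me 30 -400d || return 1
    sign_jar "$WORK/expiredStore" me "$WORK/expired.jar" || return 1
    verify_jar "$WORK/expired.jar"
}

if have_jdk; then
    if demo_self_signed; then
        echo "self-signed signer: jar verified; jarsigner warnings:"
        grep -i "warning" "$WORK/verify.log" || true
        cert_dates "$WORK/myKeyStore" me
    fi
    if demo_expired; then
        echo "expired signer: jar still verified; jarsigner warnings:"
        grep -i "warning" "$WORK/verify.log" || true
        cert_dates "$WORK/expiredStore" me
    fi
    rm -rf "$WORK"
else
    echo "keytool/jarsigner/jar not found on PATH; install a JDK to run this example"
fi
```

The verification step is the defender's check worth keeping: `jarsigner -verify -verbose -certs` shows exactly which certificate signed each entry and whether it chains to a trust anchor, which is the information the applet's "author unknown" prompt is summarising. Add `-strict` when you want expired or untrusted signers to fail the build instead of only printing a warning.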

OTHER TIPS

As noted in the keytool Validity Period,

Each certificate is valid only for a limited amount of time. This period is described by a start date and time and an end date and time, and can be as short as a few seconds or almost as long as a century.

As both @Andrew and @Robert note, professional software requires a professionally signed certificate. For casual use, a self-signed certificate can be used among people who share another channel of trust. It can also aid in rejecting a false claim of misprision.

  • A writes an open source program, signed A.
  • B adds malware and, unable to sign A, signs B.
  • C mistakenly obtains B's version and accuses A of the crime.
  • A can verify that tampering has occurred.

  1. It shows as 'Author unknown' unless the digital certificate is certified by a key chain back to a CA (certification authority) such as Verisign. The problem with the 'self signed' certificate is that while you can create a certificate that claims you are who you are, other people can also make certificates that claim they are who you are.
    Since one 'self-signed' certificate is as good as the next to positively identify you (i.e. worthless), the JRE states 'author unknown'.
  2. I am not sure, though I recall using 5000 days in previous certificates. Perhaps the real question is, how long is it worth claiming you are who you are, on a certificate that the JRE will never trust enough to even show the identity? If this is for a commercial product, I strongly recommend getting the verification done (it can be expensive). It would not hurt even for a widely distributed free product.
Licensed under: CC-BY-SA with attribution