jar resources in jnlp are not signed by the same certificate

荒凉一梦 提交于 2019-12-30 01:51:18

问题


I've been working with web start for a couple years now and have experience with signing the jars and what not. I am taking my first attempt at deploying a RCP app with web start and though I have in fact signed all of the jars with the same certificate I keep getting this error: 'jar resources in jnlp are not signed by the same certificate'

Has anyone else came across this? If so, any ideas on how to fix?


回答1:


When I had similar problems after checking the jars it turned out that some 3rd party jar was signed by someone else.

You should create a separate jnlp file for the jars signed by the other certificate and read this jnlp from your jnlp file:

<resources>
  ...
  <extension name="other" href="other.jnlp"/>
</resources>

Here or here you can find an example.




回答2:


This may be a stale manifest entry from an already signed jar that you use as a library. I encountered this problem with jogl via webstart. Try this:

Unzip all jars, purge all META-INF directories, jar and sign them again.




回答3:


I've found that JNLP/Webstart does not like multiple signatures/signing via jarsigner.exe for a given JAR. If a JAR such as BouncyCastle (which comes presigned) is signed again with your Company's certificate, visual inspection leads me to believe that the new Certificate and Signatures are performed properly in the JAR. but that JNLP may be reading only the first (Alphabetical?) signature in the META-INF, and thereby complaining it doesn't match your other JARs (which have only one, Corporate, signature on each JAR).




回答4:


I had the exact same experience as described by Matthew with the presigned BouncyCastle JARs. However, I found that JRE version 1.6.0_14 and later will gladly accept JARs with multiple signatures (as I would expect). Hence, I did not need to use the JNLP 'component extension mechanism' described above.

PS Did not find any obvious references to this fix in the 1.6.0_14 release notes. However, I have verified that multiple signed JARs works in all later versions (at least 14 - 17 + 24).




回答5:


See the explanation for one of the FAQ: How do I use multiple JAR files signed by different certificates?

Right solution.




回答6:


The following script lists serial number of the RSA certificate in each jar in /some/lib directory and helps to find jars that are signed by the wrong certificate:

for f in $( find /some/lib -type f -name '*.jar' )
do 
   serial=$( unzip -p $f 'META-INF/*.RSA' | 
             openssl pkcs7 -inform der -print -noout |
             grep --max-count=1 serialNumber | cut -d: -f2- | tr -d ' ' )
   printf "%40s: %s\n" "$serial" "$f"
done



回答7:


In my project, what happened is that there are couple of instances in the load balancer pool, there are some instances with old version of code and some with new version. Thus there are certificates not signed by same certificate...



来源:https://stackoverflow.com/questions/430755/jar-resources-in-jnlp-are-not-signed-by-the-same-certificate

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!