获取Java类的CodeSigners

huangapple go评论68阅读模式
英文:

Java get CodeSigners from class

问题

我正在运行Java 17并调用class.getProtectionDomain().getCodeSource().getSigners(),但即使相关的JAR文件已正确签名,它始终返回null。有人知道为什么会这样,是否有修复或其他解决方案吗?

在检查Jarsigner时,返回以下内容,jarsigner -verify .\mcpaintball-1.5.1-R.jar

jar已验证。

警告:
此JAR文件包含其证书链无效的条目。原因:PKIX路径构建失败:sun.security.provider.certpath.SunCertPathBuilderException:无法找到对所请求目标的有效证书路径
此JAR文件包含其签名者证书为自签名的条目。

重新使用-verbose和-certs选项以获取更多详细信息。

我尝试过同时使用class.getSigners()class.getProtectionDomain().getCodeSource().getCertificates(),但都没有成功。
我原本期望能够获取包含我的签名信息或至少证书的签名者列表。

是否有Java不支持的算法可能导致此问题?

英文:

I'm running java 17 and calling class.getProtectionDomain().getCodeSource().getSigners() always returns null even though the associated jar is correctly signed. Does anyone know why this is and if there is a fix or another solution.

When checking the jarsigner the following gets returned, jarsigner -verify .\mcpaintball-1.5.1-R.jar

jar verified.

Warning:
This jar contains entries whose certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This jar contains entries whose signer certificate is self-signed.

Re-run with the -verbose and -certs options for more details.

I have tried to use both class.getSigners() and class.getProtectionDomain().getCodeSource().getCertificates() to no avail.
I was expecting to get the list of signers containing my signing information or at the very least the certificate.

Are there algorithms that java does not support that could be causing this issue.

答案1

得分: 1

我建议将用于签署JAR文件的自签名证书添加到您的系统信任存储中。

从JAR文件中导出证书

keytool -exportcert -alias <signer> -keystore <keystore.jks> -storepass <password> -file signer.cer

导入到信任存储

keytool -importcert -alias <signer> -keystore <cacerts.jks> -storepass <password> -file signer.cer

请根据括号中的值进行替换。keytool可在jdk中使用,因此在Windows上应该可以工作。
完成后,请验证签名。

可能您的cacerts文件不是JKS格式。
cacerts文件通常位于$JAVA_HOME/jre/lib/security/目录中。

您可以使用以下命令检查cacerts文件的格式:

keytool -list -v -keystore /path/to/cacerts

如果cacerts文件不是JKS格式,您可以使用以下命令将其转换为JKS格式:

keytool -importkeystore -srckeystore /path/to/cacerts -destkeystore /path/to/cacerts.jks -deststoretype jks

希望这有所帮助。

英文:

I would suggest adding the self-signed cert which was used to sign the jar to your systems truststore.

Export certificate from the JAR file

keytool -exportcert -alias &lt;signer&gt; -keystore &lt;keystore.jks&gt; -storepass &lt;password&gt; -file signer.cer

Import to truststore

keytool -importcert -alias &lt;signer&gt; -keystore &lt;cacerts.jks&gt; -storepass &lt;password&gt; -file signer.cer

Replace values in brackets accordingly. keytool is available in jdk, so should work in windows.
After this verify signature.

It’s possible that your cacerts file is not in the JKS format.
The cacerts file is usually located in the
$JAVA_HOME/jre/lib/security/ directory.

You can check the format of your cacerts file using the following command:

keytool -list -v -keystore /path/to/cacerts

If cacerts file is not in the JKS format, you can convert it to JKS using the following command:

keytool -importkeystore -srckeystore /path/to/cacerts -destkeystore /path/to/cacerts.jks -deststoretype jks

Hope this helps.

huangapple
  • 本文由 发表于 2023年7月17日 16:05:09
  • 转载请务必保留本文链接:https://go.coder-hub.com/76702538.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定