It looks like there has been a change by Oracle similar to Java 7u45, where new manifest values needed to be set to run signed Java Webstart applications (see here).
Currently our signed application, which works with Java 8u131, does not start with Java 8u141; the error message is: Could not verify signing in resource: (arbitrary resource.jar)
Can you still run your signed Webstart application with Java 8u141, i.e. do I have a special problem?
In the release notes there is a note on security changes, but they don't look related to code signing. Also, according to the crypto roadmap, this release has not really changed code signing, unlike Java 8u131, for example, where MD5 support was removed. But Java 8u131 is working for me, and the Maven Java Webstart Plugin also uses SHA-256-Digest.
5 solutions
#1
7
I have found a solution, or more exactly a work-around, to the problem. The jar in question was in our case the commons-httpclient-3.1.jar. The manifest contains the following entry:
Name: org/apache/commons/httpclient
I added a / at the end and then I signed and re-deployed the application.
Name: org/apache/commons/httpclient/
This time the web start application started without any issues. In both cases the jar was signed with Java 8u141, the jarsigner could verify the jar, but the webstart did not start in the first case. In my opinion this is a webstart bug.
#2
1
I had the same problem with a Java Webstart application for Java 8u141. It contains commons-httpclient-3.1.jar too. The problem is exactly in this jar.
It looks like the verification algorithm was changed. Now all manifest entries should have a digest. I found out that the original jar already contained one manifest entry, org/apache/commons/httpclient, without a digest:
Name: org/apache/commons/httpclient
Implementation-Title: org.apache.commons.httpclient
Implementation-Version: 3.1
X-Compile-Target-JDK: 1.2
Specification-Vendor: Apache Software Foundation
Specification-Title: Jakarta Commons HttpClient
Implementation-Vendor-Id: org.apache
Extension-name: org.apache.commons.httpclient
X-Compile-Source-JDK: 1.2
Specification-Version: 3.1
Implementation-Vendor: Apache Software Foundation
I fixed the problem by changing the ant jar task settings. I added an exclude for .MF files in the 'zipfileset' (possibly .SF, .RSA, .DSA files too). It may also be required to set the attribute 'filesetmanifest' = merge.
This prevents that manifest entry from appearing in the final signed jar.
#3
0
There was a change affecting code signing: SHA-1 certificates were disabled. This is mentioned in the release notes you linked to. In particular they mention:
A new constraint named usage, that when set, restricts the algorithm if it is used in a certificate chain for the specified use(s). Three usages are initially supported: TLSServer for TLS/SSL server certificate chains, TLSClient for TLS/SSL client certificate chains, and SignedJAR for certificate chains used with signed JARs.
(emphasis mine). Note also that the release notes discuss the entire certificate chain. So even if your signing cert uses a newer/stronger hash algorithm (SHA2 etc.), it could still be rejected if the issuing authority's certificate used SHA1.
More details at:
https://bugs.openjdk.java.net/browse/JDK-8176536
http://openjdk.java.net/jeps/288
#4
0
I had the very same problem. My solution was to remove all directory entries in the jar (as they are useless normally), either by modifying the build scripts (ant:jar filesOnly="true") or with a small Groovy script to repack the jar without the dir entries.
This is definitely a JWS bug - I'm wondering how this went unnoticed by Oracle and if they will deliver a fast fix for this...
#5
0
I had problems with commons-httpclient-3.1.jar, axis-1.4.jar, xml-resolver-1.2.jar, oro-2.0.8.jar. Open the MANIFEST.MF and add "/" at the end of the name. Rebuild and sign the project, and now it works.
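A pre-deployment check for the pattern answers #1, #2 and #5 describe, written as an added example (not code from any of the posters): it lists manifest sections whose Name has no trailing / and that carry no digest attribute. The function names and the sample jar are constructed for illustration, and the rule encodes the posters' observation, not Oracle's documented verification logic.

```python
import io
import zipfile

def parse_manifest(text):
    """Split MANIFEST.MF text into sections, joining continuation lines."""
    sections, current, last_key = [], {}, None
    for raw in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if raw == "":                      # blank line ends a section
            if current:
                sections.append(current)
            current, last_key = {}, None
        elif raw.startswith(" ") and last_key is not None:
            current[last_key] += raw[1:]   # continuation of a wrapped value
        elif ": " in raw:
            last_key, value = raw.split(": ", 1)
            current[last_key] = value
    if current:
        sections.append(current)
    return sections

def suspicious_sections(jar_bytes):
    """Names of per-entry sections with no *-Digest attribute and no trailing '/'."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    flagged = []
    for section in parse_manifest(manifest):
        attrs = {key.lower(): value for key, value in section.items()}
        name = attrs.get("name")           # the main section has no Name
        has_digest = any(key.endswith("-digest") for key in attrs)
        if name and not has_digest and not name.endswith("/"):
            flagged.append(name)
    return flagged

def build_sample_jar(package_name):
    """Constructed jar: a package-level section plus one digested class entry."""
    manifest = (
        "Manifest-Version: 1.0\r\n\r\n"
        f"Name: {package_name}\r\n"
        "Implementation-Title: org.apache.commons.httpclient\r\n"
        "Implementation-Version: 3.1\r\n\r\n"
        "Name: org/apache/commons/httpclient/HttpClient.class\r\n"
        "SHA-256-Digest: Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=\r\n\r\n"  # placeholder
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("org/apache/commons/httpclient/HttpClient.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Running suspicious_sections over each third-party jar before signing points at the jars that need the manifest edit or the repack described in the answers.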