Problem description
I was trying to sign a jar applet archive with our company .pfx certificate using this guide
(and a few others from the internet):
http://www.globalsign.com/support/ordering-guides/SignJavaCodeAppletsPFX.pdf
Everything seems to be fine, but when I try to run the applet through the browser I see that
'Publisher' is UNKNOWN (untrusted). And when I go to details I'm able to see the proper company
name and certificate vendor (GlobalSign). Why is it not properly displayed as known/trusted?
The one thing which looks suspicious to me is the output of the command
jarsigner -verify -verbose -certs Applet.jar:
(...)
sm 1936 Wed Apr 13 03:00:50 CEST 2011 org/my/Applet.class
X.509, CN=CompanyName, O=CompanyName, L=Tilst, ST=ProperState, C=DK
[certificate is valid from 18.02.10 14:58 to 18.02.13 14:58]
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope
So it looks like 'k = at least one certificate was found in keystore' is missing
(should be smk and it is sm). Is it signed only partially? Or what?
Is it possible that the .pfx file given to me by GlobalSign is somehow wrong
or not enough to sign applets? For normal executables it was working just fine...
Any ideas? ;)
Edit
@Jcs
Looks like you are totally right. I checked my PFX file with keytool and I get:
Your keystore contains 1 entry
Alias name: company_alias
Creation date: Apr 13, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
So it looks like the chain is not complete.
I'm not sure if it matters, but there are also a few extensions, for example:
#1: ObjectId: (some_numbers_here) Criticality=true
KeyUsage [
DigitalSignature
]
#2: ObjectId: (some_numbers_here) Criticality=false
AuthorityInfoAccess [
[
accessMethod: (some_numbers_here)
accessLocation: URIName: http://secure.globalsign.net/cacert/ObjectSign.crt]
]
(...)
The question is: is my PFX file totally wrong, or do I somehow need to add the GlobalSign root to it?
Recommended answer
Thanks a lot to all, especially Jcs :)
I finally discovered that the .pfx file was just imported improperly.
I asked my boss to import it for me from scratch with all possible paths/chains/certificates included and now it works :)
So if anyone has a similar problem, my advice is to try to get/import the certificate again
- it's rather a problem with the certificate itself than with the signing method.
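
An added example (not part of the original question or answer): a Python check over `keytool -list -v` output that flags private-key entries whose chain does not end at a self-signed certificate, which is what "Certificate chain length: 1" in the edit above indicated. The sample listing, aliases and CA names are constructed, and treating "Owner equals Issuer" as "root" is a heuristic assumption: a chain that stops just below a root the verifier already trusts can still validate.

```python
import re

# Constructed `keytool -list -v` output; aliases and CA names are made up.
SAMPLE = """\
Your keystore contains 2 entries

Alias name: leaf_only
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=CompanyName, O=CompanyName, C=DK
Issuer: CN=Example Code Signing CA, O=Example CA

Alias name: full_chain
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=CompanyName, O=CompanyName, C=DK
Issuer: CN=Example Root CA, O=Example CA
Certificate[2]:
Owner: CN=Example Root CA, O=Example CA
Issuer: CN=Example Root CA, O=Example CA
"""


def audit_chains(listing):
    """Summarise the certificate chain of every PrivateKeyEntry in the listing."""
    report = []
    for entry in re.split(r"(?m)^(?=Alias name: )", listing)[1:]:
        if not re.search(r"(?m)^Entry type: PrivateKeyEntry\s*$", entry):
            continue  # only private-key entries can be used to sign a jar
        alias = re.search(r"(?m)^Alias name: (.+)$", entry).group(1).strip()
        length = int(re.search(r"(?m)^Certificate chain length: (\d+)", entry).group(1))
        certs = list(zip(re.findall(r"(?m)^Owner: (.+)$", entry),
                         re.findall(r"(?m)^Issuer: (.+)$", entry)))
        # Heuristic (assumption): the chain is self-contained only when its
        # last certificate is self-signed, i.e. Owner == Issuer.
        owner, issuer = (s.strip() for s in certs[-1]) if certs else (None, None)
        report.append({"alias": alias, "chain_length": length, "top_issuer": issuer,
                       "ends_at_root": owner is not None and owner == issuer})
    return report


def needs_review(listing):
    """Aliases whose chain stops below a root, like the 1-certificate PFX above."""
    return [e["alias"] for e in audit_chains(listing) if not e["ends_at_root"]]


print(needs_review(SAMPLE))
```

For a flagged alias, `top_issuer` names the CA certificate that has to be included when the PFX is exported or re-imported.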