- Bug
- Resolution: Duplicate
- P3
- None
- 8u121
- x86
- os_x
FULL PRODUCT VERSION :
java version "1.8.0_121"
Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)
ADDITIONAL OS VERSION INFORMATION :
OSX v10.9.5
EXTRA RELEVANT SYSTEM CONFIGURATION :
Apache Ant(TM) version 1.10.0 compiled on December 27 2016
A DESCRIPTION OF THE PROBLEM :
I am trying to code sign a Java jar file, using Apache Ant's latest version v10.1.0 "SignJar" task, and a GlobalSign Java Code Signing Certificate "OS201605235537.pfx", valid until May 23, 2017.
(Note1: I have also reported this problem to GlobalSign Customer Support.)
(Note2: below I have removed the last 5 characters from my actual password.)
I never had a problem signing with my certificate "OS201605235537.pfx" until I upgraded today from Java 8u111 to Java 8u121, which was just released from Oracle today. I assume this has something to do with the increased security standards that began on February 1, 2017, but I have no idea really. I did add the new GlobalSign timestamping authority, which became active on Feb 1 2017 (see below), but that had no effect on the problem.
The build file line is as follows:
--------------------------------------
<signjar verbose="true" alias="1" storetype="PKCS12" storepass="XZ13AB7....." keystore="${codesigning-chngdmaster-changable-base.dir}/OS201605235537.pfx" tsacert="http://rfc3161timestamp.globalsign.com/standard" sigalg="SHA256withRSA" lazy="false">
--------------------------------------
This causes the following error:
[signjar] jarsigner: you must enter key password
[signjar] Enter Passphrase for keystore: Enter key password for 1:
If I add (keypass="XZ13AB7.....") to the above command, then the error message changes to:
[signjar] jarsigner: unable to recover key from keystore
[signjar] Enter Passphrase for keystore: Enter key password for 1:
Note that I just used the same password as the keystore password. I have no idea what the key password is, if it exists or is different. Maybe it has to be added somehow.
I have verified that nothing is different in my application build except the new Java version.
---------------------------------------
(Footnote: My certificate has an alias = "1", as shown by the following keytool command results...)
Gregs-MacBook-Pro:CSR_Results_2016 gregcolello$ keytool -v -list -storetype PKCS12 -keystore OS201605235537.pfx
Enter keystore password: XZ13AB7.....
-------------------------------------------
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name: 1
REGRESSION. Last worked in version 8u111
ADDITIONAL REGRESSION INFORMATION:
(see above for 8u121. Do you want version from 8u111? That's been overtaken at command line by 8u121.)
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
It would be hard to reproduce this problem without using my application, my certificate, and my actual certificate password.
I could produce a simple test case, if required; but I am hoping you will already know about this problem.
It has to be due to a change in 8u121 from 8u111, because nothing else changed from my working code under 8u111. I compiled and built under 8u111. I then installed 8u121. I recompiled and rebuilt in the same terminal window. Then the problem appeared. As a proof experiment, I then moved 8u121 into the Trash. I rebuilt. Ant reported it used 8u111. It worked. I then "put back" 8u121 from Trash. I rebuilt. Ant reported it used 8u121. It failed again.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
No error message from jarsigner.
ACTUAL -
[signjar] jarsigner: you must enter key password
[signjar] Enter Passphrase for keystore: Enter key password for 1:
ERROR MESSAGES/STACK TRACES THAT OCCUR :
[signjar] jarsigner: you must enter key password
[signjar] Enter Passphrase for keystore: Enter key password for 1:
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
Reverting back to 8u111, as described in Reproduce section above.
SUPPORT :
YES
- duplicates
- JDK-8175547 jarsigner Java 8u121 causes error "Enter key password for myAlias"
- Closed