JDK-8330217

Spurious warning from jarsigner -verify when keystore with intermediate CA is used


If a jar is signed with a private key entry containing more than one certificate in the chain (i.e. signer cert + intermediate CA), then jarsigner -verify outputs:

Warning:
This jar contains signed entries that are not signed by alias in this keystore.

incorrectly. This happens because the inKeyStoreForOneSigner method in sun.security.tools.jarsigner.Main calls store.getCertificateAlias(c) for each certificate in the CodeSigner's signer path. However, getCertificateAlias only compares the given certificate against the first certificate in the chain of a private key entry, so the intermediate CA certificate in the signer path is never matched.

Additionally, the global allAliasesFound flag is set with:

    allAliasesFound =
            (inStoreWithAlias & SOME_ALIASES_NOT_FOUND) == 0;

It seems that should be:

    allAliasesFound &=
            (inStoreWithAlias & SOME_ALIASES_NOT_FOUND) == 0;

      Issue observed in Oracle JDK 21 and 22.
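An added check (not code from the JDK or from this report) that shows the difference between the first-certificate-only lookup of KeyStore.getCertificateAlias and a whole-chain lookup, and accumulates the per-signer result with &= as proposed above; it assumes a signed jar, a keystore file and its password as command-line arguments.

```java
import java.io.*;
import java.security.*;
import java.security.cert.Certificate;
import java.util.*;
import java.util.jar.*;

public class SignerChainCheck {
    // Alias of the keystore entry whose certificate chain contains cert, or null.
    // Unlike KeyStore.getCertificateAlias(cert), this compares every certificate
    // of a private-key entry's chain, not only the first one.
    static String aliasCoveringCert(KeyStore ks, Certificate cert) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate[] chain = ks.isKeyEntry(alias) ? ks.getCertificateChain(alias)
                                                       : new Certificate[] {ks.getCertificate(alias)};
            if (chain == null) continue;
            for (Certificate c : chain) {
                if (cert.equals(c)) return alias;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: signed jar path, keystore path, keystore password.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            ks.load(in, args[2].toCharArray());
        }
        boolean allAliasesFound = true; // accumulated with &= so one miss sticks
        try (JarFile jar = new JarFile(args[0], true)) {
            for (Enumeration<JarEntry> en = jar.entries(); en.hasMoreElements();) {
                JarEntry entry = en.nextElement();
                try (InputStream in = jar.getInputStream(entry)) {
                    in.transferTo(OutputStream.nullOutputStream()); // signers need a full read
                }
                if (entry.getCodeSigners() == null) continue;
                for (CodeSigner s : entry.getCodeSigners()) {
                    for (Certificate c : s.getSignerCertPath().getCertificates()) {
                        String alias = aliasCoveringCert(ks, c);
                        System.out.printf("%s: first-cert lookup=%s, chain lookup=%s%n",
                                entry.getName(), ks.getCertificateAlias(c), alias);
                        allAliasesFound &= (alias != null);
                    }
                }
            }
        }
        System.out.println("all signer certificates found in keystore: " + allAliasesFound);
    }
}
```

For a jar signed with a key entry whose chain holds signer cert + intermediate CA, the first-cert lookup prints null for the intermediate while the chain lookup reports the key entry's alias.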

Assignee: Weijun Wang
Reporter: Richard Evans