I have a self-signed root certificate with just the code signing extension (no other extensions) in my Mac keychain; I use it to sign all code coming out of ∞labs using Apple's codesign tool and it works great.

I was looking to expand myself a little and doing some Java development. I know Apple provides a KeyStore implementation that reads from the Keychain, and I can list all certificates I have in the 'chain with:

keytool -list -provider com.apple.crypto.provider.Apple -storetype KeychainStore -keystore NONE -v

However, whenever I try to use jarsigner to sign a simple test JAR file, I end up with:

$ jarsigner -keystore NONE -storetype KeychainStore -providerName Apple a.jar infinitelabs_codesigning_2
Enter Passphrase for keystore: <omitted>
jarsigner: Certificate chain not found for: infinitelabs_codesigning_2.  infinitelabs_codesigning_2 must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.

What am I doing wrong?

(The certificate was created following Apple's instructions for obtaining a signing identity.)

+1  A: 

I think that your keystore entry alias must be wrong. Are you using the alias name of a keystore object with an entry type of "keyEntry"? The same command works perfectly for me.

From the jarsigner man page:

When using jarsigner to sign a JAR file, you must specify the alias for the keystore entry containing the private key needed to generate the signature.

bd808
The keystore entry alias is right, if it's the one displayed by the first keytool -list command and not something else I'm not aware of.
millenomi
A: 

I notice now that keytool -list shows certificates in my keychain as trustedCertEntries, but only some of the private keys as keyEntries (such as my iPhone developer key). The certificate I use is shown as a trustedCertEntry but has no corresponding keyEntry.

Any ideas?

millenomi
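The mismatch described above (a certificate visible as a trustedCertEntry, but no keyEntry for jarsigner to use) can be checked directly through the same KeyStore API that keytool and jarsigner go through. This is an added diagnostic, not code from the thread or from Apple; it assumes a Mac JDK that ships the Apple provider ("KeychainStore" type, "Apple" provider name), and takes the aliases to check as command-line arguments.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.List;

/**
 * Added diagnostic: lists what Apple's KeychainStore exposes to Java and
 * reports, per alias, whether jarsigner's two requirements are met:
 * the alias is a key entry AND its certificate chain is retrievable.
 */
public class KeychainAliasCheck {

    /** Opens the keychain the way keytool/jarsigner do with -storetype KeychainStore -providerName Apple. */
    static KeyStore loadKeychain() throws Exception {
        KeyStore ks = KeyStore.getInstance("KeychainStore", "Apple");
        ks.load(null, null); // KeychainStore ignores the stream; the keychain itself governs access
        return ks;
    }

    /** Verdict for one alias, mirroring the checks jarsigner performs before signing. */
    static String verdict(KeyStore ks, String alias) throws Exception {
        if (!ks.containsAlias(alias)) {
            return "no such alias in the keychain";
        }
        if (ks.isCertificateEntry(alias) && !ks.isKeyEntry(alias)) {
            return "trustedCertEntry only: no private key visible to Java, jarsigner cannot use it";
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            return "keyEntry without a chain: jarsigner reports 'Certificate chain not found'";
        }
        return "keyEntry with " + chain.length + " certificate(s): usable by jarsigner";
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadKeychain();
        // With no arguments, report on every alias the provider exposes.
        List<String> aliases = args.length > 0 ? List.of(args) : Collections.list(ks.aliases());
        for (String alias : aliases) {
            System.out.printf("%-40s %s%n", alias, verdict(ks, alias));
        }
    }
}
```

Compile and run with `javac KeychainAliasCheck.java && java KeychainAliasCheck <alias>`; an alias that prints as trustedCertEntry only is the case the question describes, and no jarsigner flag will change that until the keychain exposes the matching private key as a key entry.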
A: 

Have you tried to export the key from the Apple keychain and import it via keytool? Perhaps Apple hasn't properly integrated keytool with their keychain (not like they have a stellar track record with supporting Java).

Edit:

Hmm... I just tried taking a key that worked from the Java store that I imported into the Apple keychain (has a private/public key) and it doesn't work. So either my importing is wrong, you cannot access the Apple Keychain in this way, or something else is going wrong :-)

TofuBeer