I have imported a certificate into a private ~/.keystore file:
keytool -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
mylyn-mantis, Jul 15, 2010, trustedCertEntry
and am trying to sign a jar with it, but I get a 'certificate chain not found' error.
jarsigner -verbose /home/robert/file.jar mylyn-mantis
jarsigner: Certificate chain not found for: mylyn-mantis. mylyn-mantis must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
How can I solve this problem?
It seems that your keystore contains only a certificate (public key). You need a complete key entry, with a private key and the whole certificate chain, to be able to sign anything.
Short Answer
Use your alias key instead of key store like this:
jarsigner -verbose -keystore [Your signature storage path] -signedjar [signed filename] [unsigned filename] [Your alias key]
More Details
Here is the easiest way to solve this error:
Go to the bin folder; it may be in this path:
C:\Users\[Your computer name]\jdk\bin
or this path:
C:\Program Files\Java\jre1.8.0_77\bin
To prevent issues caused by the configuration of environment variables, please copy both the empty package to be signed and your key store [the private key for signature] to the bin directory under the JDK.
Get your alias key by running this command:
keytool -keystore [your key store] -list -v
Finally run this command:
jarsigner -verbose -keystore [Your signature storage path] -signedjar [signed filename] [unsigned filename] [Your alias key]
I faced the same issue. I have a .p12 file issued by a CA and I was trying to sign a jar file. However, I was getting the error:
jarsigner: Certificate chain not found for:
Basically I was copying the alias name from the console. It contained a wrong character, a 'question mark' (?), which caused this error. Instead I redirected the output of keytool to a text file and then copied the alias name from there.
Issue this command:
keytool -list -v -storetype pkcs12 -keystore "mycertificate.p12" > cert.txt
(This is very important. Always redirect to txt file. Do not copy from console output. It can contain wrong characters)
Find out alias name in certificate. Open cert.txt and copy string as it is mentioned in front of "Alias name:"
Let's say this string is "my alias name, a.p.’s my ca limited id"
Use jarsigner:
jarsigner -storetype pkcs12 -keystore "mycertificate.p12" myjarfile.jar "my alias name, a.p.’s my ca limited id"
I had this error, but it was a different issue. When you send off a CSR to a CA it comes from a particular private key with a particular alias that you generated. When you receive the cert back again you must import it using the same alias name or else the two certs will not be wired together.
If you have done it right, when you use keytool -list -v you will see a single entry with the alias name, of type
Entry type: PrivateKeyEntry
Certificate chain length: 3
For the entry.
If you have done it wrong then you will have two entries
Entry type: PrivateKeyEntry
Certificate chain length: 1
and
Entry type: trustedCertEntry
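The three answers above describe the same failure from different angles: the alias names a trustedCertEntry instead of a PrivateKeyEntry, the alias was pasted from a console that turned a non-ASCII character into '?', or the CA reply was imported under a different alias so the private key's chain stayed at length 1. The following program is an added example, not code from the question or the answers: it opens the keystore with the standard java.security.KeyStore API and prints why jarsigner would accept or reject the alias. The class name, the command-line layout and the '?'-matching heuristic are my own choices.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Pre-flight check for a jarsigner alias, with a reason instead of "Certificate chain not found".
 *  Run from a terminal: java SigningEntryCheck <keystore> <JKS|PKCS12> <alias> */
public class SigningEntryCheck {

    public static List<String> diagnose(KeyStore ks, String alias) throws Exception {
        List<String> findings = new ArrayList<>();
        List<String> aliases = Collections.list(ks.aliases());

        if (!ks.containsAlias(alias)) {
            findings.add("no entry named '" + alias + "'; aliases present: " + aliases);
            // Alias pasted from a console that rendered non-ASCII characters as '?'
            for (String a : aliases) {
                if (looksLikeConsoleMangled(alias, a)) {
                    findings.add("did you mean '" + a + "'? Redirect 'keytool -list -v' to a file and copy the alias from there");
                }
            }
            return findings;
        }
        if (ks.isCertificateEntry(alias)) {
            findings.add("'" + alias + "' is a trustedCertEntry: a public certificate with no private key, so it cannot sign");
            return findings;
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            findings.add("'" + alias + "' is a key entry without a certificate chain");
            return findings;
        }
        findings.add("'" + alias + "' is a PrivateKeyEntry, certificate chain length " + chain.length
                + ": jarsigner will accept it");

        // CA reply imported under a different alias: the chain stays at length 1 (the self-signed
        // certificate) and the CA-issued certificate sits in a separate trustedCertEntry that
        // carries the same public key as the private key entry.
        if (chain.length == 1) {
            PublicKey signerKey = chain[0].getPublicKey();
            for (String other : aliases) {
                if (!other.equals(alias) && ks.isCertificateEntry(other)
                        && ks.getCertificate(other).getPublicKey().equals(signerKey)) {
                    findings.add("trustedCertEntry '" + other + "' holds the same public key: import that CA reply again with -alias "
                            + alias + " so the chain is wired to the private key");
                }
            }
        }
        return findings;
    }

    /** True when 'typed' equals 'actual' except that non-ASCII characters of 'actual' appear as '?'. */
    static boolean looksLikeConsoleMangled(String typed, String actual) {
        if (typed.length() != actual.length() || typed.equals(actual)) return false;
        for (int i = 0; i < typed.length(); i++) {
            char t = typed.charAt(i), a = actual.charAt(i);
            if (t != a && !(t == '?' && a > 127)) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 3 || console == null) {
            System.err.println("usage (from a terminal): java SigningEntryCheck <keystore> <JKS|PKCS12> <alias>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = new FileInputStream(args[0])) {   // a wrong path fails here, not as an empty store
            ks.load(in, console.readPassword("Enter keystore password: "));
        }
        for (String line : diagnose(ks, args[2])) System.out.println(line);
    }
}
```

For the first question's keystore this prints that mylyn-mantis is a trustedCertEntry; for the "done it wrong" layout it names the stray trustedCertEntry whose public key matches the PrivateKeyEntry. JKS aliases are case-insensitive, so containsAlias already tolerates case differences; the '?' heuristic only covers a one-character-per-'?' mangling.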
I encountered this error because I was using a Jenkins "certificate" credential. The Jenkins credential configuration dialog has a text box called Description, whose help says it is a free comment describing the credential. In fact, the Jenkins pipeline block withCredentials uses the Description text box to populate the environment variable named in the aliasVariable property.
withCredentials([certificate(
credentialsId: my_credentials,
keystoreVariable: 'MY_KEYSTORE',
aliasVariable: 'MY_ALIAS', // Set value in Description textbox
passwordVariable: 'MY_PASSWORD')]) {
bat 'mvn clean deploy -Dmy.keystore=%MY_KEYSTORE% -Dmy.alias=%MY_ALIAS% -Dmy.password=\"%MY_PASSWORD%\"'
}
This is not mentioned in the Jenkins documentation.
mylyn-mantis should be the actual alias name you used when you generated the signing key.
I've created a global JKS that has "changeme" as the keystore password. I created the JKS using the Keystore Explorer.
The idea behind using the global JKS is that apps can pull down the JKS from S3 and then reset the JKS with their own string password. We do a lot of SpringBoot APIs and we use the JKSs to secure Tomcat in the container so we can get HTTPS connected.
But here's the problem I'm running into, when I change the JKS keystore password I start getting java.security.UnrecoverableKeyException: Cannot recover key errors being thrown.
In the Keystore Explorer I didn't specify a password for the alias. When I go into the Keystore Explorer to change the alias password, it accepts "changeme" as the password. So, I assume the Keystore Explorer is automatically using changeme as the password since I supplied it for the JKS keystore password.
Admittedly, I'm no expert with using JKS and understanding the intricacies of security but this one has me stumped.
I've also tried changing both the keystore password and the alias password with keytool using the following commands:
keytool -storepasswd -keystore myJKS.jks
and
keytool -keypasswd -alias myalias -keystore myJKS.jks
But when I try to change the alias I get:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
What am I doing wrong?
Thanks
The error you are seeing is because you might have provided the wrong keystore password in the command.
A basic understanding of how and what JKS is. A JKS (Java KeyStore) is basically a file that protects secret keys (symmetric keys), key pairs (asymmetric keys) and certificates. The way it protects them is by a password, this password is called a keystore-password. And the keys within the JKS file can also be protected individually, which means they can have their own password, which is called a key-password.
The way to change the keystore-password:
keytool -storepasswd -keystore [KEYSTORE] -storepass [OLD_KEYSTORE_PASSWORD] -new [NEW_KEYSTORE_PASSWORD]
The way to change the key-password:
keytool -keypasswd -keystore [KEYSTORE] -storepass [KEYSTORE_PASSWORD] -alias [ALIAS] -keypass [OLD_KEY_PASSWORD] -new [NEW_KEY_PASSWORD]
These are the properties related to securing the spring-boot application. You have to define the keystore-password and key-password in those properties.
server.ssl.ciphers= # Supported SSL ciphers.
server.ssl.client-auth= # Client authentication mode.
server.ssl.enabled=true # Whether to enable SSL support.
server.ssl.enabled-protocols= # Enabled SSL protocols.
server.ssl.key-alias= # Alias that identifies the key in the key store.
server.ssl.key-password= # Password used to access the key in the key store.
server.ssl.key-store= # Path to the key store that holds the SSL certificate (typically a jks file).
server.ssl.key-store-password= # Password used to access the key store.
server.ssl.key-store-provider= # Provider for the key store.
server.ssl.key-store-type= # Type of the key store.
server.ssl.protocol=TLS # SSL protocol to use.
server.ssl.trust-store= # Trust store that holds SSL certificates.
server.ssl.trust-store-password= # Password used to access the trust store.
server.ssl.trust-store-provider= # Provider for the trust store.
server.ssl.trust-store-type= # Type of the trust store.
You can find all the spring-boot properties in the documentation here.
If you look at the properties, there is server.ssl.key-store-password and server.ssl.key-password. You can ask the users to set those two values after they change the global JKS password.
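The answer above separates the keystore password from the per-entry key password. The program below is an added example, not code from the question or the answer, that reproduces the symptom with the java.security.KeyStore API and then applies the equivalent of keytool -keypasswd. Two assumptions: a JKS file cannot hold a secret key and the JDK has no public API for minting a certificate, so a PKCS12 store with an AES key stands in for the PrivateKeyEntry; the password mechanics (the entry stays encrypted under its own key password when the store is re-saved under a new store password) are the same. The passwords and alias are the question's, the class name is mine.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Shows why changing only the store password yields "Cannot recover key", and the fix. */
public class KeyPasswordDemo {

    static byte[] store(KeyStore ks, char[] storePass) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);            // MACs the whole file with storePass; entries are NOT re-encrypted
        return out.toByteArray();
    }

    static KeyStore load(byte[] bytes, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(bytes), storePass);
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] oldPass = "changeme".toCharArray();
        char[] newPass = "s3cret-per-app".toCharArray();   // assumed per-application password
        String alias = "myalias";

        // 1. The "global" store. Leaving the entry password blank in a GUI tool means the
        //    entry is protected with the store password, i.e. oldPass.
        KeyStore global = KeyStore.getInstance("PKCS12");
        global.load(null, null);
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();   // stand-in for the TLS private key
        global.setKeyEntry(alias, key, oldPass, null);
        byte[] globalBytes = store(global, oldPass);

        // 2. An app "resets" the store password only: keytool -storepasswd does exactly this.
        KeyStore app = load(globalBytes, oldPass);
        byte[] appBytes = store(app, newPass);

        // 3. The store opens with newPass, but the entry is still encrypted under oldPass.
        KeyStore reloaded = load(appBytes, newPass);
        try {
            reloaded.getKey(alias, newPass);
            System.out.println("unexpected: entry opened with the new password");
        } catch (UnrecoverableKeyException e) {
            System.out.println("as in the question: " + e);
        }
        System.out.println("old key password still works: " + (reloaded.getKey(alias, oldPass) != null));

        // 4. Fix: re-protect the entry with the new key password (what keytool -keypasswd does),
        //    then save again. Now server.ssl.key-store-password and server.ssl.key-password agree.
        reloaded.setKeyEntry(alias, reloaded.getKey(alias, oldPass), newPass, null);
        KeyStore fixed = load(store(reloaded, newPass), newPass);
        System.out.println("after -keypasswd equivalent: " + (fixed.getKey(alias, newPass) != null));
    }
}
```

The Spring Boot consequence follows directly: after a store-only password change, server.ssl.key-store-password must be the new value while server.ssl.key-password must still be "changeme" until the entry itself is re-protected.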
I am getting this error everytime I tried to generate my signed apk through Android Studio:
No key with alias 'Operator_keystore' found in keystore PATH/OrderOperator_keystore
Previously I successfully submitted builds with the same keystore. The problem arose when I moved my whole project folder to another folder; I also invalidated the cache of Android Studio.
I am signing the apk like this
Any help would be appreciated.
Open a terminal and run the following command:
keytool -list -v -keystore </path/to/your/keystore.jks>
After you enter the keystore password, it will display the list of certificates stored in that keystore, including the alias names, e.g.
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: androiddebugkey
Creation date: Nov 19, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
...
Look at the alias name displayed, and compare that with the value you put in the Key alias field in that Studio window.
Make sure your key store path is correct with the location of the new folder, and also make sure you're entering the correct password for both the key store and the alias. If that doesn't work, try changing
keystore PATH/OrderOperator_keystore
To
keystore PATH/
There shouldn't be any space in the keystore path either.
You can use Gradle's signingReport task to generate a hash key or SHA1 key, and also refresh the app-level build.gradle file after submitting the keystore form.
I'm trying to use KeyStore in order to get info from a keystore.
I've generated the keystore using this command:
keytool -genkey -alias server -keyalg RSA -keystore server.keystore -validity 365 taken from this page.
Checking its info keytool -list -v -keystore server.keystore I get the following:
Alias name: server
Creation date: Apr 30, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
(other info here)
Using this command: keytool -list -keystore server.keystore -alias server I get this:
server, Apr 30, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): 28:65:5B:0C:B3:3C:C9:AA:F1:7C:CE:91:23:77:DD:0D:F8:54:70:B9
Now, my java code:
keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(getClass().getResourceAsStream(KEYSTORE_FILE_PATH), "myPass".toCharArray());
keyStore.getCertificate("server").getPublicKey().getEncoded(); //here I get a null pointer exception - keystore.getCertificate("server") returns null.
Doing keyStore.aliases() returns an EmptyEnumeration.
The application uses maven, java ee 7 and I've copied the keystore file in the resources folder of my application. KEYSTORE_FILE_PATH has the value of "/server.keystore".
Thanks.
Class.getResourceAsStream() returns null when there is no resource with the specified name.
KeyStore.load() resets the key store to the empty state when passed a null input stream.
It means that at runtime your code does not find the keystore resource and silently proceeds with the empty keystore.
Add a guarding condition that checks that getResourceAsStream() returned a non-null value before passing it into KeyStore.load().
Review your code and the build/packaging process in Maven to ensure that the keystore file is present at the proper location.
There are some questions about getResourceAsStream() that can be of help for you.
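The guard the answer asks for, as an added example that is not part of the question or the answer. It keeps the question's resource path, alias and password; the class name and the error messages are mine. KeyStore.load(null, pw) is a legitimate call that deliberately creates an empty store, which is why a missing resource must be caught before it reaches load().

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.Collections;

public final class KeystoreResource {

    /** Loads a keystore from the classpath and refuses to fall through to an empty store. */
    public static KeyStore loadFromClasspath(Class<?> ctx, String resource, char[] password) throws Exception {
        try (InputStream in = ctx.getResourceAsStream(resource)) {
            if (in == null) {
                // KeyStore.load(null, pw) would silently return an EMPTY store with no aliases.
                throw new IOException("keystore resource not found on classpath: " + resource
                        + " (is it under src/main/resources and packaged into the artifact?)");
            }
            // On JDK 9+ the default type is pkcs12, which also reads a JKS file created by keytool.
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, password);
            return ks;
        }
    }

    /** A clear error instead of a NullPointerException when the alias is not in the store. */
    public static PublicKey publicKeyOf(KeyStore ks, String alias) throws Exception {
        Certificate cert = ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalArgumentException("no entry '" + alias + "' in keystore; aliases present: "
                    + Collections.list(ks.aliases()));
        }
        return cert.getPublicKey();
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadFromClasspath(KeystoreResource.class, "/server.keystore", "myPass".toCharArray());
        System.out.println(publicKeyOf(ks, "server").getAlgorithm());   // RSA for the question's keystore
    }
}
```

With the resource missing, the first call now fails with the IOException naming the path instead of an EmptyEnumeration three lines later.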
I had the following questions about timestamping a jar (exe timestamping is working fine):
Do we have to "purchase" anything for timestamping , similar to code signing certificate?
Is it mandatory to timestamp the exe/jar from the same TSA , with which it is signed? We have purchased a code signing certificate from GoDaddy.
The "http://support.godaddy.com/help/article/4833/about-code-signing-certificates" link of GoDaddy says:
Is there a limit to the amount of time stamp requests allowed for a
Code Signing certificate? No. Unlike some of our competitors, we do
not limit the number of time stamp requests which can be issued by a
single Code Signing certificate.
From the above statement, I understand that timestamping can be done if you have purchased a code signing certificate.
using command:
jarsigner -keystore mykeys -sigfile SIG -signedjar SignedApp.jar -tsacert testalias app.jar johndoe
where testalias is the TSA's public key certificate.
Where can I get GoDaddy's TSA public key certificate ?
If I use below command to timestamp
jarsigner -verbose -keystore C:\a.pfx -storepass <password> -storetype pkcs12 C:\abc.jar -tsa http://tsa.starfieldtech.com <pfx certificate alias>
I get the following error:
jarsigner: Certificate chain not found for: -tsa. -tsa must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
Apart from "How to validate if a signed jar contains a timestamp?", is there any easier way to check the timestamp of a jar?
No, you don't have to purchase anything else. Your certificate is enough.
It is desirable to timestamp your jars, because otherwise they will expire when your certificate expires.
It looks like you permuted the options for jarsigner. Try this order:
jarsigner -verbose -keystore C:\a.pfx -storepass <password> -storetype pkcs12 -tsa http://tsa.starfieldtech.com C:\abc.jar "<pfx certificate alias>"
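The question's last point, how to check whether a signed jar actually carries a timestamp, is not addressed by the answer. The program below is an added example, not code from the question or the answer. It uses only public JDK APIs: a verifying java.util.jar.JarFile populates JarEntry.getCodeSigners() after an entry has been read, and each CodeSigner exposes the TSA token through getTimestamp(). The class name and the report format are mine; the jar path is taken from the command line.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Per signer: is the signature timestamped, by whom, and when. Run: java JarTimestampCheck signed.jar */
public class JarTimestampCheck {

    public static Map<String, String> summarize(String jarPath) throws Exception {
        Map<String, String> report = new LinkedHashMap<>();
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(jarPath, true)) {          // true: verify digests and signatures
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are only attached once the entry has been read to the end and verified.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                } catch (SecurityException tampered) {               // digest mismatch for this entry
                    report.put(e.getName(), "SIGNATURE INVALID: " + tampered.getMessage());
                    continue;
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    report.putIfAbsent("(unsigned entries)", "first seen: " + e.getName());
                    continue;
                }
                for (CodeSigner s : signers) {
                    X509Certificate signer = (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    String who = signer.getSubjectX500Principal().getName();
                    Timestamp ts = s.getTimestamp();
                    String status;
                    if (ts == null) {
                        status = "NO TIMESTAMP: treated as expired after " + signer.getNotAfter();
                    } else {
                        X509Certificate tsa = (X509Certificate) ts.getSignerCertPath().getCertificates().get(0);
                        status = "timestamped " + ts.getTimestamp() + " by " + tsa.getSubjectX500Principal().getName();
                    }
                    report.putIfAbsent(who, status);
                }
            }
        }
        return report;
    }

    public static void main(String[] args) throws Exception {
        summarize(args[0]).forEach((signer, status) -> System.out.println(signer + ": " + status));
    }
}
```

Reading every entry is deliberate: JarFile verifies lazily, so a jar whose manifest is intact but whose class bytes were altered only surfaces the SecurityException when the altered entry is actually read.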
I have a basic question about signing a jar file with a provided certificate. I have a certificate(.pem file) that I wish to use to sign a jar. I do not have its private key.
The command that I used till now is: jarsigner -keystore /working/mystore -storepass <keystore password> -keypass <private key password> -signedjar sbundle.jar bundle.jar test. Is there a way to sign the jar without the private key?
No, by definition you need the private key to sign, that's the whole idea. You cannot sign with just the public certificate containing the public key, you can only verify with it.