看起来JDK 1.7.0_80中的Thawte根证书被撤销了.
https://www.thawte.com/roots/retired.html
https://www.thawte.com/roots/retired.html
使用7u80 jarsigner不再有效,而且几天前工作正常.
/usr/java/jdk1.7.0_80/jre/../bin/jarsigner -keystore /home/build/keystore.p12 -storepass storepass -storetype pkcs12 -tsa https://timestamp.geotrust.com/tsa /home/build/jenkins/workspace/my-gui/target/my-gui-3.0.29-SNAPSHOT.jar comp jarsigner: unable to sign jar: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
在删除旧证书后,我尝试将Thawtes Timestamping CA证书导入cacerts.
wget https://www.thawte.com/roots/Thawte_Timestamping_CA.pem /usr/java/jdk1.7.0_80/bin/keytool -import -trustcacerts -alias verisigntsaca -file Thawte_Timestamping_CA.pem -keystore jre/lib/security/cacerts Enter keystore password: Trust this certificate? [no]: yes Certificate was added to keystore
使用JDK 8u60的jarsigner工作,所以我试图将它的cacerts复制到JDK7,但这也不起作用.
由于Javadoc错误,我们无法使用Java 8进行编译.我看到的唯一解决方案是在JDK7中创建符号链接到JDK8 jarsigner.
/usr/java/jdk1.8.0_60/jre/../bin/jarsigner -keystore /home/build/keystore.p12 -storepass storepass -storetype pkcs12 -tsa https://timestamp.geotrust.com/tsa /home/build/jenkins/workspace/my-gui/target/my-gui-3.0.29-SNAPSHOT.jar comp jar signed.
如果我将tsa从geotrust切换到digicert,它可以正常使用JDK 7,因为它们不使用https.
http://timestamp.digicert.com/
解决方法
我在过去12小时内也只遇到过这个问题.此问题与证书无关,而是与用于与时间戳服务器通信的协议有关.这将适用于JDK7,但是您需要将以下内容添加到jarsigner命令中
-J-Dhttps.protocols=TLSv1.2
因此,您的命令将如下所示:
/usr/java/jdk1.7.0_80/jre/../bin/jarsigner -J-Dhttps.protocols=TLSv1.2 -keystore /home/build/keystore.p12 -storepass storepass -storetype pkcs12 -tsa https://timestamp.geotrust.com/tsa /home/build/jenkins/workspace/my-gui/target/my-gui-3.0.29-SNAPSHOT.jar comp
似乎GeoTrust已禁用TLS 1.0版,这是Java 7中的默认值.以下链接提供了有关此内容的更多信息:
GeoTrust Partner: Disable of Transport Layer Security (TLS) version 1.0 protocol
希望这可以帮助.
