On Sat, Mar 17, 2018 at 4:36 AM, Jaikiran Pai <jai.forums2...@gmail.com> wrote:
> "The -storepass, -keypass, -sigfile, -sigalg, -digestalg, -signedjar, and
> TSA-related options are only relevant when signing a JAR file; they are not
> relevant when verifying a signed JAR file. The -keystore option is relevant
> for signing and verifying a JAR file. In addition, aliases are specified
> when signing and verifying a JAR file."

Interesting catch; I missed that part.  Something else seems wrong then,
as including the alias name but leaving out the "-storepass nnnn" argument
when running the jarsigner binary (on the command line) gives the same
problematic behavior of verified-but-with-errors, including "entries that
are not signed by alias in this keystore" and tagging each entry with the
capital-X meaning "not signed by the alias you specified".

Giving a -storepass allows everything to work, including verification of
the named certificate.

Whether that's an upstream bug, a documentation bug, or a gap in our local
understanding, it definitely seems that <verifyjar> is following the upstream
lead with respect to -storepass.


> Would you like to file a bug here
> https://bz.apache.org/bugzilla/describecomponents.cgi?product=Ant

I will try, although my toleration for bugzilla in general has about reached
an all-time low...  I'll see if I can get the 'alias' bug submitted before
the end of the day.


Thanks again!

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@ant.apache.org
For additional commands, e-mail: user-h...@ant.apache.org
