> Can you verify that the certificate is in there by doing "keytool
> -list .../cacerts"?

keytool -v --list -keystore /usr/lib/jvm/jdk1.8.0_25/jre/lib/security/cacerts |grep "codesigntest"
Enter keystore password:
Alias name: codesigntest
Owner: CN=codesigntest

>> I mentioned the same alias in catalina.policy grant signedBy "codesigntest"

> Okay.
> So that certificate directly-signed your JAR?
> At runtime, do you get an error? What's the full message and stack trace?

I have signed the ams_ear.ear using jar signer prior to deploying it using the following command:

root@pay:/home/sanaullah# jarsigner -verbose -keystore /home/sanaullah/codesigntest.jks -storepass test /home/sanaullah/apache-tomee-webprofile-2.0.0-SNAPSHOT/apps/ams_ear.ear codesigntest
updating: META-INF/CODESIGN.SF
updating: META-INF/CODESIGN.RSA
adding: lib/
signing: lib/javax.json.jar
signing: lib/javax.jms-api.jar
signing: lib/ams_persistence.jar
signing: lib/httpclient-4.3.4.jar
signing: lib/httpcore-4.3.2.jar
signing: lib/commons-logging-1.1.3.jar
signing: lib/commons-codec-1.6.jar
signing: lib/nekohtml-1.9.21.jar
signing: lib/xercesImpl-2.10.0.jar
signing: lib/xml-apis-1.4.01.jar
signing: lib/commons-io-2.4.jar
signing: lib/jcl-over-slf4j-1.7.5.jar
signing: lib/slf4j-api-1.7.5.jar
signing: lib/slf4j-log4j12-1.7.5.jar
signing: lib/log4j-1.2.17.jar
signing: lib/commons-lang3-3.1.jar
signing: lib/jackson-core-2.4.0.jar
signing: lib/jackson-databind-2.4.0.jar
signing: lib/jackson-annotations-2.4.0.jar
signing: lib/spring-integration-http-4.0.4.RELEASE.jar
signing: lib/spring-webmvc-4.0.7.RELEASE.jar
signing: lib/spring-beans-4.0.7.RELEASE.jar
signing: lib/spring-core-4.0.7.RELEASE.jar
signing: lib/spring-context-4.0.7.RELEASE.jar
signing: lib/spring-aop-4.0.7.RELEASE.jar
signing: lib/spring-expression-4.0.7.RELEASE.jar
signing: lib/spring-web-4.0.7.RELEASE.jar
signing: lib/rome-fetcher-1.0.0.jar
signing: lib/jdom-1.0.jar
signing: lib/rome-1.0.0.jar
signing: lib/spring-integration-core-4.0.4.RELEASE.jar
signing: lib/spring-tx-4.0.7.RELEASE.jar
signing: lib/spring-retry-1.1.1.RELEASE.jar
signing: lib/spring-messaging-4.0.7.RELEASE.jar
signing: lib/spring-integration-jdbc-4.0.4.RELEASE.jar
signing: lib/spring-jdbc-4.0.7.RELEASE.jar
signing: lib/guava-16.0.1.jar
signing: lib/spring-integration-stream-4.0.4.RELEASE.jar
signing: lib/spring-integration-ws-4.0.4.RELEASE.jar
signing: lib/spring-ws-core-2.2.0.RELEASE.jar
signing: lib/spring-xml-2.2.0.RELEASE.jar
signing: lib/spring-oxm-4.0.7.RELEASE.jar
signing: lib/spring-aspects-4.0.7.RELEASE.jar
signing: lib/aspectjweaver-1.8.2.jar
signing: lib/spring-orm-4.0.7.RELEASE.jar
signing: lib/aspectjrt-1.8.2.jar
signing: lib/spring-integration-ftp-4.0.4.RELEASE.jar
signing: lib/commons-net-3.3.jar
signing: lib/spring-integration-file-4.0.4.RELEASE.jar
signing: lib/spring-context-support-4.0.7.RELEASE.jar
signing: lib/spring-integration-sftp-4.0.4.RELEASE.jar
signing: lib/jsch-0.1.51.jar
signing: ams_war.war
signing: ams_ejb.jar
signing: log4j.properties
jar signed.

Warning:
No -tsa or -tsacert is provided and this jar is not timestamped. Without a timestamp, users may not be able to validate this jar after the signer certificate's expiration date (2016-11-02) or after any future revocation date.

Regards,
Sanaullah

On Thu, Feb 19, 2015 at 9:09 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Sanaullah,
>
> On 2/19/15 10:28 AM, Sanaullah wrote:
> > I have imported the public key (signed certificate) of the code
> > signing certificate using keytool to JVM cacerts
> > "/usr/lib/jvm/jdk1.8.0_25/jre/lib/security/cacerts" and certificate
> > alias name is "codesigntest"
>
> Can you verify that the certificate is in there by doing "keytool
> -list .../cacerts"?
>
> > I mentioned the same alias in catalina.policy grant signedBy
> > "codesigntest"
>
> Okay.
>
> So that certificate directly-signed your JAR?
>
> At runtime, do you get an error? What's the full message and stack trace?
>
> Thanks,
> -chris
>
> > On Thu, Feb 19, 2015 at 8:13 PM, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Sanaullah,
> >
> > On 2/13/15 12:48 PM, Sanaullah wrote:
> >>>> I have signed the ear package using jar signer and start the
> >>>> tomee using ./startup.sh -security and also edit the
> >>>> catalina.policy file looks like below.
> >>>>
> >>>> I am confused here, how code sign verification process is
> >>>> done? if the code sign certificate is not in the truststore
> >>>> still the tomcat server will start? or it stops booting the
> >>>> application?
> >>>>
> >>>> I haven't seen anything in the log related to code sign, how
> >>>> can I verify this?
> >
> > I'm no expert in use of a security manager or signed code, but
> > where is your trust store located? How are you telling the JVM
> > about where to find it?
> >
> > -chris
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
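
Added example, not part of the original thread: jarsigner writes its META-INF/*.SF file and signature block only into the archive it is run on, so this Python script reports which archives nested inside an EAR carry signature files of their own; that matters because a signedBy grant is matched against the signers of the code source a class is loaded from. The sample EAR is constructed in memory (entry names borrowed from the output above, contents are placeholders), and the check is for presence of signature files only; cryptographic validity is what `jarsigner -verify` checks.

```python
import io
import zipfile

SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")   # signature block stored next to the .SF file
NESTED_EXT = (".jar", ".war", ".ear")

def has_own_signature(zf):
    """True if the archive has a META-INF/*.SF file and a signature block file.
    Presence check only; it does not validate digests or the certificate chain."""
    sf = block = False
    for name in zf.namelist():
        upper = name.upper()
        if upper.startswith("META-INF/") and upper.count("/") == 1:
            sf = sf or upper.endswith(".SF")
            block = block or upper.endswith(SIG_BLOCK_EXT)
    return sf and block

def audit(data, label, report=None):
    """Map each archive path (outer and nested) to whether it carries its own signature."""
    report = {} if report is None else report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        report[label] = has_own_signature(zf)
        for name in zf.namelist():
            if name.lower().endswith(NESTED_EXT):
                audit(zf.read(name), f"{label}!/{name}", report)
    return report

def make_zip(entries):
    """Build a zip archive in memory from a {name: content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample_ear():
    """Constructed sample: outer EAR with signature files, nested archives without."""
    manifest = "Manifest-Version: 1.0\n"
    inner = make_zip({"META-INF/MANIFEST.MF": manifest,
                      "com/example/A.class": b"\xca\xfe\xba\xbe"})
    return make_zip({
        "META-INF/MANIFEST.MF": manifest,
        "META-INF/CODESIGN.SF": "Signature-Version: 1.0\n",
        "META-INF/CODESIGN.RSA": b"placeholder, not a real PKCS#7 block",
        "lib/commons-io-2.4.jar": inner,
        "ams_ejb.jar": inner,
    })

if __name__ == "__main__":
    for path, signed in audit(build_sample_ear(), "ams_ear.ear").items():
        print("signed  " if signed else "UNSIGNED", path)
```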