ant-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Phil Edwards <>
Subject Re: <verifyjar> apparently not passing keystore password along
Date Mon, 19 Mar 2018 19:57:11 GMT
On Sat, Mar 17, 2018 at 4:36 AM, Jaikiran Pai <> wrote:
> "The -storepass, -keypass, -sigfile, -sigalg, -digestalg, -signedjar, and
> TSA-related options are only relevant when signing a JAR file; they are not
> relevant when verifying a signed JAR file. The -keystore option is relevant
> for signing and verifying a JAR file. In addition, aliases are specified
> when signing and verifying a JAR file."

Interesting catch; I missed that part.  Something else seems wrong then,
as including the alias name but leaving out the "-storepass nnnn" argument
when running the jarsigner binary (on the command line) gives the same
problematic behavior of verified-but-with-errors, including "entries that
are not signed by alias in this keystore" and tagging each entry with the
capital-X meaning "not signed by the alias you specified".

Giving a -storepass allows everything to work, including verification of
the named certificate.

Whether that's an upstream bug, a documentation bug, or a gap in our local
understanding, it definitely seems that <verifyjar> is following the upstream
lead with respect to -storepass.

> Would you like to file a bug here

I will try, although my toleration for bugzilla in general has about reached
an all-time low...  I'll see if I can get the 'alias' bug submitted before
the end of the day.

Thanks again!

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message