为什么这个证书存储不能与jarsigner一起使用？

Question

我使用以下keystore(pass=123456)使用此命令对zip文件进行签名：

jarsigner -keystore Iran_Nara_nochain_rev.p12 -tsa http://tsa.gica.ir:8080/signserver/process?workerName=TimeStampSigner mfkey3.zip "Iran Nara" 

暂停 包已成功签名，但有一些警告。 但是，当我尝试使用此命令验证签名时：

jarsigner -verify -verbose -certs mfkey3.zip

它说jar文件是未签名的。我对其他钥匙商店没有任何问题，但这个正在播放。关于为什么的任何想法？

Answer 1

我的猜测问题是您的证书的扩展名为OID 1.3.6.1.4.1.311.21.10 ，标记为严重。

因为它被标记为关键应用程序无法识别扩展程序不会处理证书。扩展名在Microsoft（1.3.6.1.4.1.311）树下，因此不是Jarsigner（Java）认可的标准扩展名。

如果没有将此扩展程序标记为关键，您很可能需要获得正确的证书，以便能够在非Microsoft环境中使用它进行代码签名。

您的参考证书（由openssl打印）：

   Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:8f:c3:a0:00:00:00:00:00:1e
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IR, O=Governmental, OU=Iran Center for e-Commerce Development, OU=Deputy of PKI and Commercial Information Security, OU=General Intermediate CA, CN=GICA Code Sign Silver No.2
        Validity
            Not Before: Dec  7 07:33:27 2015 GMT
            Not After : Dec  6 07:33:27 2016 GMT
        Subject: C=IR, O=Non-Governmental, OU=Iran Nara, OU=Non-Individual Level 2 (Silver)/serialNumber=10100800459, CN=Iran Nara
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c5:36:99:38:c6:a8:d1:9b:2d:c9:9a:71:f6:65:
                    58:a3:14:85:e4:6b:00:04:98:51:d6:f4:50:14:2f:
                    2b:4d:84:b4:7a:9a:19:11:02:e4:aa:4b:ee:7c:6e:
                    0e:11:3d:f8:fb:03:ca:87:46:71:14:69:b6:43:9b:
                    4c:0f:9f:4f:c5:b1:d8:72:5c:24:29:8b:7b:d4:46:
                    f2:66:18:62:37:e6:36:f9:18:35:75:a8:77:9e:f2:
                    30:3b:9e:5d:b6:e5:cc:f4:f9:5d:bb:47:5f:f0:69:
                    a9:43:61:e1:4a:ee:bc:2d:8c:bc:53:4a:36:a4:66:
                    a2:0b:20:b3:a5:5c:33:79:fd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                F4:66:A0:E1:CA:74:37:7C:6F:4D:16:EF:8B:25:20:CC:15:6F:0D:23
            X509v3 Authority Key Identifier: 
                keyid:B5:D4:04:47:D9:8A:07:8E:9A:B8:45:19:00:E4:2D:AF:56:6A:2A:4F

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.gica.ir/repository/CS/CS-Silver-No.2.crl

            Authority Information Access: 
                OCSP - URI:http://ocsp.gica.ir/ocsp

            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation
            X509v3 Extended Key Usage: critical
                Code Signing
            X509v3 Certificate Policies: 
                Policy: 2.16.364.101.1.1.3.2.1
                  CPS: http://www.gica.ir/repository/cps-gica.pdf
                Policy: 2.16.364.101.1.1.1.2.2
                  CPS: http://www.gica.ir/repository/cps-gica.pdf
                Policy: 2.16.364.101.1.3.1
                  CPS: http://www.gica.ir/repository/cps-gica.pdf

            1.3.6.1.4.1.311.21.10: critical
                0.0
..+.......
    Signature Algorithm: sha1WithRSAEncryption
         0b:98:e2:25:5d:58:61:d1:17:ad:85:3f:a6:47:79:15:0f:48:
         1f:45:36:70:43:f8:72:f7:4d:19:d8:87:8b:84:f7:5a:df:b9:
         a9:55:ce:1f:95:53:e5:31:f7:94:ad:8c:a3:34:98:31:a6:d7:
         78:38:36:b6:f9:b0:ee:4a:99:3f:f8:f9:58:3f:80:13:8a:c8:
         f2:9d:e2:66:60:e4:bd:cd:12:bb:ec:57:52:f8:81:f2:50:dd:
         9d:cd:13:7d:06:43:57:1d:24:c1:f4:9d:a5:40:de:70:75:35:
         69:07:8c:d0:8e:b6:ce:69:54:2b:6d:5a:4f:49:6f:8f:66:e1:
         46:2a:e4:3d:e5:95:fb:4d:63:bb:68:6c:d1:d8:fb:6b:0c:5e:
         1e:53:e0:af:01:b6:d6:25:c2:1a:c6:3b:f5:db:a9:28:47:c8:
         09:0a:fc:bf:18:d2:61:29:67:82:bb:72:96:a4:c1:ae:6a:7b:
         c6:4c:18:35:c1:b9:1a:00:2e:32:a3:85:1a:79:9b:cc:fc:fa:
         c3:c1:3e:04:4a:c7:5c:71:e6:70:17:35:2c:b4:2a:d2:f4:8f:
         9e:1b:81:e9:d6:e1:c0:30:90:68:fb:e2:ea:9f:13:27:b8:80:
         bc:bf:72:35:ee:24:e4:94:78:75:a5:b2:a0:f1:bc:8a:b4:d3:
         ec:1d:82:51