DJViking DJViking - 10 months ago 344
Java Question

JDK 1.7 jarsigner with https tsa no longer works

It seems like Thawte root certificates in JDK 1.7.0_80 is revoked.

Using the 7u80 jarsigner no longer works and it worked fine just a few days ago.

/usr/java/jdk1.7.0_80/jre/../bin/jarsigner -keystore /home/build/keystore.p12 -storepass storepass -storetype pkcs12 -tsa /home/build/jenkins/workspace/my-gui/target/my-gui-3.0.29-SNAPSHOT.jar comp
jarsigner: unable to sign jar: Remote host closed connection during handshake

I tried to import Thawtes Timestamping CA certificate into cacerts after deleting the old one.


/usr/java/jdk1.7.0_80/bin/keytool -import -trustcacerts -alias verisigntsaca -file Thawte_Timestamping_CA.pem -keystore jre/lib/security/cacerts
Enter keystore password:
Trust this certificate? [no]: yes
Certificate was added to keystore

Using jarsigner from JDK 8u60 works, so I tried to copy its cacerts to JDK7, but that did not work either.

We cannot compile yet with Java 8, because of Javadoc errors. The only solutions I see is to create symlink in JDK7 to JDK8 jarsigner.

/usr/java/jdk1.8.0_60/jre/../bin/jarsigner -keystore /home/build/keystore.p12 -storepass storepass -storetype pkcs12 -tsa /home/build/jenkins/workspace/my-gui/target/my-gui-3.0.29-SNAPSHOT.jar comp
jar signed.

If I switch tsa from geotrust to digicert it works fine with JDK 7, because they do not use https.

Answer Source

I also only experienced this issue in the last 12 hours. This issue is not to do with certificates but rather to do with the protocol used to communicate with the timestamp server. This will work with JDK7, however you need to add the following to the jarsigner command


Therefore, your command will look like:

/usr/java/jdk1.7.0_80/jre/../bin/jarsigner -J-Dhttps.protocols=TLSv1.2 -keystore /home/build/keystore.p12 -storepass storepass -storetype pkcs12 -tsa /home/build/jenkins/workspace/my-gui/target/my-gui-3.0.29-SNAPSHOT.jar comp

It seems that GeoTrust have disabled use of TLS version 1.0 which is the default in Java 7. The following links provide more information on this:

GeoTrust Partner: Disable of Transport Layer Security (TLS) version 1.0 protocol

Diagnosing TLS, SSL, and HTTPS

Hope this helps.