We are using Jarsigner (Java 1.8.0_201) in our to sign some built jar files. We were executing the below script to perform the jar signing on a SLES 12 SP-5 build server and it was working fine.
```bash
openssl_latest=/app/vbuild/sys/openssl/latest/bin/openssl

# Decrypt the keystore password (AES-192-ECB, key stored as text)
encry_string=$(cat {store_path}/Jar_Signing/storepass_string)
key_s=$(cat {store_path}/Jar_Signing/storepass_key | xargs)
decoded_string=$(echo "$encry_string" | base64 -d 2> /dev/null)
key_hex=$(echo -n "$key_s" | xxd -p)
decrypted_string=$(echo -n "$decoded_string" | $openssl_latest enc -aes-192-ecb -d -K "$key_hex" -nopad 2>&1)
if [[ "$decrypted_string" == *"bad decrypt"* ]]; then
    echo "Decryption failed: $decrypted_string"
else
    # Strip the trailing '}' filler characters
    store_pass=$(echo "$decrypted_string" | sed 's/}*$//')
fi

# Decrypt the truststore password the same way
encry_tstring=$(cat {store_path}/Jar_Signing/trustStore_string)
key_t=$(cat {store_path}/Jar_Signing/trustStore_key | xargs)
decoded_tstring=$(echo "$encry_tstring" | base64 -d 2> /dev/null)
key_thex=$(echo -n "$key_t" | xxd -p)
decrypted_tstring=$(echo -n "$decoded_tstring" | $openssl_latest enc -aes-192-ecb -d -K "$key_thex" -nopad 2>&1)
if [[ "$decrypted_tstring" == *"bad decrypt"* ]]; then
    echo "Decryption truststore_pass failed: $decrypted_tstring"
else
    truststore_pass=$(echo "$decrypted_tstring" | sed 's/}*$//')
fi

# Read the signing certificate's expiry date from the SDKMS-backed keystore
expCheckCmd=$( {usr_path}/java/1.8.0_201/Linux/bin/keytool -list -v \
    -storepass "$store_pass" \
    -keystore "{store_path}/Jar_Signing/codesigning" \
    -storetype sdkms-local \
    -providerName sdkms-jce \
    -J-Djavax.ssl.trustStoreType=jks \
    -J-Djavax.ssl.trustStore="{store_path}/Jar_Signing/sdkms-truststore.jks" \
    -J-Djavax.ssl.trustStorePassword="$truststore_pass" \
    -J-classpath "-J{usr_path}/java/1.8.0_201/Linux/lib/*:{usr_path}/java/1.8.0_201/Linux/jre/lib/*:{usr_path}/1.8.0_201/Linux/jre/lib/sdkms-jce-provider-bundled-4.24.2343.jar" \
    2> /dev/null | grep -i -m1 "until" | sed 's/^.*: //' )
echo "INFO: $jar_name Jar Signer Expires on: $expCheckCmd"

# Sign the jar in place with the key held in SDKMS
jarsign_cmd=$( {usr_path}/java/1.8.0_201/linux/bin/jarsigner \
    -verbose \
    -keystore '{store_path}/Jar_Signing/codesigning' \
    -providerName sdkms-jce \
    -sigalg SHA256withRSA \
    -storetype SDKMS-local \
    -storepass "$store_pass" \
    -signedjar "$jar_path" "$jar_path" codesigning \
    -J-Djavax.ssl.trustStoreType=jks \
    -J-Djavax.ssl.trustStore='{store_path}/Jar_Signing/sdkms-truststore.jks' \
    -J-Djavax.ssl.trustStorePassword="$truststore_pass" \
    -J-classpath "-J{usr_path}/java/1.8.0_201/Linux/lib/*:{usr_path}/java/1.8.0_201/Linux/jre/lib/*:{usr_path}/java/1.8.0_201/Linux/jre/lib/sdkms-jce-provider-bundled-4.24.2343.jar" \
    -tsa 2> /dev/null | grep -i 'jar' )
```
We recently upgraded to a SLES 15 SP-5 build server, and when the same command/script is executed on it, it fails with this error:

```
jarsigner error: SDKMS Setup failed.
```

Assuming this to be caused by the version of the Fortanix SDKMS provider, we even tried using the latest bundled sdkms-jce library from Fortanix, sdkms-jce-provider-bundled-4.36.2530.jar hosted here, and ALSO using Java (openjdk) 11 instead of 8, but it failed again with the exact same error:

```
jarsigner error: SDKMS Setup failed.
```

Note: for the latter step we even tried editing the java.security file and adding fortanix.sdkms.jce as the primary security provider, but nothing changed.

```
security.provider.1=com.fortanix.sdkms.jce.provider.SdkmsJCE
```

My questions:
- What else can we try to make jarsigner work using fortanix.sdkms on SLES15?
- Is this jce jar even compatible with SUSE Linux ES 15 version?
- Any other alternatives that can be suggested to replace this incompatible jar to make jarsigner work on SLES 15? (Preferred at this point tbh)
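
The password-decryption step of the script above, rewritten so that a wrong key or a corrupt file is actually detected before the value reaches `keytool` or `jarsigner`. This is an added example, not part of the original post; the function names, file layout and demo values are hypothetical, and it assumes a 24-character ASCII key and the `}` filler that the script strips.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. decrypt_secret, demo and the
# demo values are hypothetical; needs openssl, base64, od and sed.

# Usage: decrypt_secret CIPHERTEXT_B64_FILE KEY_FILE
# Prints the secret; returns 2 (bad key length), 3 (openssl error)
# or 4 (output is not printable text, e.g. wrong key).
decrypt_secret() {
    local ct_file=$1 key_file=$2 key key_hex plain
    local LC_ALL=C                      # byte-wise length and [:print:]
    key=$(tr -d '\r\n' < "$key_file")
    if [ "${#key}" -ne 24 ]; then       # AES-192 takes exactly 24 key bytes
        echo "key is ${#key} bytes, expected 24" >&2
        return 2
    fi
    key_hex=$(printf '%s' "$key" | od -An -v -tx1 | tr -d ' \n')
    # Decode and decrypt in one pipeline so the raw ciphertext never passes
    # through a shell variable, and test openssl's exit status directly.
    if ! plain=$(base64 -d "$ct_file" |
                 openssl enc -d -aes-192-ecb -K "$key_hex" -nopad 2>/dev/null); then
        echo "openssl could not decrypt $ct_file" >&2
        return 3
    fi
    # -nopad disables the padding check, so a wrong key does not produce
    # "bad decrypt"; it yields random bytes. Reject anything that is empty
    # or not printable ASCII before it is used as a password.
    case $plain in
        '' | *[![:print:]]*)
            echo "decrypted data is not printable text (wrong key?)" >&2
            return 4 ;;
    esac
    # Strip the trailing '}' filler the same way the original script does.
    printf '%s\n' "$plain" | sed 's/}*$//'
}

# Constructed demo: encrypt a sample secret with '}' filler (assumed to be
# how the stored file was produced), then recover it.
demo() {
    local d kh; d=$(mktemp -d)
    printf '%s' 'ExampleKey-0123456789abc' > "$d/key"
    kh=$(od -An -v -tx1 < "$d/key" | tr -d ' \n')
    printf '%s' 'S3cretPass}}}}}}' |
        openssl enc -e -aes-192-ecb -K "$kh" -nopad | base64 > "$d/ct"
    decrypt_secret "$d/ct" "$d/key"; rm -rf "$d"
}
```

Checking the function's return code before calling `keytool` or `jarsigner` separates a credential problem on the new build server from a provider problem.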