Signing jars with new certificate

Help
2010-11-23
2013-06-06
  • Zlatan Momic
    2010-11-23

    Hi, I downloaded and built stendhal with the dist ant target, and signed the jars using a certificate that was generated by keytool -genkey. The idea was to see how JNLP works with stendhal locally. And everything went ok. Even updates worked correctly. But keytool says that the certificate will expire within six months. So I decided to generate another fresh certificate. But then, after rebuilding new jars, signing with the new certificate and deploying the update, the client generates the exception “signer information does not match signer information of other classes in the same package”. So, as far as I can see, the problem is that some old client jar files are signed with the old certificate and the latest client update jar files are signed with the new certificate.

    Going back to the old certificate solves the problem, but what happens when the original certificate expires?

    When renewing/changing the certificate, do I need to sign all of my old update jar files again? But that will change their size and I would have to change update.properties again. And still that does not solve the problem on the client side, because there will be jars signed by the old certificate. What am I missing here? The only solution I can see is a new initial download of freshly signed jar files and marking previous versions as OUTDATED.
    Here is exception output:

    java.lang.SecurityException: class "games.stendhal.client.update.HttpClient"'s signer information does not match signer information of other classes in the same package
        at java.lang.ClassLoader.checkCerts(ClassLoader.java:787)
        at java.lang.ClassLoader.preDefineClass(ClassLoader.java:502)
        at java.lang.ClassLoader.defineClass(ClassLoader.java:628)
        at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
        at java.net.URLClassLoader.defineClass(URLClassLoader.java:277)
        at java.net.URLClassLoader.access$000(URLClassLoader.java:73)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:212)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
        at games.stendhal.client.update.Bootstrap$BottomUpOrderClassLoader.loadClass(Bootstrap.java:62)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:266)
        at games.stendhal.client.update.UpdateManager.init(UpdateManager.java:44)
        at games.stendhal.client.update.UpdateManager.process(UpdateManager.java:67)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at games.stendhal.client.update.Bootstrap$PrivilegedBoot.handleUpdate(Bootstrap.java:224)
        at games.stendhal.client.update.Bootstrap$PrivilegedBoot.run(Bootstrap.java:265)
        at java.security.AccessController.doPrivileged(Native Method)
        at games.stendhal.client.update.Bootstrap.boot(Bootstrap.java:307)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at games.stendhal.client.update.ClientRunner.run(ClientRunner.java:54)
        at games.stendhal.client.update.Starter.main(Starter.java:45)
    
     
  • Katie Russell
    2010-11-24

    Hi,

    For the main server updater package we sign our jars too.

    The original certificate we had expired, and it was still usable: players just got a warning that it was expired, but they could still accept it. So your certificate expiring will not stop people updating.

    We wanted to get a new certificate and sign the package with both certificates - the old one, so that old downloads could update, and the new one, for new downloads. But we found that BOTH certificates were then checked, which wasn't acceptable for our needs.

    The only way seems to be a new download of the initial package for all players when you want to change the certificate. Which is the conclusion you also came to.
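
Added example, not part of the thread and not code from the Stendhal project: a pre-deployment check that catches the mismatch behind the SecurityException above by reporting every package whose classes carry different signer certificates across a set of jars. The class name SignerConsistencyCheck and its exit-code convention are assumptions made for this illustration.

```java
import java.io.File;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Hypothetical helper: flags packages whose classes are signed differently across jars. */
public class SignerConsistencyCheck {

    /** For each package, maps every distinct signer-certificate set to the first jar it was seen in. */
    static Map<String, Map<Set<Certificate>, String>> scan(List<File> jars) throws Exception {
        Map<String, Map<Set<Certificate>, String>> byPackage = new TreeMap<>();
        byte[] buf = new byte[8192];
        for (File f : jars) {
            try (JarFile jar = new JarFile(f, true)) {            // true = verify signatures
                for (JarEntry e : Collections.list(jar.entries())) {
                    if (e.isDirectory() || !e.getName().endsWith(".class")) continue;
                    // Signer certificates are only available once the entry has been read to the end.
                    try (InputStream in = jar.getInputStream(e)) {
                        while (in.read(buf) != -1) { /* drain */ }
                    }
                    Certificate[] certs = e.getCertificates();    // null for unsigned entries
                    Set<Certificate> signers = certs == null
                            ? Collections.<Certificate>emptySet()
                            : new HashSet<>(Arrays.asList(certs));
                    int slash = e.getName().lastIndexOf('/');
                    String pkg = slash < 0 ? "(default)"
                            : e.getName().substring(0, slash).replace('/', '.');
                    byPackage.computeIfAbsent(pkg, k -> new HashMap<>())
                             .putIfAbsent(signers, f.getName());
                }
            }
        }
        return byPackage;
    }

    public static void main(String[] args) throws Exception {
        List<File> jars = new ArrayList<>();
        for (String a : args) jars.add(new File(a));
        boolean mismatch = false;
        for (Map.Entry<String, Map<Set<Certificate>, String>> p : scan(jars).entrySet()) {
            if (p.getValue().size() > 1) {                        // same package, different signers
                mismatch = true;
                System.out.println("MISMATCH " + p.getKey() + " in jars " + p.getValue().values());
            }
        }
        System.exit(mismatch ? 1 : 0);                            // non-zero fails the build step
    }
}
```

Pass it the jars from the initial download together with the update jars; a package such as games.stendhal.client.update split across jars signed with the old and the new certificate is reported as a MISMATCH.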

     

