Reputation: 6589
I have a self-signed root certificate with just the code signing extension (no other extensions) in my Mac keychain; I use it to sign all code coming out of ∞labs using Apple's codesign tool and it works great.
I was looking to expand myself a little and doing some Java development. I know Apple provides a KeyStore implementation that reads from the Keychain, and I can list all certificates I have in the 'chain with:
keytool -list -provider com.apple.crypto.provider.Apple -storetype KeychainStore -keystore NONE -v
However, whenever I try to use jarsigner to sign a simple test JAR file, I end up with:
$ jarsigner -keystore NONE -storetype KeychainStore -providerName Apple a.jar infinitelabs_codesigning_2
Enter Passphrase for keystore: <omitted>
jarsigner: Certificate chain not found for: infinitelabs_codesigning_2. infinitelabs_codesigning_2 must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
What am I doing wrong?
(The certificate was created following Apple's instructions for obtaining a signing identity.)
Upvotes: 16
Views: 7713
Reputation: 2171
I have been trying to do this as well. I went through a few contortions and, using Keystore Explorer and the answers to "I lost my public key. Can I recover it from a private key?", I was able to extract the certificate, private key, and public key from the .keystore file and move them into an OSX keychain. Note that in this case I probably didn't need the public key.
If I give jarsigner the name of the private key (as opposed to the name of my self-signed certificate based on that key), then I get the error you mentioned.
My guess then is that your problem is one of the following
I'm able to use your jarsigner command line (thanks!) and get correct results, which I checked with jarsigner -verify.
Upvotes: 0
Reputation: 61536
Have you tried to export the key from the Apple keychain and import it via keytool? Perhaps Apple hasn't properly integrated keytool with their keychain (not like they have a stellar track record with supporting Java).
Edit:
Hmm... I just tried taking a key that worked from the Java store that I imported into the Apple keychain (has a private/public key) and it doesn't work. So either my importing is wrong, you cannot access the Apple Keychain in this way, or something else is going wrong :-)
Upvotes: 0
Reputation: 1803
I think that your keystore entry alias must be wrong. Are you using the alias name of a keystore object with an entry type of "keyEntry"? The same command works perfectly for me.
From the jarsigner man page:
When using jarsigner to sign a JAR file, you must specify the alias for the keystore entry containing the private key needed to generate the signature.
Upvotes: 1
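The check this answer describes, as an added example that is not part of the thread: filter a `keytool -list` listing down to the aliases whose entry type holds a private key, which are the only ones jarsigner can sign with. The listing in the script is constructed sample data in the shape keytool prints (the asker's alias is placed on a trustedCertEntry to reproduce the failing case); on a real Mac you would capture it with the `keytool -list` command from the question.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: jarsigner needs an alias whose keystore
# entry holds a private key, so before signing, filter `keytool -list` output
# down to such entries. The listing below is constructed sample data in the
# shape keytool prints; on a real Mac capture it with
#   keytool -list -provider com.apple.crypto.provider.Apple \
#           -storetype KeychainStore -keystore NONE
SAMPLE_KEYTOOL_LIST='Keystore type: KeychainStore
Keystore provider: Apple

Your keystore contains 4 entries

infinitelabs_codesigning_2, Jan 1, 2010, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
infinitelabs_signing_key, Jan 1, 2010, keyEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
example root ca, 25.04.2006, trustedCertEntry,
Certificate fingerprint (SHA1): 22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55
other_key, 2 Feb 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): 33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66'

# Print the aliases that can sign. Entry lines look like
#   <alias>, <locale-formatted date>, <entryType>,
# The date may itself contain commas, so match the entry type at the end of
# the line and take the alias as everything before the first comma. Older
# JDKs label key entries "keyEntry", newer ones "PrivateKeyEntry".
signing_aliases() {
  printf '%s\n' "$1" | awk '
    /, (keyEntry|PrivateKeyEntry),?$/ { print substr($0, 1, index($0, ",") - 1) }'
}

# Exit 0 if alias $2 is a private-key entry in listing $1, 1 otherwise.
alias_can_sign() {
  signing_aliases "$1" | grep -qxF -- "$2"
}

# Usage: the question's alias names the certificate entry, which is exactly
# the case jarsigner rejects with "Certificate chain not found".
if alias_can_sign "$SAMPLE_KEYTOOL_LIST" "infinitelabs_codesigning_2"; then
  echo "infinitelabs_codesigning_2 can sign"
else
  echo "infinitelabs_codesigning_2 is not a key entry; aliases that can sign:"
  signing_aliases "$SAMPLE_KEYTOOL_LIST"
fi
```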