jarsigner is not working in java , therefor the build fails

Question

jarsigner is not working in java , therefor the build fails

  [signjar] jarsigner: unable to sign jar: no response from the Timestamping Authority. When connecting from behind a firewall an HTTP or HTTPS proxy may need to be specified. Supply the following options to jarsigner:
  [signjar]   -J-Dhttp.proxyHost=<hostname>
  [signjar]   -J-Dhttp.proxyPort=<portnumber>
  [signjar] or
  [signjar]   -J-Dhttps.proxyHost=<hostname> 
  [signjar]   -J-Dhttps.proxyPort=<portnumber> 

There is no error in the project build path. All the dependencies are imported in the build path.

Answer 1

Here's the problem as I understand it:

• Your are attempting to build a project with an Ant "build.xml" file.
• You are running the build from within Eclipse.
• You are running Eclipse in a VM that has no internet access.
• The build fails during JAR signing when jarsigner attempts to talk to a time stamp authority (TSA). Internet access is required to talk to a TSA.

Also I am not sure why is this error encountered.

It is because you are trying to use signature timestamps, and your build system doen't have direct internet access, and you haven't provided a http or https proxy in the appropriate fashion for jarsigner to use.

---

There are a couple of ways to solve this. (The following is based on the documentation. I haven't tested this.)

If you have an internet proxy available:

• The simplest way is to edit the "signjar" task in your "build.xml" and add "tsaproxyhost" and "tsaproxyport" attributes as described in the Ant manual.

• If you are building on the command line¹, you should just be able to follow Ant instructions for Proxy Configuration. (There are two approaches ...)

• If you are running the build using Eclipse, then you could find the Eclipse "runner" configuration that is used to run Ant, and then add command line as per the previous bullet.

(I think that the error message that talks about -J-D... options is coming from the jarsigner utility itself. That advice is only directly applicable if you are running jarsigner directly from the command line. That is, of course, another option.)

If you don't have a working proxy (or you are just fed up) the other alternative is to edit the "signjar" task to disable signing. Removing the "tsaurl" and "tsacert" attributes should do it.

Disabling timestamps will give you a signed JAR without signature timestamps. The significance is explained by the Oracle Signature Timestamp Support documentation:

"Prior to J2SE 5.0, the signature generated by jarsigner contained no information about w hen the signature was generated. With no other information available, systems/deployers (including users of the Java Plug-in) often based their validity assessment of a signed JAR file on the validity of the signing certificate. When the signing certificate expires, systems/deployers conclude that the signature, and hence, the JAR file, has expired. Because signing certificates typically expire annually, this caused customers significant problems by forcing them to re-sign deployed JAR files annually.

Starting in J2SE 5.0, jarsigner can generate signatures that include a timestamp, thus enabling systems/deployer (including Java Plug-in) to check whether the JAR file was signed while the signing certificate was still valid. In addition, APIs were added in J2SE 5.0 to allow applications to obtain the timestamp information."

---

^{1 - I recommend you download and install a free-standing Ant, so that you can run builds from command line.}