java – 具有https tsa的JDK 1.7 jarsigner不再有效

使用7u80 jarsigner不再有效,而且几天前工作正常.

/usr/java/jdk1.7.0_80/jre/../bin/jarsigner -keystore /home/build/keystore.p12 -storepass storepass -storetype pkcs12 -tsa https://timestamp.geotrust.com/tsa /home/build/jenkins/workspace/my-gui/target/my-gui-3.0.29-SNAPSHOT.jar comp
jarsigner: unable to sign jar: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake

在删除旧证书后,我尝试将Thawtes Timestamping CA证书导入cacerts.

wget https://www.thawte.com/roots/Thawte_Timestamping_CA.pem

/usr/java/jdk1.7.0_80/bin/keytool -import -trustcacerts -alias verisigntsaca -file Thawte_Timestamping_CA.pem -keystore jre/lib/security/cacerts 
Enter keystore password:  
Trust this certificate? [no]:  yes
Certificate was added to keystore

使用JDK 8u60的jarsigner工作,所以我试图将它的cacerts复制到JDK7,但这也不起作用.

由于Javadoc错误,我们无法使用Java 8进行编译.我看到的唯一解决方案是在JDK7中创建符号链接到JDK8 jarsigner.

/usr/java/jdk1.8.0_60/jre/../bin/jarsigner -keystore /home/build/keystore.p12 -storepass storepass -storetype pkcs12 -tsa https://timestamp.geotrust.com/tsa /home/build/jenkins/workspace/my-gui/target/my-gui-3.0.29-SNAPSHOT.jar comp
jar signed.

如果我将tsa从geotrust切换到digicert,它可以正常使用JDK 7,因为它们不使用https.
http://timestamp.digicert.com/