On 19.05.2016 14:05, Andreas Sewe wrote:
> FYI, removal of the "Thawte Premium Server CA" causes problems not only
> with openssl, but also when Java verifies certificates (e.g., when
> installing signed plugins in the Eclipse IDE).

I think this is a separate issue with jarsigner, not the ca-certificates package.

> Note, however, that it doesn't find the "thawte Primary Root CA"
> *intermediate* certificate in its keystore, as no alias (like for
> "(thawtepremiumserverca)") is shown.
>
> However, the keystore shipped with Debian 8.4 *does* contain that
> intermediate certificate:

I think the tool can't find the "thawte Premium Server CA" certificate (which was removed from ca-certificates), which is the old Root certificate. But of course the "Thawte Primary Root CA" is still part of ca-certificates because it is the "new" certificate. Both root certs are eligible to certify your code signing intermediate certificate. You only need one of the two certificates to be in the certificate store to verify the intermediate, yet jarsigner wants to have both.

This sounds more like a problem with jarsigner, which cannot recognize alternative certification chains. Much like the problem openssl has in the current version in stable.

Regards
Christian
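
The alternative-chain situation discussed in this message, as an added example that is not part of the original e-mail and is not jarsigner or openssl code: a simplified model (no signature checks) comparing a verifier that only follows the supplied chain with one that stops at the first trusted anchor. The certificate tuples, key labels and the two "(hypothetical)" subjects are constructed for illustration.

```python
# Simplified model: a certificate is (subject, issuer, key); signatures are not checked.
from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer key")

# Constructed sample data mirroring the CA names in the thread.
OLD_ROOT = Cert("Thawte Premium Server CA", "Thawte Premium Server CA", "k-old")
NEW_ROOT = Cert("thawte Primary Root CA", "thawte Primary Root CA", "k-new")
# Same subject and key as NEW_ROOT, but cross-signed by the old root.
CROSS = Cert("thawte Primary Root CA", "Thawte Premium Server CA", "k-new")
SIGNING_CA = Cert("code signing intermediate (hypothetical)",
                  "thawte Primary Root CA", "k-int")
LEAF = Cert("plugin signer (hypothetical)", SIGNING_CA.subject, "k-leaf")

SUPPLIED = [LEAF, SIGNING_CA, CROSS]  # chain shipped with the signed artifact


def first_path_only(supplied, trust_store):
    """Follow the supplied chain to its end, then require its issuer in the store."""
    last = supplied[-1]
    for anchor in trust_store:
        if anchor.subject == last.issuer:
            return [c.subject for c in supplied] + [anchor.subject]
    return None  # issuer of the cross certificate is no longer trusted


def with_alternate_chains(supplied, trust_store):
    """Walk the supplied chain and terminate at the first trusted anchor found."""
    path = []
    for cert in supplied:
        for anchor in trust_store:
            # The store holds this CA itself (same subject and key): end the path here.
            if (anchor.subject, anchor.key) == (cert.subject, cert.key):
                return path + [anchor.subject]
        path.append(cert.subject)
        for anchor in trust_store:
            # The store holds the issuer of this certificate: end the path there.
            if anchor.subject == cert.issuer:
                return path + [anchor.subject]
    return None


if __name__ == "__main__":
    store_after_removal = [NEW_ROOT]  # old root dropped from the store
    print("first path only :", first_path_only(SUPPLIED, store_after_removal))
    print("alternate chains:", with_alternate_chains(SUPPLIED, store_after_removal))
```
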