Fix updater and signature verification

README.md

@@ -5,19 +5,16 @@ This plugin adds naturally spawning Giants with AI to your Minecraft server.
 ### Signing
 Public key goes into `resources/verifies_downloaded_jars.pem`
 
-A test (and default) keystore is provided:
-- keystore: `testkeystore`
-- storepass: `123456`
-- alias: `testkey`
-
-When using `mvn`, override with `-Djarsigner.`
-```
-mvn clean package -Djarsigner.keystore=/home/user/mykeystore.jks -Djarsigner.alias=mykey
-```
+A default keystore is not provided.
 
 To create a keystore and export public key:
 ```
 keytool -keystore testkeystore2.jks -genkeypair -keyalg RSA -alias testkey -validity 999999
 keytool -exportcert -alias testkey -keystore testkeystore2.jks -file cert.cer -rfc
 openssl x509 -inform pem -in cert.cer -pubkey -noout > public_key.pem
+```
+
+When using `mvn`, override with `-Djarsigner.`
+```
+mvn clean package -Djarsigner.keystore=/home/user/mykeystore.jks -Djarsigner.alias=mykey
 ```

pom.xml

@@ -6,8 +6,8 @@
 
   <properties>
     <maven.compiler.release>11</maven.compiler.release>
-    <jarsigner.keystore>${project.basedir}/testkeystore.jks</jarsigner.keystore>
-    <jarsigner.alias>testkey</jarsigner.alias>
+    <jarsigner.keystore>${project.basedir}/keystore.jks</jarsigner.keystore>
+    <jarsigner.alias>mykey</jarsigner.alias>
     <jarsigner.storepass>123456</jarsigner.storepass>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>

src/main/java/eu/m724/giants/updater/JarVerifier.java

@@ -7,10 +7,13 @@ import java.security.GeneralSecurityException;
 import java.security.KeyFactory;
 import java.security.PublicKey;
 import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
 import java.security.interfaces.RSAPublicKey;
 import java.security.spec.X509EncodedKeySpec;
+import java.util.ArrayList;
 import java.util.Base64;
 import java.util.Enumeration;
+import java.util.List;
 import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
 import java.util.jar.Manifest;
@@ -96,11 +99,14 @@ public class JarVerifier {
 
                     // Check if any signer's public key matches our RSA key
                     boolean keyMatch = false;
+                    List<String> signerPublicKeys = new ArrayList<>();
+
                     for (CodeSigner signer : signers) {
                         for (Certificate cert : signer.getSignerCertPath().getCertificates()) {
                             PublicKey certPublicKey = cert.getPublicKey();
                             if (certPublicKey instanceof RSAPublicKey) {
                                 RSAPublicKey rsaKey = (RSAPublicKey) certPublicKey;
+                                signerPublicKeys.add(Base64.getEncoder().encodeToString(rsaKey.getEncoded()));
                                 if (rsaKey.getModulus().equals(publicKey.getModulus()) &&
                                         rsaKey.getPublicExponent().equals(publicKey.getPublicExponent())) {
                                     keyMatch = true;
@@ -112,7 +118,7 @@ public class JarVerifier {
                     }
 
                     if (!keyMatch) {
-                        throw new VerificationException("Entry not signed with matching RSA key: " + entry.getName());
+                        throw new VerificationException("Entry " + entry.getName() + " signed with " + String.join(", ", signerPublicKeys) + ", none of which match " + Base64.getEncoder().encodeToString(publicKey.getEncoded()));
                     }
                 }
             }