I'm trying to download the Windows Java EE installer from Oracle's website but I continually receive "The digital signature of the object did not verify" error messages when I check the digital signature of the downloaded file.
I've tried the following searches on this site (and similar searches on Google with no success):
- java ee +"digital signature" +"did not verify"
  - 1 unrelated result
- java ee +"digital signature" +invalid
  - 2 unrelated results
I've downloaded the files on 3 separate machines, where each is running a different version of Windows (WinXP 32-bit, WinVista 32-bit & Win7 64-bit) and I get the same result. The machine running WinXP is my laptop, which I have tried on 2 completely different networks to download the files without success.
The files I have downloaded are (along with the certificate's serial number and thumbprint and whether the signature was valid):
- java_ee_sdk-6u3-jdk7-windows.exe
  - Signature does not verify
  - Serial Number: 5e f1 dc 1e fb 1e 46 b5 de 80 ed e1 76 2a 55 a7
  - Thumbprint: 9e 2b 73 43 3c 7f f0 be 9c 2e 54 6c 46 a3 d1 6a 6c da cf 32
- java_ee_sdk-6u3-windows.exe
  - Signature does not verify
  - Serial Number: 5e f1 dc 1e fb 1e 46 b5 de 80 ed e1 76 2a 55 a7
  - Thumbprint: 9e 2b 73 43 3c 7f f0 be 9c 2e 54 6c 46 a3 d1 6a 6c da cf 32
- jdk-7-windows-i586.exe
  - Signature verifies
  - Serial Number: 5e f1 dc 1e fb 1e 46 b5 de 80 ed e1 76 2a 55 a7
  - Thumbprint: 9e 2b 73 43 3c 7f f0 be 9c 2e 54 6c 46 a3 d1 6a 6c da cf 32
- jdk-7-windows-x64.exe
  - Signature verifies
  - Serial Number: 5e f1 dc 1e fb 1e 46 b5 de 80 ed e1 76 2a 55 a7
  - Thumbprint: 9e 2b 73 43 3c 7f f0 be 9c 2e 54 6c 46 a3 d1 6a 6c da cf 32
I downloaded the JDK 7 installers as a comparison and their signatures verify. As you can see by the serial numbers and thumbprints above, all the files are signed with the same certificate. However, the Java EE installers fail signature verification.
The fact that I can download both the JDK 7 installer and the Java EE installer on the same machine, on the same network, with both files being signed by the same certificate, and have different signature verification results would seem to imply that the Java EE installer was corrupted between being signed by Oracle and being received by me.
This seems to rule out a certificate problem on my machines (since I can verify the JDK 7 file - which is signed by the same certificate) and point to either a man-in-the-middle attack, or a corrupted file on the server. However, if Oracle were pushing out a corrupted file, I'm sure I would have found mention of it - since this problem has been occurring for the past couple of weeks.
The likelihood of a man-in-the-middle attack would appear to be reduced by the fact that the issue occurs when using different networks.
I've tried everything that I can think of and have come up empty.
Is anyone aware of others having this issue and more importantly, does anyone have any suggestions as to what may be causing this?
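
One way to collect the evidence the question reasons from, as an added example that is not part of the original post: it records the Authenticode status, signer certificate, size and SHA-256 of each of the four files and flags files that fail while another file from the same signer validates. The `$Folder` default is an assumption, and PowerShell 4.0 or later is assumed for `Get-FileHash`.

```powershell
# Added example, not from the original post. $Folder is an assumed location;
# the file names are the four listed in the question.
param([string]$Folder = "$env:USERPROFILE\Downloads")

$names = 'java_ee_sdk-6u3-jdk7-windows.exe', 'java_ee_sdk-6u3-windows.exe',
         'jdk-7-windows-i586.exe', 'jdk-7-windows-x64.exe'

$report = foreach ($name in $names) {
    $path = Join-Path $Folder $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Not found, skipped: $path"
        continue
    }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        File       = $name
        Status     = $sig.Status          # Valid, HashMismatch, NotTrusted, ...
        Message    = $sig.StatusMessage
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        Serial     = if ($cert) { $cert.SerialNumber } else { $null }
        Length     = (Get-Item -LiteralPath $path).Length
        SHA256     = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}
$report | Format-List

# Group by signer: if one certificate yields both valid and failing files,
# the failure belongs to the individual file, not to the certificate.
$report | Where-Object { $_.Thumbprint } | Group-Object Thumbprint | ForEach-Object {
    $failed = @($_.Group | Where-Object { $_.Status -ne 'Valid' })
    if ($failed.Count -gt 0 -and $failed.Count -lt $_.Count) {
        "Signer $($_.Name) validates for other files, so these failures are per-file:"
        foreach ($f in $failed) {
            $why = switch ($f.Status.ToString()) {
                'HashMismatch' { 'file bytes do not match the signed digest' }
                'NotTrusted'   { 'certificate is not trusted on this machine' }
                default        { 'see the Message field above' }
            }
            "  $($f.File): $($f.Status) ($why)"
        }
    }
}
```

Running it on each machine and comparing the SHA256 and Length columns shows whether every download delivered the same bytes: identical values across machines and networks mean the copies received are the same file.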