Jarsigner is used to sign and verify .jar files, but errors can occur during signing. This post discusses those errors along with their solutions.
KeyStore Load Failed
Error Message:
jarsigner error: java.lang.RuntimeException: keystore load: load failed
Solution:
- To find out why the operation is failing, use -verbose and -debug.
- Check the smpkcs11.log file. Run the command below in SMCTL to find the location of the logs.
echo %USERPROFILE%/.signingmanager/logs
CKR_FUNCTION_FAILED
Error Message:
CKR_FUNCTION_FAILED
Solution:
- To find out why the operation is failing, use -verbose and -debug.
- Check the smpkcs11.log file. Run the command below in SMCTL to find the location of the logs.
echo %USERPROFILE%/.signingmanager/logs
Self-signed Certificate Warning
Error Message:
The signer’s certificate is self-signed.
This warning occurs when signing Java files using jarsigner with a certificate generated using Java’s keytool. It happens because certain versions of keytool wrongly label the certificate as self-signed during creation.
Solution:
To resolve this issue, you should create a new certificate using the same key pair. You can either generate a new certificate or reissue the certificate.
“The signer’s certificate chain is invalid” warning when signing and verifying a JAR
Error Message:
The signer’s certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This error occurs when the certificate used in the signing operation was generated under a private trust, and the necessary root and intermediate certificates have not been imported into the JDK cacerts KeyStore.
Solution:
This error can be resolved in either of the following two ways.
- Switch to a public trust for generating the certificate used in the signing operation.
- Import Root and Intermediate Certificates
The user is not multi-factor authenticated
Error Message:
jarsigner: unable to sign jar: feign.FeignException$Forbidden: [403 Forbidden] during [POST] to [https://clientauth.one.digicert.com/signingmanager/api/v1/keypairs/ab4edb6d-3cc5-44f8-8106-aa30b9edc72c/sign] [STM#sign(SignatureRequest, String)]: [{"error":{"status": "access_denied", "message": "User is not multi-factor authenticated. Missing Client Authentication Certificate. As per compliance rules, the user needs to be authenticated using multi-factor for performing sign operation."}}]
This error arises when the API key or client authentication certificate password required for signing is not provided.
Solutions:
When the signing process depends on the Java Cryptography Extension (JCE) library, you must store your API key and client authentication certificate password.
You can do this using one of the following methods:
- Session-based environment variables
- Persistent environment variables
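A pre-flight check for the API key and client authentication certificate settings described above, as an added example that is not from the original post: it reports which value is missing or malformed in the current session without printing any secret. The variable names SM_API_KEY, SM_CLIENT_CERT_FILE and SM_CLIENT_CERT_PASSWORD are assumptions, since this page does not name them; substitute the names your signing client reads.

```python
import os

# Assumed variable names (this page does not name them); adjust to your client.
REQUIRED = ("SM_API_KEY", "SM_CLIENT_CERT_FILE", "SM_CLIENT_CERT_PASSWORD")


def preflight(env=None):
    """Return a list of problems that would leave the signing call unauthenticated.

    Values are never echoed, so the output is safe to paste into a ticket.
    """
    env = os.environ if env is None else env
    problems = []
    for name in REQUIRED:
        value = env.get(name)
        if value is None:
            # Typical when the variable was set in a different shell session.
            problems.append(f"{name}: not set in this session")
            continue
        core = value.strip()
        if not core:
            problems.append(f"{name}: set but empty")
            continue
        if value != core:
            # cmd.exe `set NAME=value ` keeps the trailing space in the value.
            problems.append(f"{name}: leading or trailing whitespace")
        if len(core) >= 2 and core[0] == core[-1] and core[0] in "\"'":
            # cmd.exe `set NAME="value"` stores the quotes as part of the value.
            problems.append(f"{name}: wrapped in literal quotes")
    # Check the certificate path itself, ignoring stray quotes or spaces.
    cert = env.get("SM_CLIENT_CERT_FILE", "").strip().strip("\"'")
    if cert and not os.path.isfile(cert):
        problems.append("SM_CLIENT_CERT_FILE: file does not exist")
    elif cert and os.path.getsize(cert) == 0:
        problems.append("SM_CLIENT_CERT_FILE: file is empty")
    return problems


if __name__ == "__main__":
    found = preflight()
    for line in found:
        print("FAIL", line)
    raise SystemExit(1 if found else 0)
```

Run it from the same shell that will invoke jarsigner; a session-based variable set in another window is reported as not set.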