Jarsigner errors and solutions

The following errors may occur while signing with Jarsigner.

KeyStore load failed

Error message

jarsigner error: java.lang.RuntimeException: keystore load: load failed

Description

This is a general error that can have several causes.

Solution

  1. Use -verbose and -debug to get more detail on why the operation is failing.

  2. Check the smpkcs11.log file.

    Tip

    To identify where your logs are located, run the following command in SMCTL:

    echo %USERPROFILE%/.signingmanager/logs

    For more information on how to interpret logs, refer to Signing errors.

CKR_FUNCTION_FAILED

Error message

CKR_FUNCTION_FAILED

Description

This is a general error that can have several causes.

Solution

  1. Use -verbose and -debug to get more detail on why the operation is failing.

  2. Check the smpkcs11.log file.

    Tip

    To identify where your logs are located, run the following command in SMCTL:

    echo %USERPROFILE%/.signingmanager/logs

    For more information on how to interpret logs, refer to Signing errors.

Signer’s certificate chain is invalid warning when signing and verifying a jar

Error message

Warning:
The signer's certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Description

This warning occurs when the certificate used in the sign operation was generated using a private trust and the root and intermediate certificates have not been imported into the JDK cacerts KeyStore.

Solution

Resolve this by using a public trust, or by importing the private trust root CA certificate and intermediate issuing CA certificate from the DigiCert ONE portal into the JDK cacerts KeyStore.

Self-signed certificate warning

Error message: When signing Java files with jarsigner, using a certificate created with Java keytool, the jarsigner success message may include a warning:

Warning:
The signer's certificate is self-signed.

Description

This warning occurs because some versions of keytool mistakenly mark the certificate as self-signed during creation when the keystore that contains the signing certificate also contains the CA certificate from your DigiCert ONE account.

Solution

Create a new certificate using the same keypair in either:

Provider "com.digicert.jce.Provider" not found

Error message

jarsigner error: java.lang.Exception: Provider "com.digicert.jce.Provider" not found

Description

This error occurs because your API key and client authentication certificate password are stored in a properties file, Windows Credential Manager, Pass, or Keychain Access.

Solution

When signing relies on the JCE library, store your API key and client authentication certificate password using one of the following methods:

  • Session-based environment variables.

  • Persistent environment variables.

User is not multi-factor authenticated

Error message

jarsigner: unable to sign jar: feign.FeignException$Forbidden: [403 Forbidden] during [POST] to [https://clientauth.one.digicert.com/signingmanager/api/v1/keypairs/ab4edb6d-3cc5-44f8-8106-aa30b9edc72c/sign] [STM#sign(SignatureRequest,String)]: [{"error":{"status":"access_denied","message":"User is not multi-factor authenticated. Missing Client Authentication Certificate. As per compliance rules, user needs to be authenticated using multi-factor for performing sign operation."}}] 

Description

This error occurs when your API key or client authentication certificate password was not provided.

Solution

When signing relies on the JCE library, store your API key and client authentication certificate password using one of the following methods:

  • Session-based environment variables.

  • Persistent environment variables.
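
A preflight check for the two credential errors above (Provider not found, User is not multi-factor authenticated), written for a POSIX shell on Linux or macOS as an added example that is not DigiCert's code: it confirms the credentials are exported to child processes before jarsigner starts, and never prints their values. The variable names SM_API_KEY, SM_CLIENT_CERT_PASSWORD and SM_CLIENT_CERT_FILE are assumptions, since this page does not name them, and the file-permission check is an extra hardening step.

```shell
#!/bin/sh
# Added example (not DigiCert code). Assumed variable names, not shown on this
# page: SM_API_KEY, SM_CLIENT_CERT_PASSWORD, SM_CLIENT_CERT_FILE.

# Succeeds only if NAME is non-empty in a *child* process's environment,
# which is what the JVM started by jarsigner actually inherits.
in_child_env() {
  case "$1" in ''|*[!A-Za-z0-9_]*) return 2 ;; esac  # plain identifiers only
  sh -c '[ -n "${'"$1"':-}" ]'
}

# Reports each problem by variable name only (never a value) and returns the
# number of problems, so 0 means the credentials are visible to jarsigner.
preflight() {
  problems=0
  for name in SM_API_KEY SM_CLIENT_CERT_PASSWORD SM_CLIENT_CERT_FILE; do
    in_child_env "$name" && continue
    if eval "[ -n \"\${$name:-}\" ]"; then
      echo "$name is set in this shell but not exported; jarsigner will not see it"
    else
      echo "$name is not set"
    fi
    problems=$((problems + 1))
  done
  if in_child_env SM_CLIENT_CERT_FILE; then
    if [ ! -f "$SM_CLIENT_CERT_FILE" ] || [ ! -r "$SM_CLIENT_CERT_FILE" ]; then
      echo "SM_CLIENT_CERT_FILE does not point to a readable file"
      problems=$((problems + 1))
    elif [ -n "$(find -L "$SM_CLIENT_CERT_FILE" \( -perm -040 -o -perm -004 \))" ]; then
      echo "SM_CLIENT_CERT_FILE is readable by group or others; restrict it with chmod 600"
      problems=$((problems + 1))
    fi
  fi
  return "$problems"
}

# Usage: preflight && jarsigner <your usual arguments>
```

A variable assigned without `export` passes an interactive `echo` test but is invisible to the jarsigner process, which is why the check runs in a child shell.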

Note

If you are not signing with the JCE library, follow one of these methods to configure your credentials.