Skip to main content

Jarsigner errors and solutions

The following errors may occur while signing with Jarsigner.

KeyStore load failed

Error message

jarsigner error: java.lang.RuntimeException: keystore load: load failed

Description

This error message occurs for general errors and may occur due to several reasons.

Solution

  1. Use -verbose and -debug to get more detail on why the operation is failing.

  2. Check the smpkcs11.log file.

    Dica

    To identify where your logs are located, run the following command in SMCTL:

    echo %USERPROFILE%/.signingmanager/logs

    For more information on how to interpret logs, refer to Signing errors.

CKR_FUNCTION_FAILED

Error message

CKR_FUNCTION_FAILED

Description

This error message is more of a general error and may occur due to several reasons.

Solution

  1. Use -verbose and -debug to get more detail on why the operation is failing.

  2. Check the smpkcs11.log file.

    Dica

    To identify where your logs are located, run the following command in SMCTL:

    echo %USERPROFILE%/.signingmanager/logs

    For more information on how to interpret logs, refer to Signing errors.

Signer’s certificate chain is invalid warning when signing and verifying a jar

Error message:

Warning:
The signer's certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Description

This error message occurs when using a private trust for generating the certificate used in the sign operation and the root and intermediate certificates are not imported into JDK cacerts KeyStore.

Solution

Solve this error by using a public trust or importing the private trust root CA certificate and intermediate issuing CA certificate from the DigiCert ONE portal into JDK cacerts KeyStore.

Self-signed certificate warning

Error message: When signing Java files with jarsigner, using a certificate created with Java keytool, the jarsigner success message may include a warning:

Warning:
The signer's certificate is self-signed.

Description

This error is due to some versions of keytool mistakenly marking the certificate as self-signed during creation, when the keystore that contains the signing certificate also contains the CA certificate from your DigiCert ONE account.

 

Solution

Create a new certificate using the same keypair in either:

Provider "com.digicert.jce.Provider" not found

Error message

jarsigner error: java.lang.Exception: Provider "com.digicert.jce.Provider" not found

Description

This error message occurred because your API key and client authentication certificate password are stored in a properties file, Windows Credential Manager, Pass, or Keychain Access.

Solution

When signing relies on the JCE library, store your API key and client authentication certificate password using one of the following methods:

  • Session-based environment variables.

  • Persistent environment variables.

User is not multi-factor authenticated

Error message

jarsigner: unable to sign jar: feign.FeignException$Forbidden: [403 Forbidden] during [POST] to [https://clientauth.one.digicert.com/signingmanager/api/v1/keypairs/ab4edb6d-3cc5-44f8-8106-aa30b9edc72c/sign] [STM#sign(SignatureRequest,String)]: [{"error":{"status":"access_denied","message":"User is not multi-factor authenticated. Missing Client Authentication Certificate. As per compliance rules, user needs to be authenticated using multi-factor for performing sign operation."}}] 

Description

This error occurs when your API key or client authentication certificate password were not provided.

Solution

When signing relies on the JCE library, store your API key and client authentication certificate password using one of the following methods:

  • Session-based environment variables.

  • Persistent environment variables.

Nota

If you are not signing with the JCE library, follow one of these methods to configure your credentials.