The following errors may occur while signing with Jarsigner.
Error message
jarsigner error: java.lang.RuntimeException: keystore load: load failed
This error message occurs for general errors and may occur due to several reasons.
Use -verbose and -debug to get more detail on why the operation is failing.
Check the smpkcs11.log file.
To identify where your logs are located, run the following command in SMCTL:
echo %USERPROFILE%/.signingmanager/logs
For more information on how to interpret logs, refer to Signing errors.
Error message
This error message is more of a general error and may occur due to several reasons.
Use -verbose and -debug to get more detail on why the operation is failing.
Check the smpkcs11.log file.
To identify where your logs are located, run the following command in SMCTL:
echo %USERPROFILE%/.signingmanager/logs
For more information on how to interpret logs, refer to Signing errors.
Error message:
The signer's certificate chain is invalid. Reason: PKIX path building failed: unable to find valid certification path to requested target
This error message occurs when using a private trust for generating the certificate used in the sign operation and the root and intermediate certificates are not imported into JDK cacerts KeyStore.
Solve this error by using a public trust or importing the private trust root CA certificate and intermediate issuing CA certificate from the DigiCert ONE portal into JDK cacerts KeyStore.
Error message: When signing Java files with jarsigner, using a certificate created with Java keytool, the jarsigner success message may include a warning:
The signer's certificate is self-signed.
This error is due to some versions of keytool mistakenly marking the certificate as self-signed during creation, when the keystore that contains the signing certificate also contains the CA certificate from your DigiCert ONE account.
Create a new certificate using the same keypair in either:
DigiCert® Software Trust Manager
Error message
jarsigner error: java.lang.Exception: Provider "com.digicert.jce.Provider" not found
This error message occurred because your API key and client authentication certificate password are stored in a properties file, Windows Credential Manager, Pass, or Keychain Access.
When signing relies on the JCE library, store your API key and client authentication certificate password using one of the following methods:
Session-based environment variables.
Persistent environment variables.
Error message
jarsigner: unable to sign jar: feign.FeignException$Forbidden: [403 Forbidden] during [POST] to [] [STM#sign(SignatureRequest,String)]: [{"error":{"status":"access_denied","message":"User is not multi-factor authenticated. Missing Client Authentication Certificate. As per compliance rules, user needs to be authenticated using multi-factor for performing sign operation."}}]
This error occurs when your API key or client authentication certificate password were not provided.
When signing relies on the JCE library, store your API key and client authentication certificate password using one of the following methods:
Session-based environment variables.
Persistent environment variables.
If you are not signing with the JCE library, follow one of these methods to configure your credentials.