Jarsigner Errors and Solutions

Certificate Chain Not Found Error

Error Message
jarsigner: Certificate chain not found for: <Certificate Alias>.  <Certificate Alias> CA must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.

Problem

This error message appears when the Certificate Alias provided is incorrect or the certificate corresponding to the alias has been deleted from the Windows Key Storage. Without a valid alias referencing a certificate entry, the signing process cannot proceed.

Solution

To resolve this issue, follow these steps:
  1. Verify the Certificate Alias: Ensure that the Certificate Alias provided in the command matches the one that was generated in the README.
  2. Reinstall the Required Certificates:
    • If the certificate is missing or was deleted, rerun the SIGN+ Installer to reinstall the necessary certificates.
    • Ensure the installer completes successfully without errors.
  3. Retry the Command:
    • After verifying or reinstalling the certificate, reattempt the command with the correct alias.

Signer’s certificate chain is invalid warning when signing and verifying a jar

Error Message
Warning:
The signer's certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Problem

This warning occurs when signing or verifying a JAR file using a certificate generated with a private trust. The root and intermediate certificates associated with the private trust have not been imported into the JDK cacerts KeyStore, so the Java security framework cannot validate the certificate chain and reports it as invalid.

Solution

To resolve this warning, you can either:
  1. Use a Public Trust:
    • Use certificates issued by a publicly trusted Certificate Authority (CA). These public CAs are already included in the JDK cacerts KeyStore by default, ensuring that the certificate chain can be validated without additional configuration.
  2. Import Certificates into the JDK cacerts KeyStore:
    • If using a private trust, manually import the Root CA certificate and the Intermediate Issuing CA certificate into the JDK cacerts KeyStore.

Jarsigner: Not a Private Key

Error Message
jarsigner: key associated with <Certificate Alias> not a private key

Problem

This error occurs when the AppViewX CSP Library or its dependent library files are missing or have been deleted. Without these libraries, the system cannot access or associate the private key required for the signing operation.

Solution

To resolve this error, follow these steps:
  1. Reinstall the AppViewX CSP Library:
    • Locate the SIGN+_Package that was previously downloaded.
    • Run the SIGN+_Installer included in the package. This installer will reinstall and restore the required library files, including the AppViewX CSP Library and its dependencies.
  2. Retry the Signing Command: After the installation is complete, rerun the signing command that was generated in the README.

Java: ProviderException

Error Message

Jarsigner with PKCS#11 Windows:
jarsigner error: java.security.ProviderException: Library C:\Windows\System32\AVXPKCS11V1.dll does not exist

Jarsigner with PKCS#11 Linux:
jarsigner error: java.lang.reflect.InvocationTargetException

JSign and APKSigner with PKCS#11:
java.security.ProviderException: Failed to create a SunPKCS11 provider from the configuration <Path to AVXPKCS11V1.cfg>

Problem

These error messages occur when the AppViewX PKCS#11 Library or its dependent library files are missing, have been deleted, or have been moved from their original installation location. This prevents the signing tools or the Java PKCS#11 provider from accessing the libraries needed for PKCS#11 operations.

Solution
  1. Locate the SIGN+_Package that contains the SIGN+_Installer.
  2. Run the SIGN+_Installer to reinstall and restore the AppViewX PKCS#11 Library along with its dependencies. This step will ensure that:
    • The required files (e.g., AVXPKCS11V1.dll for Windows or equivalent libraries for Linux) are copied to their correct locations.
    • The configuration file (AVXPKCS11V1.cfg) is updated and correctly placed.
  3. Verify Library Installation: After running the installer, ensure that:
    • On Windows, the AVXPKCS11V1.dll file is present in the C:\Windows\System32\ directory.
    • On Linux, verify the location of the PKCS#11 library file and ensure the configuration file path matches the installation.
  4. Retry the Signing Command: Execute the signing command that was generated in the README again, with the correct configuration and library paths.
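
A pre-flight check for step 3 on Linux, added here as an example and not part of the SIGN+ package: it reads the `library` attribute from a SunPKCS11 configuration file and confirms that the file it names is present before a signing tool is run. The function names, the sample config, the token name and the library filename are constructed placeholders.

```shell
#!/bin/sh
# Added example: check that a SunPKCS11 config points at a library that exists.
# SunPKCS11 configs are "attribute = value" lines; '#' starts a comment line.

# Print the value of one attribute (for example: library, name).
# $1 = config file, $2 = attribute name
pkcs11_cfg_get() {
    tr -d '\r' < "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" |
        sed 's/[[:space:]]*$//' |
        head -n 1
}

# Exit codes: 0 = usable, 2 = config not readable,
#             3 = no library attribute, 4 = library file missing or unreadable.
pkcs11_preflight() {
    cfg=$1
    [ -r "$cfg" ] || { echo "config not readable: $cfg" >&2; return 2; }
    lib=$(pkcs11_cfg_get "$cfg" library)
    [ -n "$lib" ] || { echo "no 'library' attribute in $cfg" >&2; return 3; }
    [ -r "$lib" ] || { echo "library missing or unreadable: $lib" >&2; return 4; }
    echo "ok: $(pkcs11_cfg_get "$cfg" name) -> $lib"
}

# Demo on constructed files (placeholder names, not the vendor's files).
demo_dir=$(mktemp -d)
: > "$demo_dir/libsample-pkcs11.so"
printf '# constructed sample\nname = SampleToken\nlibrary = %s\n' \
    "$demo_dir/libsample-pkcs11.so" > "$demo_dir/sample.cfg"

pkcs11_preflight "$demo_dir/sample.cfg"

# Simulate a deleted or moved library: the condition behind the ProviderException.
rm "$demo_dir/libsample-pkcs11.so"
pkcs11_preflight "$demo_dir/sample.cfg" || echo "preflight failed with exit code $?"

rm -rf "$demo_dir"
```

Exit code 4 corresponds to the missing or moved library described in the Problem section; codes 2 and 3 indicate that the configuration file itself is absent or incomplete.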