> 在 2015年10月1日,上午2:51,Sean Mullan <sean.mul...@oracle.com> 写道: > >> The jarsigner from jdk9/dev can not, giving me the error >> >> jarsigner: unable to sign jar: javax.net.ssl.SSLException: >> java.lang.RuntimeException: Unexpected error: >> java.security.InvalidAlgorithmParameterException: the trustAnchors parameter >> must be non-empty >> >> I’m unsure what that means, and searching for it has not turned up anything >> useful except that it might be limited to Mac OS/X. If anyone can help me >> here, I’d appreciate it. > > This means it could not find a trusted root CA from the cacerts file to > validate the certificate chain. By default, OpenJDK includes an empty cacerts > file. You need to do a jdk9 build with the closed sources, as that is where > the trusted roots are.
If this is the problem, I think it's a bug. When jarsigner is signing it uses a key pair inside a keystone specified by -keystore. I don't see a reason why cacerts must be populated. Can you add a -debug option to show the full exception stack info? I even could not see how SSL is involved here. Thanks Max