>>> The jarsigner from jdk9/dev can not, giving me the error >>> >>> jarsigner: unable to sign jar: javax.net.ssl.SSLException: >>> java.lang.RuntimeException: Unexpected error: >>> java.security.InvalidAlgorithmParameterException: the trustAnchors >>> parameter must be non-empty >>> >>> I’m unsure what that means, and searching for it has not turned up anything >>> useful except that it might be limited to Mac OS/X. If anyone can help me >>> here, I’d appreciate it. >> >> This means it could not find a trusted root CA from the cacerts file to >> validate the certificate chain. By default, OpenJDK includes an empty >> cacerts file. You need to do a jdk9 build with the closed sources, as that >> is where the trusted roots are. > > If this is the problem, I think it's a bug. When jarsigner is signing it uses > a key pair inside a keystone specified by -keystore. I don't see a reason why > cacerts must be populated.
I copied a cacerts file from an official Oracle early access release of JDK 9 and it started working. > > Can you add a -debug option to show the full exception stack info? I even > could not see how SSL is involved here. Would you still like me to do this?