Hello,

It is a bit unfortunate, but the JCE code signing roots are not part of the cacerts file. They are hardcoded in the Oracle JDK and not present in OpenJDK, as far as I understand it.
It is documented here that those CAs are not available for general deployments: https://www.oracle.com/java/technologies/javase/getcodesigningcertificate.html

Regards,
Bernd
--
http://bernd.eckenfels.net

________________________________
From: security-dev <security-dev-r...@openjdk.java.net> on behalf of Raj Arora <raj.arora.sw....@gmail.com>
Sent: Wednesday, December 2, 2020 8:29:28 PM
To: security-dev@openjdk.java.net <security-dev@openjdk.java.net>
Subject: jar signing and verification

Hi,

In attempting to validate jar signing I am seeing warnings such as these, displaying "Invalid certificate chain":

-----------------------
>jarsigner -verify -certs bcprov-jdk15on-1.66.jar

s     606774 Sat Jul 04 15:48:42 EDT 2020 META-INF/MANIFEST.MF

      >>> Signer
      X.509, CN=Legion of the Bouncy Castle Inc., OU=Java Software Code Signing, O=Sun Microsystems Inc
      [certificate expired on 4/25/20 3:00 AM]
      X.509, CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Sun Microsystems Inc, L=Palo Alto, ST=CA, C=US
      [certificate expired on 4/25/20 3:00 AM]
      [Invalid certificate chain: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
      >>> Signer
      X.509, CN=Legion of the Bouncy Castle Inc., OU=Java Software Code Signing, O=Oracle Corporation
      [certificate is valid from 3/10/17 8:07 PM to 3/10/22 8:07 PM]
      X.509, CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Oracle Corporation
      [certificate is valid from 7/6/16 7:48 PM to 12/30/30 7:00 PM]
      [Invalid certificate chain: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
-----------------------

jarsigner -keystore ...\jre\lib\security\cacerts -verify -verbose -certs bcprov-jdk15on-1.66.jar >out.txt

s     606774 Sat Jul 04 15:48:42 EDT 2020 META-INF/MANIFEST.MF

      X.509, CN=Legion of the Bouncy Castle Inc., OU=Java Software Code Signing, O=Sun Microsystems Inc
      [certificate expired on 4/25/20 3:00 AM]
      X.509, CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Sun Microsystems Inc, L=Palo Alto, ST=CA, C=US
      [certificate expired on 4/25/20 3:00 AM]
      [CertPath not validated: Path does not chain with any of the trust anchors]
      [entry was signed on 7/4/20 1:48 AM]
      X.509, CN=Legion of the Bouncy Castle Inc., OU=Java Software Code Signing, O=Oracle Corporation
      [certificate is valid from 3/10/17 8:07 PM to 3/10/22 8:07 PM]
      X.509, CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Oracle Corporation
      [certificate is valid from 7/6/16 7:48 PM to 12/30/30 7:00 PM]
      [CertPath not validated: Path does not chain with any of the trust anchors]
-----------------------

Why do we get warnings of "Invalid certificate chain"? (I do not believe it's related to the expired warning, as I see newer jars exhibiting the same outcome without an expired notice.)

Is the jar incorrectly signed, or is the required chain simply not found in cacerts, and if so, why is it not there? I do see that at the end of the listing it says "jar verified".

The samples in https://docs.oracle.com/en/java/javase/15/docs/specs/man/jarsigner.html#errors-and-warnings seem to show a fully validated chain.

Thanks,
Raj
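The thread turns on the difference between "the signature verifies" (jarsigner's "jar verified") and "the signer's chain ends at a trust anchor in the keystore you supplied" (the "Path does not chain with any of the trust anchors" warning). The following Java check is an added example, not code from either poster or from the JDK; it takes a jar path and a keystore path as arguments and assumes the keystore uses the JDK's default cacerts password "changeit":

```java
import java.io.File;
import java.io.InputStream;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (not from the thread): for each signer in a jar, report whether the
// signature verifies and whether its chain builds to a trust anchor in the given keystore.
// Usage: java JarTrustCheck.java <jar> <path/to/cacerts>
public class JarTrustCheck {
    // Load every trusted-certificate entry of the keystore as a PKIX trust anchor.
    static PKIXParameters anchorsFrom(File keystore) throws Exception {
        KeyStore ks = KeyStore.getInstance(keystore, "changeit".toCharArray()); // default cacerts password (assumption)
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) anchors.add(new TrustAnchor((X509Certificate) ks.getCertificate(alias), null));
        }
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // no CRL/OCSP fetching here; certificate validity is still checked at "now"
        return params;
    }

    public static void main(String[] args) throws Exception {
        PKIXParameters params = anchorsFrom(new File(args[1]));
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        Map<CertPath, String> verdicts = new LinkedHashMap<>();
        try (JarFile jar = new JarFile(args[0], true)) {            // true = verify signatures while reading
            for (JarEntry entry : Collections.list(jar.entries())) {
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    in.readAllBytes();     // digest check happens during the read; tampering throws SecurityException
                }
                CodeSigner[] signers = entry.getCodeSigners(); // only populated after the entry is fully read
                if (signers == null) { System.out.println("UNSIGNED: " + entry.getName()); continue; }
                for (CodeSigner s : signers) {
                    // The same chain signs many entries, so validate each distinct chain once.
                    verdicts.computeIfAbsent(s.getSignerCertPath(), path -> {
                        try { validator.validate(path, params); return "signature OK, chain trusted"; }
                        catch (GeneralSecurityException e) { return "signature OK, but chain NOT trusted: " + e.getMessage(); }
                    });
                }
            }
        }
        verdicts.forEach((path, v) -> System.out.println(
            ((X509Certificate) path.getCertificates().get(0)).getSubjectX500Principal() + " -> " + v));
    }
}
```

For a jar whose signer chain ends at a CA that is not in the supplied keystore, the reported reason is the PKIX validator's own message, the same "Path does not chain with any of the trust anchors" text that jarsigner printed above, while the entries still read without a SecurityException because the signatures themselves are intact.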