Jarsigner: "This jar contains entries whose certificate chain is not validated."

java applet jarsigner

14,129

Solution 1

Thanks Andrew Thompson. I have unsigned my jar file, and found the bug. It's better unsigned you're right about this, because signing makes no point since I don't need to get out of the sandbox.

For the record, the bug was the use of the jnlp.jar library. In order to make it work, I launched the applet using jnlp/applet code instead of a standard tag.

Solution 2

Just one line answers you question I guess. And if you look closer you'll see it. Here it is

[certificate is valid from 17/08/11 17:32 to 24/07/11 17:32]

As I may hope, you know that today is not July 24 so you just have to re-sign your app

14,129

Author by

Joel

Updated on August 07, 2022

Comments

Joel almost 2 years

I get the following error on a self-signed jar:

jar verified.

Warning:
This jar contains entries whose certificate chain is not validated.

Re-run with the -verbose and -certs options for more details.

I signed the jar like this:

"C:\Program Files\Java\jdk1.7.0\bin\jarsigner" -keystore myKeyStore myJar.jar myAlias

My jar has 2 entry points: One for java web start, and one for an applet.

If I run the jar in a java web start way, it has no incidence.
But if I run the jar as an applet. I get a strong security warning at some point when I try to access a bitmap resource embeded in the jar.

Using the -verbose and -certs options shows a lot of lines. And I don't understand anything of this. This is the output: output.txt (part of the 6307 lines reproduced below).

s     157850 Tue Nov 08 12:57:44 CET 2011 META-INF/MANIFEST.MF

      X.509, O=keyja.com
      [certificate is valid from 17/08/11 17:32 to 24/07/11 17:32]
      [CertPath not validated: null]

      112909 Tue Nov 08 12:57:44 CET 2011 META-INF/KEYJA_CO.SF
        1108 Tue Nov 08 12:57:44 CET 2011 META-INF/KEYJA_CO.RSA
sm       180 Tue Nov 08 12:16:40 CET 2011 com/keyja/client/a/a/a/k.class

      X.509, O=keyja.com
      [certificate is valid from 17/08/11 17:32 to 24/07/11 17:32]
      [CertPath not validated: null]

sm       252 Tue Nov 08 12:16:40 CET 2011 com/keyja/client/a/a/a/r.class
...
(around 6000 lines of other output along the same lines)

  s = signature was verified 
  m = entry is listed in manifest
  k = at least one certificate was found in keystore
  i = at least one certificate was found in identity scope

jar verified.

Warning: 
This jar contains entries whose certificate chain is not validated.

How to sign the jar file ?

Joel over 12 years

It makes sense. I included a link to the output.
Andrew Thompson over 12 years

"If I run the jar in a java web start way, it has no incidence." What level of security permissions does the JWS launch request?
Andrew Thompson over 12 years

If the applet runs sand-boxed as well, why sign the code at all?
Joel over 12 years

because the applet doesn't work if i don't sign it. it should but it doesn't, for a reason I ignore.
Andrew Thompson over 12 years

let us continue this discussion in chat

John Haager over 12 years

If the certificate is no longer valid, then he will have to recreate the certificate to extend the valid time period.
Joel over 12 years

No, it's 24/07/2111, and it's valid.
user592704 over 12 years

I am just wondering... Is it valid from 17/08/2111 17:32 to 24/07/2111 17:32 ?
user592704 over 12 years

Could you provide the key and the cert validation dates?
Cute Bear almost 12 years

so how did you fix it? a little bit more detail please
Joel almost 12 years

I launched the applet using jnlp/applet code instead of a standard html applet tag. docs.oracle.com/javase/tutorial/deployment/deploymentInDepth‌/…