jarsigner: This jar contains entries whose certificate chain is not validated
I have been having the same issue and if it can help others the problem is in how jarsigner finds the keystore.
In order to fix the issue do:
jarsigner -verify -keystore xxxx.jks mysignedjar.jar
You are not missing anything and you are definitely not alone with this problem. After a struggle of almost 12 hours, I figured out that the root of the problem lies in mixing binaries from JDK 1.7 with an older version of Java such as JRE-1.6. To be more precise, keytool comes with JRE, while JDK ships with both keytool and jarsigner.
So, to resolve the issue, I have completely uninstalled JDK-1.7 from my system and installed JDK-1.6 Update 30. Now, if I would do jarsigner -verify -verbose -certs blah.jar it would produce jar verified without any warning which I believe is what you expect.
It's just a warning you can ignore.
If you really don't want to ignore it then tell jarsigner where your keystore is when you verify.
jarsigner -verbose -verify -keystore ${KEYSTORE_PATH} ${YOUR_JAR_FILE}
This is just a new feature in JDK 7.
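The check behind the warning can be reproduced with the standard Java APIs. The program below is an added example, not code from any of the answers above and not jarsigner's own implementation: it reads each JAR entry, then validates the signer's certificate chain against the keystore given on the command line. The class name `VerifyJarChain` is hypothetical, and the example assumes that every X.509 certificate in the keystore counts as a trust anchor and that revocation checking is switched off.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;

// Usage: java VerifyJarChain <keystore.jks> <storepass> <signed.jar>
public class VerifyJarChain {
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        // Assumption: every X.509 certificate in the keystore is a trust anchor.
        Set<TrustAnchor> anchors = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) anchors.add(new TrustAnchor((X509Certificate) c, null));
        }
        PKIXParameters params = new PKIXParameters(anchors); // throws if no anchors were found
        params.setRevocationEnabled(false);                  // simplification: no CRL/OCSP lookups
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        int bad = 0;
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(args[2], true)) {     // true = verify digests and signatures
            for (JarEntry e : Collections.list(jar.entries())) {
                // Simplification: directories and everything under META-INF/ are skipped.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signers are only available once the entry has been read to the end;
                // an entry whose digest does not match throws SecurityException here.
                try (InputStream in = jar.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();   // null for an unsigned entry
                boolean ok = false;
                for (CodeSigner s : signers == null ? new CodeSigner[0] : signers) {
                    try { validator.validate(s.getSignerCertPath(), params); ok = true; break; }
                    catch (CertPathValidatorException ex) { /* try the next signer */ }
                }
                if (!ok) { bad++; System.out.println((signers == null ? "unsigned: " : "chain not validated: ") + e.getName()); }
            }
        }
        System.out.println(bad == 0 ? "all entries chain to the keystore" : bad + " entries failed");
        System.exit(bad == 0 ? 0 : 1);
    }
}
```

A signature that is cryptographically intact but made with a certificate absent from the supplied keystore is reported as "chain not validated", which is the condition the jarsigner warning describes.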