jarsigner: This jar contains entries whose certificate chain is not validated

I have been having the same issue and if it can help others the problem is in how jarsigner finds the keystore.

In order to fix the issue do:

jarsigner -verify -keystore xxxx.jks mysignedjar.jar

You are not missing anything and you are definitely not alone with this problem. After a struggle of almost 12 hours, I figured out that the root of the problem lies in mixing binaries from JDK 1.7 with an older version of Java such as JRE-1.6. To be more precise, keytool comes with JRE, while JDK ships with both keytool and jarsigner.

So, to resolve the issue, I have completely uninstalled JDK-1.7 from my system and installed JDK-1.6 Update 30. Now, if I would do jarsigner -verify -verbose -certs blah.jar it would produce jar verified without any warning which I believe is what you expect.


It's just a warning you can ignore.

If you really don't want to ignore it then tell jarsigner where your keystore is when you verify.

jarsigner -verbose -verify -keystore ${KEYSTORE_PATH} ${YOUR_JAR_FILE}

This is just a new feature in JDK 7.