RFR - 8132734: java.util.jar.* changes to support multi-release jar files

Steve Drach steve.drach at oracle.com
Thu Oct 1 00:21:39 UTC 2015

>>> The jarsigner from jdk9/dev can not, giving me the error
>>> jarsigner: unable to sign jar: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
>>> I’m unsure what that means, and searching for it has not turned up anything useful except that it might be limited to Mac OS/X.  If anyone can help me here, I’d appreciate it.
>> This means it could not find a trusted root CA from the cacerts file to validate the certificate chain. By default, OpenJDK includes an empty cacerts file. You need to do a jdk9 build with the closed sources, as that is where the trusted roots are.
> If this is the problem, I think it's a bug. When jarsigner is signing it uses a key pair inside a keystone specified by -keystore. I don't see a reason why cacerts must be populated.

I copied a cacerts file from an official Oracle early access release of JDK 9 and it started working.

> Can you add a -debug option to show the full exception stack info? I even could not see how SSL is involved here.

Would you still like me to do this?

More information about the core-libs-dev mailing list