RFR - 8132734: java.util.jar.* changes to support multi-release jar files

Wang Weijun weijun.wang at oracle.com
Wed Sep 30 23:35:44 UTC 2015

> 在 2015年10月1日,上午2:51,Sean Mullan <sean.mullan at oracle.com> 写道:
>> The jarsigner from jdk9/dev can not, giving me the error
>> jarsigner: unable to sign jar: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
>> I’m unsure what that means, and searching for it has not turned up anything useful except that it might be limited to Mac OS/X.  If anyone can help me here, I’d appreciate it.
> This means it could not find a trusted root CA from the cacerts file to validate the certificate chain. By default, OpenJDK includes an empty cacerts file. You need to do a jdk9 build with the closed sources, as that is where the trusted roots are.

If this is the problem, I think it's a bug. When jarsigner is signing it uses a key pair inside a keystone specified by -keystore. I don't see a reason why cacerts must be populated.

Can you add a -debug option to show the full exception stack info? I even could not see how SSL is involved here.


More information about the core-libs-dev mailing list