DigiCert KnowledgeBase - Technical Support

Troubleshoot KeyLocker for JarSigner using the Java Cryptography Extension (JCE) Library

Solution ID : TB11
Last Modified : 10/02/2024

This article helps you troubleshoot the common warning and error messages associated with KeyLocker and JarSigner. It covers errors reported when running a healthcheck as well as errors raised by jarsigner during file signing.

Healthcheck Errors:

Your client certificate path or password is incorrect. You will not be able to complete specific actions (such as sign, generate keypairs and approve releases) until these credentials are corrected.

This error can occur if the client certificate path set in your environment variables is incorrect.

Open your Environment Variables and ensure that the following variable is correct:

  • Variable name: SM_CLIENT_CERT_FILE
  • Variable value: C:\clientcertpath\Certificate_pkcs12.p12

Another cause of this error is an incorrect client certificate password in the stored KeyLocker credentials.

  • Run the following command to delete your stored credentials: smctl credentials delete
  • Add your credentials again as follows: smctl credentials save <API token> <client certificate password>

A third possible cause is that the client certificate (the PKCS#12 file) was generated with AES encryption and a SHA-256 signature hash. Older versions of Windows cannot open PKCS#12 files protected this way, so the certificate fails to load even when the path and password are correct.

  • Generate a new client certificate and select AES with a SHA-1 signature hash, or select 3DES encryption. Prefer the AES option where it works: 3DES is a legacy algorithm and should only be used if the AES/SHA-1 combination is also rejected.

Status: Connection failed

This error can be caused by an invalid API key.

  • Ensure that the API key string on file is correct. The healthcheck results display it under Credentials; compare it with the API key issued in your DigiCert ONE account.
  • If the API key string is incorrect, delete the existing credentials by running: smctl credentials delete
  • Once the credentials have been deleted, add the correct credentials by running: smctl credentials save <API token> <client certificate password>

Jarsigner: Mapped: No

This status means that DigiCert KeyLocker Tools is unable to locate jarsigner.exe.

  • Check your Environment Variables and ensure that the directory containing jarsigner.exe (the JDK's bin directory) has been added to your PATH.
  • The default location of jarsigner.exe is C:\Program Files\Java\xxxx\bin, where xxxx is the JDK version.
  • For example: C:\Program Files\Java\jdk-17\bin

JarSigner Errors:

jarsigner error: feign.FeignException$Unauthorized: [401 Unauthorized] during [GET] to [https://clientauth.one.digicert.com/signingmanager/api/v1/keypairs?offset=0&limit=100] [STM#keypairs(Integer,Integer,Map)]: [{
  "error" : {
    "status" : "wrong_token",
    "message" : "Invalid JWT/S token."
  }
}]

This error appears if your KeyLocker credentials have not been configured or if an incorrect API key has been used: DigiCert ONE rejects the request with 401 wrong_token before any signing takes place.

Open your Environment Variables and ensure that the following variable is correct:

  • Variable name: SM_API_KEY
  • Variable value: Paste your API key string into this field.

jarsigner: unable to sign jar: feign.FeignException$Forbidden: [403 Forbidden] during [POST] to [https://clientauth.one.digicert.com/signingmanager/api/v1/keypairs/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/sign] [STM#sign(SignatureRequest,String)]: [{"error":{"status":"access_denied","message":"User is not multi-factor authenticated. Missing Client Authentication Certificate. As per compliance rules, user needs to be authenticated using multi-factor for performing sign operation."}}]

This error means that the client authentication certificate was not presented to DigiCert ONE, so the sign request failed the multi-factor requirement. The usual cause is an incorrect client certificate password.

Open your Environment Variables and ensure that the following variable is correct:

  • Variable name: SM_CLIENT_CERT_PASSWORD
  • Variable value: Paste your client certificate password into this field.

Also confirm that SM_CLIENT_CERT_FILE points to the correct .p12 file, as described under Healthcheck Errors.

jarsigner: unable to sign jar: feign.FeignException$Forbidden: [403 Forbidden] during [POST] to [https://clientauth.one.digicert.com/signingmanager/api/v1/keypairs/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/sign] [STM#sign(SignatureRequest,String)]: [{"error":{"status":"access_denied","message":"User - <First_Name Last_Name> does not have privileges to access the keypair - mykeylockercert."}}]

This error occurs if your user has not been added as a signer for the keypair (here mykeylockercert) in DigiCert ONE. The credentials themselves are valid; it is the keypair's signer list that rejects the request. Add the user as a signer on the keypair in DigiCert ONE and retry.

Only one alias can be specified
Please type jarsigner --help for usage

This error appears if the path to either of the library files, digicert-jce-1.0.jar and bcprov-jdk18on-1.77.jar, or the path to the file you want to sign contains spaces, for example c:\files to signpath\myfile.jar. jarsigner splits the unquoted path at the spaces and treats the extra tokens as additional alias arguments.

  • Enclose the full path to each such file in double quotation marks, for example "c:\files to signpath\myfile.jar".

jarsigner: Certificate chain not found for: <keypair alias>.  <keypair alias> must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.

This error means that the keypair alias referenced in the signing command does not match any keypair available through the KeyLocker keystore.

  • Ensure that you use the correct keypair alias in the signing command. Log in to your DigiCert ONE account to view and copy the keypair alias for your code signing certificate.

jarsigner: unable to sign jar: java.lang.NullPointerException: Cannot invoke "String.equalsIgnoreCase(String)" because the return value of "java.net.URI.getScheme()" is null

This error is caused by an incomplete timestamp server URL passed with -tsa: jarsigner reads the URL's scheme and finds none, which happens when the value is a bare hostname without the leading http://. Supply the full URL including the scheme.

jarsigner: unable to sign jar: java.lang.RuntimeException: java.net.SocketTimeoutException: Connect timed out

This error is caused by using https:// instead of http:// in the timestamp URL. Correct the URL to its http:// form. If the URL already uses http:// and the error persists, the connection itself is being blocked, so check proxy and firewall access from the signing host to the timestamp server.

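The conditions behind the Healthcheck Errors section and the two timestamp URL errors above can be checked locally before you run a signing job. The PowerShell script below is an added example written for this article; it is not part of DigiCert's KeyLocker tooling. It reads the documented SM_CLIENT_CERT_FILE, SM_CLIENT_CERT_PASSWORD and SM_API_KEY variables, tries to open the client certificate with the configured password, looks for jarsigner.exe on PATH, and validates the timestamp URL. The value of $TsaUrl is an assumed placeholder that you should replace with the URL you pass to jarsigner -tsa, and the EphemeralKeySet flag assumes .NET Framework 4.7.2 or later. The script does not contact DigiCert ONE, so it cannot detect a wrong API key or a missing signer assignment; those still surface as the 401 and 403 errors described above.

```powershell
# Added preflight check for the KeyLocker + JarSigner setup described in this article.
# Not DigiCert's code; it only validates the local pieces whose misconfiguration
# produces the healthcheck and jarsigner errors above. Assumed values are marked.

$TsaUrl = 'http://timestamp.example'   # ASSUMED placeholder: use your own jarsigner -tsa URL

function Test-KeyLockerPreflight {
    param(
        [string]$ClientCertFile     = $env:SM_CLIENT_CERT_FILE,
        [string]$ClientCertPassword = $env:SM_CLIENT_CERT_PASSWORD,
        [string]$ApiKey             = $env:SM_API_KEY,
        [string]$TimestampUrl       = $TsaUrl
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # 1. SM_API_KEY: an unset or empty key ends in the 401 "Invalid JWT/S token" error.
    if ([string]::IsNullOrWhiteSpace($ApiKey)) {
        $problems.Add('SM_API_KEY is not set; jarsigner would fail with 401 wrong_token')
    }

    # 2. SM_CLIENT_CERT_FILE must point at an existing .p12 file.
    if ([string]::IsNullOrWhiteSpace($ClientCertFile) -or
        -not (Test-Path -LiteralPath $ClientCertFile -PathType Leaf)) {
        $problems.Add("SM_CLIENT_CERT_FILE does not point at a file: '$ClientCertFile'")
    }
    else {
        # 3. Open the PKCS#12 with the configured password. A wrong password, or a file
        #    encrypted with an algorithm this Windows build cannot handle (the AES +
        #    SHA-256 case in the article), both throw here instead of later as the 403
        #    "Missing Client Authentication Certificate" error at signing time.
        try {
            # EphemeralKeySet (assumed .NET Framework 4.7.2+) keeps the private key out
            # of the persistent key store; this is only a load test.
            $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                        $ClientCertFile, $ClientCertPassword, $flags)
            if (-not $cert.HasPrivateKey) {
                $problems.Add('client certificate loaded but contains no private key')
            }
            elseif ($cert.NotAfter -lt (Get-Date)) {
                $problems.Add("client certificate expired on $($cert.NotAfter)")
            }
        }
        catch {
            $problems.Add("cannot open client certificate with SM_CLIENT_CERT_PASSWORD: $($_.Exception.Message)")
        }
    }

    # 4. jarsigner.exe must be resolvable on PATH (the "Jarsigner: Mapped: No" condition).
    $jarsigner = Get-Command jarsigner.exe -ErrorAction SilentlyContinue
    if (-not $jarsigner) {
        $problems.Add('jarsigner.exe not found on PATH; add the JDK bin directory, e.g. C:\Program Files\Java\jdk-17\bin')
    }

    # 5. Timestamp URL: no scheme -> NullPointerException in jarsigner; https -> connect timeout.
    $uri = $null
    if (-not [System.Uri]::TryCreate($TimestampUrl, [System.UriKind]::Absolute, [ref]$uri)) {
        $problems.Add("timestamp URL '$TimestampUrl' is not an absolute URL (it needs the http:// scheme)")
    }
    elseif ($uri.Scheme -ne 'http') {
        $problems.Add("timestamp URL uses scheme '$($uri.Scheme)'; the article specifies http:// for -tsa")
    }

    return $problems
}

# Helper for the "Only one alias can be specified" error: quote any argument that
# contains whitespace so jarsigner receives it as a single token.
function ConvertTo-JarSignerArg {
    param([Parameter(Mandatory)][string]$Path)
    if ($Path -match '\s') { return '"' + $Path + '"' } else { return $Path }
}

$issues = @(Test-KeyLockerPreflight)
if ($issues.Count -eq 0) {
    Write-Host 'Preflight OK: credentials, client certificate, jarsigner and timestamp URL look usable.'
}
else {
    $issues | ForEach-Object { Write-Warning $_ }
}

# Build the jar argument for a path with spaces, as the article recommends.
$jarArg = ConvertTo-JarSignerArg 'C:\files to signpath\myfile.jar'
Write-Host "jar argument: $jarArg"
```

Run the script in the same PowerShell session (or the same user context) that will run jarsigner, so that it sees the same environment variables and PATH. A failure in step 3 on a host that is otherwise correctly configured is the symptom to look for when an older Windows version cannot open an AES/SHA-256 PKCS#12 file.
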
For details on setting KeyLocker up for use with JarSigner see Configure KeyLocker for JarSigner using the Java Cryptography (JCE) Library.