How to Fix the ‘Jarsigner: Certificate Chain Not Found For […]’ Error

Buy Code Signing Certificate
1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)

Does the following Jarsigner code signing certificate chain error leave you perplexed? Let’s find out how to fix it.

During the code signing process, all signing tools (e.g., Jarsigner) access the Keystore to ensure that it includes the valid chain of trust certificates (i.e., the code signing certificate, any intermediate CAs, and the root CA) and your private key. If something goes wrong during the check, then your files aren’t signed and the Jarsigner ‘certificate chain not found” warning may display.  

Editor’s Note: This article is one in a series of pieces we will publish over the next few weeks that aim to help resolve code signing-related errors for SignTool, Jarsigner, Electron, and Windows.

What Does ‘Jarsigner: Certificate Chain Not Found For […]’ Mean

This code signing error indicates that the Keystore item to use for signing either isn’t specified or is incorrect or otherwise invalid.

An example screenshot showing the error "Jarsigner: Certificate chain not found for: ___."
Image caption: The screenshot shows the certificate chain not found error.

Possible Cause(s) of This Certificate Chain Error

1. Syntax error. Your signing script doesn’t explicitly specify the correct Keystore or keystoretype for the signature. If you’re using a hardware token to store your certificate, which isn’t considered a file-based keystore, then you’ll need to create a file named eToken.cfg (if you don’t already have one set up) in your JDK bin folder.

2. At least one trust certificate is missing. The specified Keystore doesn’t contain all of the chain of trust certificates. This error could also result from your signing command not correctly referencing the right keypair alias.

Boost User Trust in Your JAR Files — Save Up to 21% on a Java Code Signing Certificate

Prove your Java apps and JAR files are legitimate by signing them with a Java code signing certificate. You can get one starting at $211.46/year.

Learn More

How to Fix This Jarsigner Error

Method #1: Review your script and add the wording -storetype PKCS11 before the time stamping information, like this:

jarsigner -keystore NONE -storetype PKCS11 -tsa http://timestamp.digicert.com -providerClass sun.security.pkcs11.SunPKCS11 -providerArg ./eToken.cfg

C:\Users\file_path_to_your_jar_file\example.jar "Alias Info"

NOTE: Notice the ./eToken.cfg file we talked about a little earlier? That’s what will point to your secure USB token where your certificate is stored.

Method #2: Check that the necessary chain of trust’s certificates and your private key are included in the Keystore key entry indicated in your code signing script. Also double-check your command to ensure you’re referencing the correct keypair alias.

Platform(s)/Systems Affected

Java Jarsigner (Windows, Linux, macOS).