Signing a jar file tells me "Failed to load certificate from"

[obones]

Hello,

Following discussion #178, I'm trying to sign a JAR file with a key stored in a Google Cloud HSM, in a Windows environment.
I have thus written the following command in a batch file:

setlocal
@set GOOGLE_TOKEN=file:D:\Path\To\Signature\token

"%JAVA_HOME%\bin\jarsigner" -J-cp -JE:\Downloads\Prog\java\jsign-6.0.jar -J--add-modules -Jjava.sql ^
           -providerClass net.jsign.jca.JsignJcaProvider ^
           -providerArg projects/myproject/locations/europe/keyRings/TheKeyRing ^
           -keystore NONE ^
           -storetype GOOGLECLOUD ^
           -storepass "%GOOGLE_TOKEN%" ^
           -tsa $http://timestamp.entrust.net/TSS/RFC3161sha2TS ^
           -digestalg SHA-256 ^
           -tsadigestalg SHA-256 ^
           -signedjar MyProject.signed.jar ^
           -certchain "D:\Path\With spaces\to\public_key\Certificate_google_cloud.cer" ^
           MyProject.jar ^
           KeyName/cryptoKeyVersions/1 

Where JAVA_HOME points to a java 11.0.24+8 installation.

Sadly, this fails with the following message:

jarsigner error: java.lang.RuntimeException: Failed to load the certificate from

Yes, that's the entire error message, there is nothing after the "from" word.

Looking around here or at large did provide any hint as to what I missed, but to me me it's like there is an empty parameter that I did not provide.

Any help would be greatly appreciated.

[ebourg]

Did you try with the latest snapshot ? https://github.com/ebourg/jsign/actions/runs/10063296846/artifacts/1731567034

[ebourg]

Could you try signing a .exe file with Jsign? If there is a permission issue with the Google account jarsigner may hide it, but Jsign will display more details.

[obones]

I tried and it found an issue with the timestamping server URL where I had an extra $ sign at the front.
I removed it and the exe file was signed just fine. Sadly applying the same fix to the command line for signing the JAR file, while obviously necessary, did not change the outcome: I still get the same error message.
Note that if the authentication token is invalid/expired I do get an appropriate error message explaining that authentication could not be performed. Getting a new token allows to go past that state and end up with the dreaded "Failed to load certificate from" error message

[ebourg]

Did you try with other versions of Java?

[obones]

I just did, and it does not change the result.
However, I finally found what was wrong: Using the version alias!
If I give KeyName/cryptoKeyVersions/1 as the last argument, I get the "Failed to load certificate from" error. But if I only give KeyName then it successfully signs the JAR.
There are warnings, but I'm quite confident they don't come from your code:

The signer's certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

POSIX file permission and/or symlink attributes detected. These attributes are ignored when signing and are not protected by the signature.

The second one, I can't quite do anything about it and the first I believe comes my .cer file maybe missing the entire chain, but it's fine for other usages so I guess I can ignore the warning.

[ebourg]

Thank you for the feedback, I'm glad to hear it works.

If the .cer file contains only the final certificate and not the intermediate CA certificates that may explain the warning.

I'll look into the jarsigner code to understand why it fails with the versioned alias.