Issues with Sectigo code certificate, signed jars reporting as unverified #926

Open
aamcurtis opened this issue Nov 12, 2023 · 2 comments

@aamcurtis

Trying to launch an applet signed via a YubiKey with all intermediary certs included, however ITW is reporting these jars as unverified when trying to run. Have tried using openjdk version 11.0.16.1 and 8.0.382.5. Oracle jdk8 works as expected using the same jnlp.

```
Jar found has been verified as UNSIGNED
App already has trusted publisher: false
netx: Initialization Error: Could not initialize application. (Fatal: Application Error: Cannot grant permissions to unsigned jars. Application requested security permissions, but jars are not signed.)
```

Running jarsigner -verify against the cached jar reports the jar as verified:

```
[entry was signed on 12/11/2023, 18:22]

      >>> Signer
      X.509, CN=Cypher Information Technology Ltd, O=Cypher Information Technology Ltd, ST=Hampshire, C=GB
      [certificate is valid from 22/09/2023, 01:00 to 22/09/2025, 00:59]
      X.509, CN=Sectigo Public Code Signing CA E36, O=Sectigo Limited, C=GB
      [certificate is valid from 22/03/2021, 00:00 to 21/03/2036, 23:59]
      X.509, CN=Sectigo Public Code Signing Root E46, O=Sectigo Limited, C=GB
      [certificate is valid from 28/02/2023, 00:00 to 31/12/2028, 23:59]
      X.509, CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
      [trusted certificate]

      >>> TSA
      X.509, CN="Sectigo RSA Time Stamping Signer #4", O=Sectigo Limited, ST=Manchester, C=GB
      [certificate is valid from 03/05/2023, 01:00 to 03/08/2034, 00:59]
      X.509, CN=Sectigo RSA Time Stamping CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
      [certificate is valid from 02/05/2019, 01:00 to 18/01/2038, 23:59]
```

I suspect it's related to #871 and cross-signed certs are the underlying issue; adding certs to the client keystore isn't really a solution going forward.

@AlBundy33

But the message says that there is an unsigned jar. 🤔
I would assume that there would be another message if an existing signature could not be verified.

In our app we unsign all jars and sign them again with our certificate.

@robert-scheck

From my experience, if you get different results (signed vs. unsigned) for the same *.jar, your chain is either incomplete or ends with a newer root CA which isn't (yet) in the Java trust store of the specific Java distribution. Aside from this, I had to include all intermediate certificates including the root CA itself into the keystore of the signer. Also be careful as "Sectigo Public Code Signing Root E46" and "AAA Certificate Services" exist as self-signed (root), but also as cross-signed (intermediate). If e.g. "AAA Certificate Services" isn't self-signed, you might even need to add "USERTrust RSA Certification Authority" or "USERTrust ECC Certification Authority".
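To check the two conditions named above (incomplete chain, or a chain ending in a root that is not in the JVM trust store), here is a small diagnostic added as an example; it is not code from this issue or from IcedTea-Web. It reads every entry of a signed JAR the way the JDK verifier does, prints each distinct signer chain, says whether the last certificate is self-signed or cross-signed, and reports whether any link of the chain is verifiably issued by a certificate in the JVM's default trust store. The class name and the command-line argument (path to the JAR) are assumptions.

```java
import java.io.InputStream;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.*;
import javax.net.ssl.*;
public class JarChainCheck { // hypothetical diagnostic, not IcedTea-Web code
    // Trust anchors of the JVM default store, keyed by subject DN (duplicate subjects: the last one wins).
    static Map<String, X509Certificate> defaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = JVM default trust store (cacerts, or javax.net.ssl.trustStore if set)
        Map<String, X509Certificate> anchors = new HashMap<>();
        for (X509Certificate c : ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers())
            anchors.put(c.getSubjectX500Principal().getName(), c);
        return anchors;
    }
    static boolean signedBy(X509Certificate c, X509Certificate issuer) { // false if issuer is null (not in store)
        if (issuer == null) return false;
        try { c.verify(issuer.getPublicKey()); return true; } catch (Exception e) { return false; }
    }
    static boolean isSelfSigned(X509Certificate c) { // issuer == subject AND verifies with its own key
        return c.getIssuerX500Principal().equals(c.getSubjectX500Principal()) && signedBy(c, c);
    }
    // True if some cert in the chain was issued, and verifiably signed, by a certificate in the trust store.
    static boolean reachesTrustStore(List<X509Certificate> chain, Map<String, X509Certificate> anchors) {
        return chain.stream().anyMatch(c -> signedBy(c, anchors.get(c.getIssuerX500Principal().getName())));
    }
    public static void main(String[] args) throws Exception {
        Map<String, X509Certificate> anchors = defaultTrustAnchors();
        Set<List<X509Certificate>> seen = new HashSet<>(); // report each distinct signer chain only once
        try (JarFile jar = new JarFile(args[0], true)) { // true = verify signatures as entries are read
            for (JarEntry e : Collections.list(jar.entries())) {
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(e)) { byte[] b = new byte[8192]; while (in.read(b) != -1) {} }
                CodeSigner[] signers = e.getCodeSigners(); // null: entry was read fully but carries no valid signature
                if (signers == null) { System.out.println("UNSIGNED entry: " + e.getName()); continue; }
                for (CodeSigner s : signers) {
                    List<X509Certificate> chain = new ArrayList<>();
                    for (Object c : s.getSignerCertPath().getCertificates()) chain.add((X509Certificate) c);
                    if (!seen.add(chain)) continue;
                    X509Certificate last = chain.get(chain.size() - 1); // CertPath order: signer first, top issuer last
                    for (X509Certificate c : chain) System.out.println("  " + c.getSubjectX500Principal().getName());
                    System.out.println("  -> last cert " + (isSelfSigned(last) ? "is a self-signed root"
                        : "is cross-signed, issued by " + last.getIssuerX500Principal().getName()));
                    System.out.println("  -> " + (reachesTrustStore(chain, anchors) ? "reaches" : "does NOT reach") + " the JVM trust store");
                }
            }
        }
    }
}
```

Run it with the same JDK that ITW uses (`javac JarChainCheck.java && java JarChainCheck app.jar`), since the trust store and the verifier behaviour are those of that JDK; a chain that prints "does NOT reach" under one JDK and "reaches" under another points at the missing root rather than at the JAR.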
