28

I have imported a certificate into a private ~/.keystore file:

keytool -list
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

mylyn-mantis, Jul 15, 2010, trustedCertEntry

and am trying to sign a jar with it, but I get a 'certificate chain not found' error.

jarsigner -verbose  /home/robert/file.jar mylyn-mantis
jarsigner: Certificate chain not found for: mylyn-mantis.  mylyn-mantis must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.

How can I solve this problem?

Robert Munteanu

6 Answers

16

It seems that your keystore contains only a certificate (public key). You need a complete key entry, with a private key and the whole certificate chain, to be able to sign anything.

Maurice Perry
  • Thanks. I received this certificate from a CA. How can I generate a private key to go with it? – Robert Munteanu Jul 15 '10 at 13:35
  • This must be done upfront: you must generate a key pair with a self-signed certificate, then request a signature for your certificate from your CA. – Maurice Perry Jul 15 '10 at 13:39
  • How do I use a wildcard cert supplied from the CA? There isn't a local private in that case. – Brian Knoblauch Aug 05 '13 at 18:22
  • This problem occurred to me when I accidentally forgot to add the alias when using keytool. – erdomester Aug 06 '13 at 19:30
  • I'm having the reverse problem, can you give me a hand? I thought -keygen was supposed to generate public and private keys, but per this question http://stackoverflow.com/questions/19186643/keytool-for-android-generating-only-privatekey it seems like it's not. Thoughts? – Tommy Nicholas Oct 04 '13 at 17:11
  • @Tommy a private key entry always has a certificate chain as well. – Maurice Perry Oct 06 '13 at 11:52
  • @erdomester that's the simplest answer that worked for me. Why can't it say a more comprehensible error like "I couldn't find a key with alias X"? – O'Rooney Feb 04 '20 at 00:32
5

Short Answer

Use your alias key instead of the key store, like this:

jarsigner -verbose -keystore [Your signature storage path] -signedjar [signed filename] [unsigned filename] [Your alias key]

More Details

Here is the easiest way to solve this error:

  1. Go to the bin folder; it may be in this path:

C:\Users\[Your computer name]\jdk\bin

or this path:

C:\Program Files\Java\jre1.8.0_77\bin

  2. To prevent issues caused by the configuration of environment variables, copy both the empty package to be signed and your key store [the private key for signing] to the bin directory under the JDK.

  3. Get your alias key by running this command:

    keytool -keystore [your key store] -list -v

  4. Finally, run this command:

    jarsigner -verbose -keystore [Your signature storage path] -signedjar [signed filename] [unsigned filename] [Your alias key]

Islam Ahmed
3

I faced the same issue. I have a .p12 file issued by a CA and I was trying to sign a jar file. However, I was getting the error:

jarsigner: Certificate chain not found for:

Basically I was copying the alias name from the console. It contained a wrong character, a question mark (?), causing this error. Instead I redirected the output of keytool to a text file and then copied the alias name from there.

  1. Issue this command:

    keytool -list -v -storetype pkcs12 -keystore "mycertificate.p12" > cert.txt

(This is very important. Always redirect to a txt file. Do not copy from console output. It can contain wrong characters.)

  2. Find the alias name in the certificate. Open cert.txt and copy the string exactly as it appears after "Alias name:"

Let's say this string is "my alias name, a.p.’s my ca limited id"

  3. Use jarsigner:

    jarsigner -storetype pkcs12 -keystore "mycertificate.p12" myjarfile.jar "my alias name, a.p.’s my ca limited id"

Atul
2

I had this error, but it was a different issue. When you send off a CSR to a CA it comes from a particular private key with a particular alias that you generated. When you receive the cert back again you must import it using the same alias name or else the two certs will not be wired together.

If you have done it right, when you use keytool -list -v you will see a single entry with the alias name, of type

Entry type: PrivateKeyEntry
Certificate chain length: 3

for the entry. If you have done it wrong, then you will have two entries:

Entry type: PrivateKeyEntry
Certificate chain length: 1

and

Entry type: trustedCertEntry

Andy Piper
  • Your comments on using the same alias name were key to my issue - fortunately didn't take too many times to find this gem. – Bryan Jan 19 '22 at 18:10
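Added example, not from the question or any of the answers: a small Python pre-flight check that parses `keytool -list -v` output and explains, for a given alias, which of the situations described on this page applies before jarsigner is run. It covers the alias not being in the keystore at all (erdomester's comment), the entry being a trustedCertEntry with no private key (the original question and Maurice Perry's answer), the alias having been copied from a console that mangled a non-ASCII character into "?" (Atul's answer), and a key entry that carries only its self-signed certificate because the CA reply was imported under another alias (Andy Piper's answer). The listing it runs on is constructed sample text, not a real keystore, and the parser assumes only the `Alias name:`, `Entry type:` and `Certificate chain length:` lines shown in the answers above.

```python
"""Pre-flight check for jarsigner (added example, not from the question or
answers): parse `keytool -list -v` output and explain why a given alias
would fail to sign.  Assumes the line formats shown on this page
("Alias name:", "Entry type:", "Certificate chain length:")."""
import re

# Constructed sample of `keytool -list -v` output; not real keystore data.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

Alias name: mylyn-mantis
Creation date: Jul 15, 2010
Entry type: trustedCertEntry

Owner: CN=Mylyn Mantis, O=Example
Issuer: CN=Example CA, O=Example

*******************************************

Alias name: release
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=Release Signing, O=Example
Issuer: CN=Example Intermediate CA, O=Example

*******************************************

Alias name: csrkey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=CSR Key, O=Example
Issuer: CN=CSR Key, O=Example

*******************************************

Alias name: my alias name, a.p.’s my ca limited id
Entry type: PrivateKeyEntry
Certificate chain length: 2
"""


def parse_keytool_listing(text):
    """Map each alias (lower-cased, since JKS treats aliases case-insensitively)
    to its entry type and chain length.  keytool prints no chain length for a
    trustedCertEntry, so that stays 0."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip().lower()
            current = entries.setdefault(alias, {"type": None, "chain_length": 0})
        elif current is None:
            continue
        elif line.startswith("Entry type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Certificate chain length:"):
            current["chain_length"] = int(line.split(":", 1)[1].strip())
    return entries


def _is_mangled(ch):
    """'?' or any non-printable-ASCII character: what a console typically
    shows in place of a character it could not render."""
    return ch == "?" or not 32 <= ord(ch) < 127


def find_similar_aliases(alias, known):
    """Aliases that match `alias` once every mangled character is treated as a
    single-character wildcard (catches an alias copied from console output)."""
    pattern = "".join("." if _is_mangled(c) else re.escape(c) for c in alias)
    rx = re.compile(pattern, re.IGNORECASE)
    return [k for k in known if rx.fullmatch(k)]


def diagnose_alias(entries, alias):
    """Return (status, explanation) for signing with `alias`; status is one of
    ok, missing, bad-alias-chars, no-private-key, self-signed-chain."""
    key = alias.lower()
    if key not in entries:
        similar = find_similar_aliases(key, entries) if any(map(_is_mangled, alias)) else []
        if similar:
            return ("bad-alias-chars",
                    f"no entry {alias!r}, but {similar[0]!r} exists: the alias was "
                    "probably copied from console output that mangled a character; "
                    "redirect `keytool -list -v` to a file and copy it from there")
        return ("missing", f"no entry with alias {alias!r}; check for a typo or a "
                           "missing -alias when the key was generated (keytool's "
                           "default alias is \"mykey\")")
    entry = entries[key]
    if entry["type"] != "PrivateKeyEntry":
        return ("no-private-key",
                f"{alias!r} is a {entry['type']} (certificate only); jarsigner needs "
                "a key entry holding the private key and its certificate chain")
    if entry["chain_length"] < 2:
        return ("self-signed-chain",
                f"{alias!r} can sign, but its chain holds only the self-signed "
                "certificate; if a CA reply was imported under a different alias it "
                "was not wired into this entry")
    return ("ok", f"{alias!r} is a PrivateKeyEntry with a chain of length "
                  f"{entry['chain_length']}")


if __name__ == "__main__":
    listing = parse_keytool_listing(SAMPLE_LISTING)
    for candidate in ("mylyn-mantis", "release", "csrkey", "nosuch",
                      "my alias name, a.p.?s my ca limited id"):
        print(candidate, "->", *diagnose_alias(listing, candidate))
```

In practice you would feed it the file produced by `keytool -list -v ... > cert.txt` (as Atul's answer recommends) rather than the embedded sample; the `self-signed-chain` status is a warning rather than an error, because jarsigner will sign with a self-signed key entry, but a chain of length 1 next to a separate trustedCertEntry is exactly the symptom Andy Piper describes of a CA reply imported under the wrong alias.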
0

I encountered this error because I was using a Jenkins "certificate" credential. The Jenkins credential configuration dialog has a text box called Description, whose help says it is a free comment describing the credential. In fact, the Jenkins pipeline block withCredentials uses the Description text box to populate the environment variable named in the aliasVariable property.

withCredentials([certificate(
    credentialsId:    my_credentials,
    keystoreVariable: 'MY_KEYSTORE',
    aliasVariable:    'MY_ALIAS', // Set value in Description textbox
    passwordVariable: 'MY_PASSWORD')]) {
       bat 'mvn clean deploy -Dmy.keystore=%MY_KEYSTORE% -Dmy.alias=%MY_ALIAS% -Dmy.password=\"%MY_PASSWORD%\"'
}

This is not mentioned in the Jenkins documentation.

Steve Mitchell
0

mylyn-mantis should be the actual alias name you used when you generated the signing key.

Myo Win