
For school, I need to sign a jar and was provided with the following tutorial https://docs.oracle.com/javase/tutorial/security/toolsign/.

So, I start with making and compiling a simple program that prints "Hello World!" and put it in a jar with the following command:

jar cvfm Hello.jar MANIFEST.M Hello.class

After that I generate my keys with the following command; it doesn't matter that it's self-signed.

keytool -genkey -alias indy -keystore indystore

After generating my keys I sign my jar with the following command:

jarsigner -tsa http://sha256timestamp.ws.symantec.com/sha256/timestamp -keystore indystore -signedjar SignedHello.jar Hello.jar indy

Now when I want to verify my signed jar I get multiple errors and I don't know why. I'm using adoptopenjdk 11 if that matters.

jarsigner -verify -keystore indystore SignedHello.jar

Errors I get:

  • This jar contains entries whose certificate chain is invalid.

    Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

  • This jar contains entries whose signer certificate is self-signed.

The verbose output with warnings looks like this: [image: verbose jarsigner output]

  • Those are *warnings* not errors. I'd create a separate trust store with just the certificates to trust in it. That's how it is used in the real world after all, the trust store is not going to include the private key. Of course the "self-signed" warning is not going to disappear. – Maarten Bodewes Dec 22 '19 at 15:10
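The separate trust store suggested in the comment above, sketched as an added example that is not part of the original thread. The function names, the `indytrust` file name and the `changeit` password are assumptions made for illustration; `indystore`, `indy` and `SignedHello.jar` are the question's names.

```shell
#!/bin/sh
# Added example: build a certificate-only trust store and verify against it.
# Passwords are passed as arguments for brevity; keytool also accepts
# -storepass:env and -storepass:file to keep them off the command line.

# export_signer_cert KEYSTORE STOREPASS ALIAS OUT_PEM
# Writes only the public certificate; the private key stays in KEYSTORE.
export_signer_cert() {
    keytool -exportcert -rfc -alias "$3" -keystore "$1" -storepass "$2" -file "$4"
}

# make_truststore CERT_PEM ALIAS TRUSTSTORE TRUSTPASS
# Imports the certificate as a trustedCertEntry. -noprompt skips keytool's
# "Trust this certificate?" question, so compare the fingerprint yourself first.
make_truststore() {
    keytool -importcert -noprompt -alias "$2" -file "$1" -keystore "$3" -storepass "$4"
}

# truststore_is_cert_only STORE STOREPASS
# Succeeds only if the store lists a trusted certificate and no private key.
truststore_is_cert_only() {
    listing=$(keytool -list -keystore "$1" -storepass "$2") || return 1
    echo "$listing" | grep -q 'trustedCertEntry' &&
        ! echo "$listing" | grep -q 'PrivateKeyEntry'
}

# verify_jar JAR TRUSTSTORE TRUSTPASS
# -verbose -certs prints the signer certificate for every entry.
verify_jar() {
    jarsigner -verify -verbose -certs -keystore "$2" -storepass "$3" "$1"
}

# Usage with the question's names (indytrust and changeit are placeholders):
#   export_signer_cert indystore changeit indy indy.pem
#   make_truststore indy.pem indy indytrust changeit
#   truststore_is_cert_only indytrust changeit &&
#       verify_jar SignedHello.jar indytrust changeit
```

As the comment says, the self-signed warning is still expected when verifying against this store.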

1 Answer


The same issue is answered on GitLab:

Hans-Christoph Steiner @eighthave: APKs have always been signed by self-signed certificates, since the beginning of Android. That's not new. Java's jarsigner wants devs to use official, CA-signed certificates, hence that warning. Android's apksigner gives more useful warnings and errors when working with APKs. So really, there is nothing new here. It is just that now, you can use Android's apksigner for better results with APKs.

Jozef Hollý @j2ghz: it goes through with the update anyway. I assumed since it's an error that it won't work. It now takes about 2 seconds per apk (5 minutes with 150 apks) instead of ~10 seconds, so that confused me too.

Amr Abd-Alkrim