Using Ksign and Comodo certificate unable to digitally sign Java installer built using JPackage with Java 21, okay with Java 20


My Java application uses Oracle's JPackage to build an installer. I then use ksigncmd to digitally sign the installer using a certificate provided by Comodo.

e.g.

c:\Code\jthink\SongKong>"C:\Program Files\Eclipse Adoptium\jdk-20.0.2.9-hotspot\bin\jpackage" --add-launcher SongKongDebug=songkongdebug.properties --add-launcher SongKongRemote=songkongremote.properties @jpackage.txt

c:\Code\jthink\SongKong>attrib -r SongKong-10.0.exe

c:\Code\jthink\SongKong>C:\Apps\Code\kSign\ksigncmd /d "SongKong Installer" /du "http://jthink.net/songkong" /f c:\code\signing\comodo.pfx /p password SongKong-10.0.exe

This has been working for many years.

To resolve an issue with JPackage I would like to use the Java 21 version of JPackage, but when I do that, signing now fails with "An unknown error has occured. Please contact your vendor for assistance".

e.g.

c:\Code\jthink\SongKong>"C:\Program Files\Eclipse Adoptium\jdk-21.0.1.12-hotspot\bin\jpackage" --add-launcher SongKongDebug=songkongdebug.properties --add-launcher SongKongRemote=songkongremote.properties @jpackage.txt

c:\Code\jthink\SongKong>attrib -r SongKong-10.0.exe

c:\Code\jthink\SongKong>C:\Apps\Code\kSign\ksigncmd /d "SongKong Installer" /du "http://jthink.net/songkong" /f c:\code\signing\comodo.pfx /p password SongKong-10.0.exe
An unknown error has occured. Please contact your vendor for assistance

What could be the change in the Java 21 build that prevents ksigncmd from working?

2

There are 2 best solutions below

1
Harisudan Kuppusami On

Most likely the certificate you are using is not compatible with Java 21.
Solution: Please get a new certificate from the vendor.

Root cause: whenever we upgrade the Java version, we need to recreate keystore files, because each Java version will remove some service providers and add/remove supported algorithms/certificates.

Reference URLs:

  1. https://www.oracle.com/java/technologies/javase/21-relnote-issues.html#JDK-8295894 has the list of security algorithms supported.

  2. https://docs.oracle.com/en/java/javase/21/security/oracle-providers.html#GUID-F41EE1C9-DD6A-4BAB-8979-EB7654094029 has the security certificate provider details.

  3. https://docs.oracle.com/en/java/javase/21/migrate/removed-tools-and-components.html#GUID-D7936F0D-08A9-411E-AD2F-E14A38DA56A7 has information on the list of tools removed from Java 21.

  4. Please refer to the Removed Features and Options section on https://www.oracle.com/java/technologies/javase/21-relnote-issues.html

If the Comodo certificate uses any of these features, Java 21 blocks it and signing will not happen.

0
cyberbrain On

As you are using ksigncmd, you are not using the most current version of kSign (>=3.0.0), because there they are no longer offering a command-line tool. (See K Software's tutorial.)

The manufacturer of kSign recommends Microsoft's own signtool.exe, which is part of the free Windows SDK. It is a super huge download for just that small tool. It is also part of Visual Studio (probably not a smaller download); you can find its reference documentation on the Microsoft homepage as well. That documentation is huge, as signtool.exe is capable of many tasks.

I also found this small guide on how to use signtool.exe with jpackage, but it's from Java 15, so no guarantee that it will work with Java 21.

So while I cannot provide insight into what changed from Java 20 to 21, I hope that the signtool replacement will also work for the latest version, or at least give a better error message.
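
The ksigncmd call from the question expressed with signtool.exe, followed by a verification step, as an added example that is not part of the question or of either answer. It assumes signtool.exe is on PATH, that the PFX password is supplied in a PFX_PASSWORD environment variable (a name chosen here), and that the RFC 3161 timestamp URL, which the page does not give, is passed in from the CA's documentation.

```powershell
# Added example: sign a jpackage installer with signtool.exe and confirm the result.
param(
    [string]$Installer = 'SongKong-10.0.exe',
    [string]$Pfx       = 'c:\code\signing\comodo.pfx',
    [string]$SignTool  = 'signtool.exe',            # assumption: Windows SDK tool on PATH
    [Parameter(Mandatory)][string]$TimestampUrl     # assumption: RFC 3161 URL from your CA
)
$ErrorActionPreference = 'Stop'

# Assumption: the password comes from the environment so it is not stored in the
# build script. It is still visible on signtool's command line while it runs.
$pfxPassword = $env:PFX_PASSWORD
if (-not $pfxPassword) { throw 'Set the PFX_PASSWORD environment variable first.' }

# Same step as "attrib -r" in the question: clear the read-only flag before signing.
Set-ItemProperty -LiteralPath $Installer -Name IsReadOnly -Value $false

# /fd and /td select SHA-256 for the file digest and the timestamp digest;
# /d and /du carry the same description and URL the ksigncmd call used.
& $SignTool sign /v /fd SHA256 /f $Pfx /p $pfxPassword `
    /d 'SongKong Installer' /du 'http://jthink.net/songkong' `
    /tr $TimestampUrl /td SHA256 $Installer
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify against the default Authenticode policy (/pa), the one Windows applies
# to downloaded installers, rather than the driver-signing policy.
& $SignTool verify /pa /v $Installer
if ($LASTEXITCODE -ne 0) { throw "signtool verify failed with exit code $LASTEXITCODE" }

# Independent check through PowerShell: status, signer, and presence of a timestamp.
$sig = Get-AuthenticodeSignature -LiteralPath $Installer
if ($sig.Status -ne 'Valid') { throw "Signature status is $($sig.Status): $($sig.StatusMessage)" }
if (-not $sig.TimeStamperCertificate) { throw 'Signature carries no timestamp.' }
'{0}: {1}, signed by {2}' -f $Installer, $sig.Status, $sig.SignerCertificate.Subject
```

The `/v` switch makes signtool print the certificate chain it selected and the specific failure, which is the detail the generic ksigncmd message does not provide.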