Hi Bernd,

We've found out the problem inside JDK. There is a place where it takes for granted that a trusted chain can be built and then uses the output directly without checking for null. We'll most likely throw a SignatureException instead.
Is it still the same reason that the TSA server sometimes sends the full chain and sometimes not? This is quite interesting.

Thanks,
Max

> On Jul 25, 2020, at 3:03 PM, Bernd Eckenfels <e...@zusammenkunft.net> wrote:
>
> Hello,
>
> Just a little update, after implementing a jarsigner -verify after each sign
> operation and by retrying signatures when it fails, we could resolve the
> problem, when signing 50 jars one or two failed with NullPointer and worked
> after immediate retry.
>
> Regards
> Bernd
> --
> https://bernd.eckenfels.net