IcedTea-Web
Issues with Sectigo code certificate, signed jars reporting as unverified
Trying to launch an applet signed via a YubiKey with all intermediary certs included; however, ITW is reporting these jars as unverified when trying to run. Have tried using OpenJDK version 11.0.16.1 and 8.0.382.5. Oracle JDK 8 works as expected using the same JNLP.

```
Jar found has been verified as UNSIGNED
App already has trusted publisher: false
netx: Initialization Error: Could not initialize application. (Fatal: Application Error: Cannot grant permissions to unsigned jars. Application requested security permissions, but jars are not signed.)
```
Running jarsigner -verify against the cached jar reports the jar as verified:
```
[entry was signed on 12/11/2023, 18:22]
>>> Signer
X.509, CN=Cypher Information Technology Ltd, O=Cypher Information Technology Ltd, ST=Hampshire, C=GB
[certificate is valid from 22/09/2023, 01:00 to 22/09/2025, 00:59]
X.509, CN=Sectigo Public Code Signing CA E36, O=Sectigo Limited, C=GB
[certificate is valid from 22/03/2021, 00:00 to 21/03/2036, 23:59]
X.509, CN=Sectigo Public Code Signing Root E46, O=Sectigo Limited, C=GB
[certificate is valid from 28/02/2023, 00:00 to 31/12/2028, 23:59]
X.509, CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB
[trusted certificate]
>>> TSA
X.509, CN="Sectigo RSA Time Stamping Signer #4", O=Sectigo Limited, ST=Manchester, C=GB
[certificate is valid from 03/05/2023, 01:00 to 03/08/2034, 00:59]
X.509, CN=Sectigo RSA Time Stamping CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
[certificate is valid from 02/05/2019, 01:00 to 18/01/2038, 23:59]
```

I suspect it's related to #871 and cross-signed certs are the underlying issue; adding certs to the client keystore isn't really a solution going forward.
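For triaging a report like the one above, the following added example (not part of the original report and not IcedTea-Web code) dumps each signer chain embedded in a jar and marks which certificates are self-issued and which are present in a given trust store, so a cross-signed "root" that sits mid-chain is easy to spot. The class name `SignerChainDump` and its three command-line arguments are assumptions made for this sketch.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Hypothetical diagnostic class (name and arguments are assumptions, not from the report).
// Usage: java SignerChainDump <signed.jar> <truststore> <truststore-password>
public class SignerChainDump {
    public static void main(String[] args) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            trust.load(in, args[2].toCharArray());
        }
        Set<CertPath> chains = new LinkedHashSet<>();
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(args[0], true)) { // true = verify signatures while reading
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* signers are only set once the entry is fully read */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) {
                    System.out.println("UNSIGNED entry: " + entry.getName());
                    continue;
                }
                for (CodeSigner s : signers) chains.add(s.getSignerCertPath());
            }
        }
        for (CertPath chain : chains) {
            System.out.println("Signer chain (leaf first):");
            for (Certificate c : chain.getCertificates()) {
                X509Certificate x = (X509Certificate) c;
                boolean selfIssued = x.getSubjectX500Principal().equals(x.getIssuerX500Principal());
                String alias = trust.getCertificateAlias(x); // null when this exact cert is not in the store
                System.out.println("  subject : " + x.getSubjectX500Principal().getName());
                System.out.println("  issuer  : " + x.getIssuerX500Principal().getName());
                System.out.println("  self-issued=" + selfIssued + " trust-store-alias=" + alias);
            }
        }
    }
}
```

Running it under each JDK against that JDK's own trust store shows whether the stores differ in which chain certificate they recognise.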