Maven JIB returns "CertPathValidatorException: signature check failed" inside arm32v7/adoptopenjdk docker container

Question

I am using my raspberry pi 4 with Docker installed. I am trying to create a build container for my Java projects and let the build container create Docker images using Maven JIB . When I try this in an arm32v7/adoptopenjdk:13.0.1_9-jdk-hotspot-bionic container, JIB gives the following error:

[ERROR] I/O error for image [registry-1.docker.io/arm32v7/adoptopenjdk]:
[ERROR]     PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed

When I try the same setup in an Ubuntu virtual machine on my laptop, with Docker installed and with an openjdk:13-jdk container, it succeeds.

I am trying to build a simple spring initialzr java project with JIB as a build plugin. The build tag in my pom.xml looks like the following:

pom.xml

<build>
  <finalName>thaveke-backend</finalName>
  <plugins>
    <plugin>
      <groupId>com.google.cloud.tools</groupId>
      <artifactId>jib-maven-plugin</artifactId>
      <version>1.8.0</version>
      <configuration>
        <from>
          <image>arm32v7/adoptopenjdk:13.0.1_9-jdk-hotspot-bionic</image>
        </from>
        <to>
          <image>backend</image>
        </to>
      </configuration>
      <executions>
        <execution>
          <phase>package</phase>
          <goals>
            <goal>dockerBuild</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>

Because of the PKIX error I immediately thought of an outdated cacerts so I copied the cacerts file from the openjdk:13-jdk container where it did work, to the arm32v7/adoptopenjdk:13.0.1_9-jdk-hotspot-bionic container and ran the maven command but still received the same error.

If you have a raspberry pi 4 with Debian Buster OS, this error is reproducable using the following steps:

1. Install docker using following commmand: curl https://get.docker.com | sh curl https://get.docker.com | sh
2. Create a simple spring initialzr project and unpack it on the raspberry pi. update the build tag in the pom.xml file to look like mine above. In my case the unpacked updated code is under /opt/app.
3. Run a docker container and go into a bash terminal using following command: docker run --rm -it -v /opt/app:/opt/app -v /var/run/ docker.sock:/var/run/docker.sock -v $(which docker):$(which docker) arm32v7/adoptope njdk:13.0.1_9-jdk-hotspot-bionic bash
4. When inside the docker container, change directory to /opt/app: cd /opt/app
5. Run maven command to compile and build docker image: ./mvnw clean package -DskipTests

I am not sure if this is a JIB error, an AdoptOpenJDK error or am I just overlooking something?

Kind regards

Answer 1

I ran into something very similar with running adoptopenjdk on the raspberry pi inside a jib docker image. this issue seemed somewhat related. I ended up using a different jdk from bellsoft . I was using the gradle jib instead of the maven plugin but it should work the same. Good luck.

from {
  // https://github.com/GoogleContainerTools/jib/issues/2148
  image = "bellsoft/liberica-openjdk-alpine@sha256:91a5cede9b201c98ef6fc13aff270f58f07bee86ed9f508e22c7a883bfef2679"
}