jar resources in jnlp are not signed by the same certificate

The following script lists the serial number of the RSA certificate in each jar in the /some/lib directory and helps to find jars that are signed by the wrong certificate:

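# bash: NUL-delimited file names, so paths containing spaces are handled
find /some/lib -type f -name '*.jar' -print0 |
while IFS= read -r -d '' f
do
   # Serial number of the first certificate in the jar's RSA signature block
   serial=$( unzip -p "$f" 'META-INF/*.RSA' |
             openssl pkcs7 -inform der -print -noout |
             grep --max-count=1 serialNumber | cut -d: -f2- | tr -d ' ' )
   printf "%40s: %s\n" "$serial" "$f"
done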

I've found that JNLP/Webstart does not like multiple signatures/signing via jarsigner.exe for a given JAR. If a JAR such as BouncyCastle (which comes presigned) is signed again with your company's certificate, visual inspection leads me to believe that the new certificate and signatures are performed properly in the JAR, but that JNLP may be reading only the first (alphabetical?) signature in the META-INF, and thereby complaining it doesn't match your other JARs (which have only one, corporate, signature on each JAR).
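
An added example, not part of the answers on this page: a Python audit that lists the signature block files in each jar's META-INF and flags jars that are unsigned, carry more than one signature, or are signed under a different name than the majority. The jar names and the CORP and VENDOR signer names are constructed sample data; the block base name is the alias chosen at signing time, so it is only a proxy for the certificate, and the serial number comparison from the script above remains the check of certificate identity.

```python
import io, re, sys, zipfile
from collections import Counter

# jarsigner writes one signature block per signer: META-INF/<NAME>.RSA|.DSA|.EC
SIG_BLOCK = re.compile(r"^META-INF/([^/]+)\.(RSA|DSA|EC)$", re.IGNORECASE)

def signers(jar):
    """Return sorted signature-block base names (signing alias, a proxy for the cert)."""
    with zipfile.ZipFile(jar) as zf:
        hits = (SIG_BLOCK.match(n) for n in zf.namelist())
        return sorted({m.group(1).upper() for m in hits if m})

def audit(jars):
    """Map jar name -> finding. `jars` maps a name to a path or file object."""
    found = {name: signers(src) for name, src in jars.items()}
    single = Counter(s[0] for s in found.values() if len(s) == 1)
    majority = single.most_common(1)[0][0] if single else None
    report = {}
    for name, s in found.items():
        if not s:
            report[name] = "unsigned"
        elif len(s) > 1:
            report[name] = "multiple signatures: " + ", ".join(s)
        elif s[0] != majority:
            report[name] = "different signer: " + s[0]
        else:
            report[name] = "ok"
    return report

def make_jar(*blocks):
    """Build an in-memory jar with empty META-INF entries (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in ("MANIFEST.MF",) + blocks:
            zf.writestr("META-INF/" + entry, b"")
    return buf

# Constructed sample set; CORP and VENDOR are hypothetical signer names.
SAMPLE = {
    "app.jar": make_jar("CORP.SF", "CORP.RSA"),
    "util.jar": make_jar("CORP.SF", "CORP.RSA"),
    "resigned.jar": make_jar("VENDOR.SF", "VENDOR.DSA", "CORP.SF", "CORP.RSA"),
    "vendor.jar": make_jar("VENDOR.SF", "VENDOR.DSA"),
    "plain.jar": make_jar(),
}

if __name__ == "__main__":
    for name, finding in audit({p: p for p in sys.argv[1:]} or SAMPLE).items():
        print(f"{finding:36s} {name}")
```

Run without arguments it reports on the constructed sample set; pass jar paths as arguments to audit real files.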


This may be a stale manifest entry from an already signed jar that you use as a library. I encountered this problem with jogl via webstart. Try this:

Unzip all jars, purge all META-INF directories, jar and sign them again.


When I had similar problems, after checking the jars it turned out that some 3rd party jar was signed by someone else.

You should create a separate jnlp file for the jars signed by the other certificate and read this jnlp from your jnlp file:

<resources>
  ...
  <extension name="other" href="other.jnlp"/>
</resources>

Here or here you can find an example.