keytool "Keystore was tampered with, or password was incorrect" - Fix in CI
keytool could not open the keystore: either the store password is wrong/empty, or the keystore bytes are corrupt. In CI this almost always means the password secret is missing/mismatched, or the keystore was mangled when stored (e.g. base64 not decoded).
What this error means
A signing step fails with keytool error: java.io.IOException: keystore was tampered with, or password was incorrect, often from keytool -list or jarsigner. The keystore never opens.
keytool error: java.io.IOException: Keystore was tampered with, or password
was incorrect
Caused by: java.security.UnrecoverableKeyException: Password verification failedCommon causes
Wrong or empty store password
The -storepass value does not match the keystore, or the CI secret resolved to empty so an empty password was sent.
Corrupted keystore bytes
A keystore stored as base64 in a secret was committed/checked out without decoding, or got line-ending mangling, so the file is not a valid store.
Wrong keystore type
A PKCS12 store opened as JKS (or vice versa) fails verification.
How to fix it
Pass the password from a verified secret
Read the store password from CI secrets and confirm it is non-empty.
keytool -list -keystore release.jks \
-storepass "$KEYSTORE_PASSWORD" # secret must resolve, not be emptyDecode the keystore correctly
If the keystore is stored base64-encoded, decode it to a binary file before use.
echo "$KEYSTORE_BASE64" | base64 -d > release.jks
file release.jks # should report 'Java KeyStore' / 'data', not ASCII textMatch the keystore type
Specify the correct -storetype for the file.
keytool -list -keystore release.p12 -storetype PKCS12 -storepass "$KEYSTORE_PASSWORD"How to prevent it
- Store keystores base64-encoded in secrets and decode at runtime.
- Source the store password from a secret and verify it is non-empty before signing.
- Pin the correct
-storetype(PKCS12 vs JKS) for the keystore.