Java CertPathValidatorException on GrapheneOS

Digitalia

I’m running a new Pixel device with the newly updated GrapheneOS (GOS) and have encountered two distinct issues that are causing significant frustration.

Critical Error: Trust Anchor Not Found I am receiving the following exception repeatedly: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found

I have already tried deleting and reinstalling the affected app, but the error persists. This seems to be a certificate chain validation issue. Does anyone have experience resolving this on a clean GOS install without sandboxed Google Play Services?

App Compatibility & Ecosystem Limitations While GOS works perfectly for private communication (Signal, Email, and browsing via Vanadium are stable), many mainstream apps are refusing to function without Google Play Services.

X (Twitter): Completely unresponsive without GMS.
Other Social Media: Similar resistance to working in the GOS environment.
Aurora Store: Refusing to open

I would like to set up a functional "Social" profile, but the lack of support for these apps in a non-GMS environment is making it impossible. I have a complete lack of trust in Google and will not be using sandboxed Google services.

Has anyone successfully run these specific apps on GOS without GMS? Or are there specific workarounds (like microG, though I understand the trade-offs) or alternative clients you would recommend?

Any advice on fixing the certificate error or navigating this ecosystem would be greatly appreciated.

Thanks!

de0u

Digitalia Critical Error: Trust Anchor Not Found I am receiving the following exception repeatedly: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found

I have already tried deleting and reinstalling the affected app, but the error persists.

Which app?

Were any system CAs manually disabled in Settings, Security & privacy, More security & privacy, Encryption & credentials, Trusted credentials? They should all be enabled unless you are an X.509 expert.

Are the date & time accurate on the device?

Digitalia

de0u thank you. What’s your recommendation? I think I did take some additional privacy measures in the setting… I am not sure which specifically. Should I just reset to the GOS “out of the box” settings? If so, what should all apps have access to sensors? Is that really needed for a particular functionality?
Thank you again for your help

r134a

Digitalia I think the current recommendation, to potentionally help u troubleshoot this issue, is to actually answer the 3 questions first.

Digitalia

r134a

I'm relatively new to both Pixel devices and Graphene OS, and I've been learning the system through experimentation. In my effort to strengthen privacy, I made several changes to my settings and I'm now wondering if I may have gone too far.

Changes I've Made:

Profile Privacy Settings – I tightened the privacy settings on my owner profile.
Sensor Access – I revoked sensor access for all apps except Proton VPN. I give Proton VPN full access because I trust it to operate as designed, and it's never failed me. My question: Why would most apps need obligatory access to sensors? I don't need apps requiring location to function on my device right now.
Time Access – I modified time access to network-based only, so the time isn't as accurate. I don't mind this since I don't use the device as a watch, but I honestly didn't realize this could potentially affect apps or Graphene OS functionality.
My Concern:

Since I'm still learning, I'm worried I may have inadvertently broken something while pursuing greater privacy. Should I reset everything to the original settings, or are my current configurations reasonable?

Apps that are not working at all are Aurora and X.

Any guidance from experienced users would be greatly appreciated!

de0u

Digitalia I'm relatively new to both Pixel devices and Graphene OS, and I've been learning the system through experimentation.

Learning purely by experimentation can be done, but it is likely to be more laborious than a mixture of consulting reference materials plus experimentation. For example:

Digitalia My question: Why would most apps need obligatory access to sensors?

That's not what's happening. Documentation is here: https://grapheneos.org/features#sensors-permission-toggle

Digitalia Time Access – I modified time access to network-based only, so the time isn't as accurate. I don't mind this since I don't use the device as a watch, but I honestly didn't realize this could potentially affect apps or Graphene OS functionality.

It's not clear to me exactly which changes were made, but in modern systems knowing accurate time is a security matter.

Digitalia In my effort to strengthen privacy, I made several changes to my settings and I'm now wondering if I may have gone too far.

Certificate-chain issues for widely-used apps are quite unexpected. The most-common causes are disabling CAs and incorrect system date and time.

Digitalia I'm worried I may have inadvertently broken something while pursuing greater privacy.

I think that's possible, especially if a lot of changes were made in a short period of time without a detailed list of the changes being recorded.

Digitalia Should I reset everything to the original settings, or are my current configurations reasonable?

People here are generally reluctant to recommend a full reset, because it can take a lot of work to back up data first and restore afterward. But if many unknown changes were made it might be a good idea.

Digitalia

de0u It's not clear to me exactly which changes were made, but in modern systems knowing accurate time is a security matter.

This is new to me, I’ve never had any problem with disconnecting my devices’ clock to the network before, never had a performance issue with that on IOS… why would it be a security issue. I am not challenge you, just want to learn.

Digitalia

de0u People here are generally reluctant to recommend a full reset, because it can take a lot of work to back up data first and restore afterward. But if many unknown changes were made it might be a good idea

I was thinking about a settings reset in that profile, not full GOS re-installation, however I would do that if needed, I’ve had it for 2 weeks, so there is no data to backup.

However, believe it or not, just a few minutes ago I was able to open Aurora and login anonymously… I didn’t change anything, I connected perfectly, didn’t get the CertPathValidation message any more… Don’t ask me why… I was worried the new GOS version had a glitch, since the problem occurred after the new release was installed.

I have to try X, and check if it works now, need to download it. The problem there was that it did not cooperate to load or register my account since it wasn’t connected to the Google Services…

Thanks for your feedback. I really want to bring things to a point where I fully utilize my new device as I see other users are. 😋

de0u

Digitalia I’ve never had any problem with disconnecting my devices’ clock to the network before, never had a performance issue with that on IOS…

Security problems and performance problems are not the same thing.

Digitalia Why would it be a security issue?

TLS certificates have validity date/time ranges, so if a device's date is wrong then certificate-based functions (including visiting web sites) may fail. Two-factor authentication using TOTP mixes time into the protocol, so if the time is wrong authentication may fail. If an adversary can control a device's notion of time then it may be possible to hijack TOTP codes to use later. Since most devices have essentially the same time, any device with the wrong time stands out and can be fingerprinted.

All in all, GrapheneOS ships with settings chosen by the developers, who are focused on security and privacy. Installing GrapheneOS and then changing settings that affect the operation of the system is more likely to add exposure than to reduce exposure, unless a clear specific rationale is in place for why the default setting is problematic and how the change will improve something. Arguably this would best be pursuant to a written threat model.

Digitalia

de0u thanks you for your responsiveness I appreciate your will to help.

I am on X now, app working properly, downloaded from Aurora. Only gave network permission access. Let’s see how it goes.

I did change my clock, it’s now synch with internet to avoid problems. I do set it in a different time zone though, just as an additional privacy measure.

Thanks again