“Invalid signature file” when attempting to run a .jar
My java program is packaged in a jar file and makes use of an external jar library, bouncy castle. My code compiles fine, but running the jar leads to the following error:
-
Some of your dependencies are likely signed jarfiles. When you combine them all into one big jarfile, the corresponding signature files are still present, and no longer match the "big combined" jarfile, so the runtime halts thinking the jar file has been tampered with (which it...has so to speak).
Assuming you're using ant, you can solve the problem by eliminating the signature files from your jarfile dependencies. Unfortunately, it's not possible to do this in one step in ant.
However, I was able to get this working with Ant in two steps, without specifically naming each jarfile dependency, by using:
<target name="jar" depends="compile" description="Create one big jarfile."> <jar jarfile="${output.dir}/deps.jar"> <zipgroupfileset dir="jars"> <include name="**/*.jar" /> </zipgroupfileset> </jar> <sleep seconds="1" /> <jar jarfile="${output.dir}/myjar.jar" basedir="${classes.dir}"> <zipfileset src="${output.dir}/deps.jar" excludes="META-INF/*.SF" /> <manifest> <attribute name="Main-Class" value="com.mycompany.MyMain" /> </manifest> </jar> </target>The sleep element is supposed to prevent errors about files with modification dates in the future.
Other variations I found in the linked threads didn't work for me.
讨论(0) -
I had this problem when using IntelliJ IDEA 14.01.
I was able to fix it by:
File->Project Structure->Add New (Artifacts)->jar->From Modules With Dependencies on the Create Jar From Module Window:
Select you main class
JAR File from Libraries Select copy to the output directory and link via manifest
讨论(0) -
Security is already a tough topic, but I'm disappointed to see the most popular solution is to delete the security signatures. JCE requires these signatures. Maven shade explodes the BouncyCastle jar file which puts the signatures into META-INF, but the BouncyCastle signatures aren't valid for a new, uber-jar (only for the BC jar), and that's what causes the Invalid signature error in this thread.
Yes, excluding or deleting the signatures as suggested by @ruhsuzbaykus does indeed make the original error go away, but it can also lead to new, cryptic errors:
java.security.NoSuchAlgorithmException: PBEWithSHA256And256BitAES-CBC-BC SecretKeyFactory not availableBy explicitly specifying where to find the algorithm like this:
SecretKeyFactory.getInstance("PBEWithSHA256And256BitAES-CBC-BC","BC");I was able to get a different error:
java.security.NoSuchProviderException: JCE cannot authenticate the provider BCJCE can't authenticate the provider because we've deleted the cryptographic signatures by following the suggestion elsewhere in this same thread.
The solution I found was the executable packer plugin that uses a jar-in-jar approach to preserve the BouncyCastle signature in a single, executable jar.
UPDATE:
Another way to do this (the correct way?) is to use Maven Jar signer. This allows you to keep using Maven shade without getting security errors. HOWEVER, you must have a code signing certificate (Oracle suggests searching for "Java Code Signing Certificate"). The POM config looks like this:
<plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-shade-plugin</artifactId> <version>3.1.0</version> <executions> <execution> <phase>package</phase> <goals> <goal>shade</goal> </goals> <configuration> <filters> <filter> <artifact>org.bouncycastle:*</artifact> <excludes> <exclude>META-INF/*.SF</exclude> <exclude>META-INF/*.DSA</exclude> <exclude>META-INF/*.RSA</exclude> </excludes> </filter> </filters> <transformers> <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer"> <mainClass>your.class.here</mainClass> </transformer> </transformers> <shadedArtifactAttached>true</shadedArtifactAttached> </configuration> </execution> </executions> </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-jarsigner-plugin</artifactId> <version>1.4</version> <executions> <execution> <id>sign</id> <goals> <goal>sign</goal> </goals> </execution> <execution> <id>verify</id> <goals> <goal>verify</goal> </goals> </execution> </executions> <configuration> <keystore>/path/to/myKeystore</keystore> <alias>myfirstkey</alias> <storepass>111111</storepass> <keypass>111111</keypass> </configuration> </plugin>No, there's no way to get JCE to recognize a self-signed cert, so if you need to preserve the BouncyCastle certs, you have to either use the jar-in-jar plugin or get a JCE cert.
讨论(0) -
A strategy would consist in using ANT to simplify the removal of the signature from each Jar file. It would proceed with the following steps:
- Copying the MANIFEST.MF in a temporary file
- Removing the Name and SHA entries from the temporary file
- Creating a temporary Jar file with the temporary manifest
- Removing the temporary manifest
- Swapping the original Jar file with the temporary one
Here is an ANT macrodef doing the work:
<macrodef name="unsignjar" description="To unsign a specific Jar file"> <attribute name="jarfile" description="The jar file to unsign" /> <sequential> <!-- Copying to the temporary manifest file --> <copy toFile="@{jarFile}_MANIFEST.tmp"> <resources> <zipentry zipfile="@{jarFile}" name="META-INF/MANIFEST.MF"/> </resources> </copy> <!-- Removing the Name and SHA entries from the temporary file --> <replaceregexp file="@{jarFile}_MANIFEST.tmp" match="\nName:(.+?)\nSH" replace="SH" flags="gis" byline="false"/> <replaceregexp file="@{jarFile}_MANIFEST.tmp" match="SHA(.*)" replace="" flags="gis" byline="false"/> <!-- Creating a temporary Jar file with the temporary manifest --> <jar jarfile="@{jarFile}.tmp" manifest="@{jarFile}_MANIFEST.tmp"> <zipfileset src="@{jarFile}"> <include name="**"/> <exclude name="META-INF/*.SF"/> <exclude name="META-INF/*.DSA"/> <exclude name="META-INF/*.RSA"/> </zipfileset> </jar> <!-- Removing the temporary manifest --> <delete file="@{jarFile}_MANIFEST.tmp" /> <!-- Swapping the original Jar file with the temporary one --> <move file="@{jarFile}.tmp" tofile="@{jarFile}" overwrite="true" /> </sequential>`
The definition can then be called this way in an ANT task:
<target name="unsignJar"> <unsignjar jarFile="org.test.myjartounsign.jar" /> </target>讨论(0) -
For those who got this error when trying to create a shaded uber-jar with
maven-shade-plugin, the solution is to exclude manifest signature files by adding the following lines to the plugin configuration:<configuration> <filters> <filter> <artifact>*:*</artifact> <excludes> <exclude>META-INF/*.SF</exclude> <exclude>META-INF/*.DSA</exclude> <exclude>META-INF/*.RSA</exclude> </excludes> </filter> </filters> <!-- Additional configuration. --> </configuration>讨论(0) -
Assuming you build your jar file with ant, you can just instruct ant to leave out the META-INF dir. This is a simplified version of my ant target:
<jar destfile="app.jar" basedir="${classes.dir}"> <zipfileset excludes="META-INF/**/*" src="${lib.dir}/bcprov-jdk16-145.jar"></zipfileset> <manifest> <attribute name="Main-Class" value="app.Main"/> </manifest> </jar>讨论(0)
加载中...
- 热议问题