jars signed using Java 7 have "invalid SHA1 signature"

Details

Type: Bug
Status: Open
Priority: Critical
Resolution: Unresolved
Affects Version/s: 1.2
Fix Version/s: None
Labels:
None
Environment:
Java 7, Maven 2.2.1

Number of attachments :
0

Description

Using the plugin with Java 6 works fine. When I use it with Java 7, my applet won't load because the SHA1 signatures are invalid.

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Christian Schulte added a comment - 17/Oct/11 3:20 AM

Signing with JDK 7 and verifying with JDK 5 and 6 works for me. Can you try unsigning the archives prior to signing (removeExistingSignatures parameter) ? What exactly is invalid about the signatures ?

Show

Christian Schulte added a comment - 17/Oct/11 3:20 AM Signing with JDK 7 and verifying with JDK 5 and 6 works for me. Can you try unsigning the archives prior to signing (removeExistingSignatures parameter) ? What exactly is invalid about the signatures ?

Hide

Permalink

Mike Calmus added a comment - 17/Oct/11 12:48 PM

The applet is giving the following error when it downloads one of these jars:

java.lang.SecurityException: invalid SHA1 signature file digest for org/apache/log4j/net/DefaultEvaluator.class
at sun.security.util.SignatureFileVerifier.verifySection(Unknown Source)
at sun.security.util.SignatureFileVerifier.processImpl(Unknown Source)
at sun.security.util.SignatureFileVerifier.process(Unknown Source)
at java.util.jar.JarVerifier.processEntry(Unknown Source)
at java.util.jar.JarVerifier.update(Unknown Source)
at java.util.jar.JarFile.initializeVerifier(Unknown Source)

I'm not exactly sure what pieces are required to make this happen. We have some jar files that are signed with our "production" certificate. In the development environment they are then also signed at build time with a test certificate. The ones signed using Java 6 work fine in this manner. Those signed with Java 7 give the error specified above. Three files are different between two jars signed in this way:

CODESIGN.DSA, CODESIGN.SF and MANIFEST.MF.

The most obvious difference is that the jar signed with Java 7 has SHA-256-Digest entries in addition to the SHA1 entries.

I can provide these jar files to someone to look at but would prefer not to upload.

Show

Mike Calmus added a comment - 17/Oct/11 12:48 PM The applet is giving the following error when it downloads one of these jars: java.lang.SecurityException: invalid SHA1 signature file digest for org/apache/log4j/net/DefaultEvaluator.class at sun.security.util.SignatureFileVerifier.verifySection(Unknown Source) at sun.security.util.SignatureFileVerifier.processImpl(Unknown Source) at sun.security.util.SignatureFileVerifier.process(Unknown Source) at java.util.jar.JarVerifier.processEntry(Unknown Source) at java.util.jar.JarVerifier.update(Unknown Source) at java.util.jar.JarFile.initializeVerifier(Unknown Source) I'm not exactly sure what pieces are required to make this happen. We have some jar files that are signed with our "production" certificate. In the development environment they are then also signed at build time with a test certificate. The ones signed using Java 6 work fine in this manner. Those signed with Java 7 give the error specified above. Three files are different between two jars signed in this way: CODESIGN.DSA, CODESIGN.SF and MANIFEST.MF. The most obvious difference is that the jar signed with Java 7 has SHA-256-Digest entries in addition to the SHA1 entries. I can provide these jar files to someone to look at but would prefer not to upload.

Hide

Permalink

Christian Schulte added a comment - 17/Oct/11 3:05 PM - edited

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6561126
http://hg.openjdk.java.net/jdk7/tl/jdk/rev/29b076bfeafd

I think you need to use '-digestalg SHA-1' with JDK 7 or '-digestalg SHA-256' with JDK 6 to make this work.

<configuration>
  <arguments>
    <argument>-digestalg</argument>
    <argument>${jarsigner.digestalg}</argument>
  </argument>
</configuration>

Show

Christian Schulte added a comment - 17/Oct/11 3:05 PM - edited http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6561126 http://hg.openjdk.java.net/jdk7/tl/jdk/rev/29b076bfeafd I think you need to use '-digestalg SHA-1' with JDK 7 or '-digestalg SHA-256' with JDK 6 to make this work. <configuration> <arguments> <argument> -digestalg </argument> <argument> ${jarsigner.digestalg} </argument> </argument> </configuration>

Hide

Permalink

Mike Calmus added a comment - 17/Oct/11 3:55 PM

That takes care of the issue. Some documentation within the plugin about default keysizes might be helpful.

Show

Mike Calmus added a comment - 17/Oct/11 3:55 PM That takes care of the issue. Some documentation within the plugin about default keysizes might be helpful.

People

Assignee:

Unassigned

Reporter:

Mike Calmus

Vote (2)

Watch (3)

Dates

Created:

05/Oct/11 10:30 AM

Updated:

17/Oct/11 3:55 PM