Maven Jar Signer Plugin
MJARSIGNER-21

jars signed using Java 7 have "invalid SHA1 signature"

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.2
    • Fix Version/s: 1.3
    • Labels: None
    • Environment: Java 7, Maven 2.2.1
    • Number of attachments: 0

      Description

      Using the plugin with Java 6 works fine. When I use it with Java 7, my applet won't load because the SHA1 signatures are invalid.

          Activity

          Christian Schulte added a comment -

          Signing with JDK 7 and verifying with JDK 5 and 6 works for me. Can you try unsigning the archives prior to signing (removeExistingSignatures parameter) ? What exactly is invalid about the signatures ?

          Mike Calmus added a comment -

          The applet is giving the following error when it downloads one of these jars:

          java.lang.SecurityException: invalid SHA1 signature file digest for org/apache/log4j/net/DefaultEvaluator.class
          at sun.security.util.SignatureFileVerifier.verifySection(Unknown Source)
          at sun.security.util.SignatureFileVerifier.processImpl(Unknown Source)
          at sun.security.util.SignatureFileVerifier.process(Unknown Source)
          at java.util.jar.JarVerifier.processEntry(Unknown Source)
          at java.util.jar.JarVerifier.update(Unknown Source)
          at java.util.jar.JarFile.initializeVerifier(Unknown Source)

          I'm not exactly sure what pieces are required to make this happen. We have some jar files that are signed with our "production" certificate. In the development environment they are then also signed at build time with a test certificate. The ones signed using Java 6 work fine in this manner. Those signed with Java 7 give the error specified above. Three files are different between two jars signed in this way:

          CODESIGN.DSA, CODESIGN.SF and MANIFEST.MF.

          The most obvious difference is that the jar signed with Java 7 has SHA-256-Digest entries in addition to the SHA1 entries.

          I can provide these jar files to someone to look at but would prefer not to upload.

          Christian Schulte added a comment - edited

          http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6561126
          http://hg.openjdk.java.net/jdk7/tl/jdk/rev/29b076bfeafd

          I think you need to use '-digestalg SHA-1' with JDK 7 or '-digestalg SHA-256' with JDK 6 to make this work.

          <configuration>
            <arguments>
              <argument>-digestalg</argument>
              <argument>${jarsigner.digestalg}</argument>
            </arguments>
          </configuration>
          
          Mike Calmus added a comment -

          That takes care of the issue. Some documentation within the plugin about default keysizes might be helpful.

          Tony Chemit added a comment - edited

          FMU, there is no need to specify the digest algo. Just cleaning the manifest while unsigning a jar before resigning it should be sufficient. See MSHARED-314.

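As an added illustration (not code from the plugin, from MSHARED-314, or from anyone in this thread), the following Python models the check behind the "invalid SHA1 signature file digest" error and the re-signing scenario discussed in the comments above: the per-entry digests in a .SF file are taken over the entry's MANIFEST.MF section, so a second signer that adds SHA-256-Digest lines to those sections leaves an earlier signer's SHA1 digests stale unless the manifest is cleaned first or the digest algorithm is pinned. It is a simplified model (LF line endings, no 72-byte wrapping, no signature block); entry names and contents are constructed.

```python
import base64, hashlib

# Digest attribute names as they appear in MANIFEST.MF / .SF files.
DIGEST_ALGS = {"SHA1-Digest": hashlib.sha1, "SHA-256-Digest": hashlib.sha256}

def b64digest(alg, data):
    return base64.b64encode(DIGEST_ALGS[alg](data).digest()).decode("ascii")

def parse_sections(text):
    """{entry name: (raw section bytes, attributes)} for each named section. Simplified:
    LF line endings, no 72-byte wrapping. Raw bytes include the terminating blank line."""
    result = {}
    for chunk in text.strip("\n").split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in chunk.split("\n") if ": " in line)
        if "Name" in attrs:
            result[attrs["Name"]] = ((chunk + "\n\n").encode("utf-8"), attrs)
    return result

def render(header, named):
    """Render a manifest-style file: a header line, then one section per entry."""
    lines = [header, ""]
    for name, attrs in named:
        lines += ["Name: " + name] + ["%s: %s" % kv for kv in attrs] + [""]
    return "\n".join(lines) + "\n"

def build_manifest(entries, algs):
    """MANIFEST.MF: per-entry digests of the entry's content bytes (constructed here)."""
    return render("Manifest-Version: 1.0",
                  [(n, [(a, b64digest(a, c)) for a in algs]) for n, c in entries.items()])

def build_sf(manifest, algs):
    """CODESIGN.SF: per-entry digests of the entry's manifest section, not its content."""
    return render("Signature-Version: 1.0", [(n, [(a, b64digest(a, raw)) for a in algs])
                                             for n, (raw, _) in parse_sections(manifest).items()])

def verify_sf(manifest, sf):
    """Mirror SignatureFileVerifier.verifySection: (entry, alg) pairs whose .SF digest is stale."""
    man = parse_sections(manifest)
    bad = []
    for name, (_, attrs) in parse_sections(sf).items():
        for alg in DIGEST_ALGS:
            if alg in attrs and (name not in man or attrs[alg] != b64digest(alg, man[name][0])):
                bad.append((name, alg))
    return bad

def simulate_resign(entries):
    """Thread scenario: sign with SHA-1 digests only, then let a second signer add
    SHA-256-Digest lines to the manifest sections while the first .SF is left untouched."""
    manifest_v1 = build_manifest(entries, ["SHA1-Digest"])
    sf_v1 = build_sf(manifest_v1, ["SHA1-Digest"])
    manifest_v2 = build_manifest(entries, ["SHA1-Digest", "SHA-256-Digest"])
    return verify_sf(manifest_v1, sf_v1), verify_sf(manifest_v2, sf_v1)  # ([], [(name, "SHA1-Digest")])
```

Pinning `-digestalg SHA-1` keeps the manifest sections byte-identical across both signers, and stripping the old signature and manifest digests before re-signing regenerates both files consistently; either way the second tuple element becomes empty.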
          Tony Chemit added a comment -

          Closed since MSHARED-314 fixes the problem.


            People

            • Assignee: Tony Chemit
            • Reporter: Mike Calmus
            • Votes: 2
            • Watchers: 4
