Valid Jar Signature for Javafx Projects

Valid JAR signature for JavaFX projects

I had a very similar problem when I included a signed JAR (bouncycastle) in the project. Its signature was repackaged verbatim, resulting in an obvious SecurityException:

java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

Filtering of all sorts failed; the solution that works for me looks like this in the pom.xml:

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-dependency-plugin</artifactId>
    <version>2.8</version>
    <executions>
        <execution>
            <id>unpack-dependencies</id>
            <phase>package</phase>
            <goals>
                <goal>unpack-dependencies</goal>
            </goals>
            <configuration>
                <excludes>META-INF/*.SF,META-INF/*.DSA,META-INF/*.RSA</excludes>
                ...
            </configuration>
        </execution>
    </executions>
</plugin>

I omitted some lines after the new one with the "excludes" pattern.
This single line was the solution for me - I include the other lines so you can see the placement. (I had trouble with many other postings which omitted the context of a tag, so I try to save others this trouble).

Hope that helps others with the same problem.

Invalid signature file digest for Manifest main attributes exception while trying to run jar file

Some of your dependency JARs are signed JARs, so when you combine them all in one JAR and run that JAR, the signature of the signed JAR doesn't match up, and hence you get the security exception about signature mismatch.

To fix this, you first need to identify which dependency JARs are signed JARs and then exclude them. Depending on whether you are using Maven or Ant, you have to use the appropriate solution. Examples are below, but you can read more here, here and here.

Maven:

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-dependency-plugin</artifactId>
    <version>2.6</version>
    <executions>
        <execution>
            <id>unpack-dependencies</id>
            <phase>package</phase>
            <goals>
                <goal>unpack-dependencies</goal>
            </goals>
            <configuration>
                <excludeScope>system</excludeScope>
                <excludes>META-INF/*.SF,META-INF/*.DSA,META-INF/*.RSA</excludes>
                <excludeGroupIds>junit,org.mockito,org.hamcrest</excludeGroupIds>
                <outputDirectory>${project.build.directory}/classes</outputDirectory>
            </configuration>
        </execution>
    </executions>
</plugin>

ANT:

<jar destfile="app.jar" basedir="${classes.dir}">
    <zipfileset excludes="META-INF/**/*" src="${lib.dir}/bcprov-jdk16-145.jar"></zipfileset>
    <manifest>
        <attribute name="Main-Class" value="app.Main"/>
    </manifest>
</jar>

Update based on OP's comment:

"sqljdbc4.jar" was the signed JAR in OP's external libraries. So, following the above approach to systematically exclude the signature-related files like .SF, .RSA or .DES or other algorithm files is the right way to move forward.

If these signature files are not excluded, then a security exception will occur because of the signature mismatch.

How to know if a JAR is signed or not?: If a JAR contains files like .SF, .RSA or .DES or other algorithm files, then it is a signed JAR. Or run jarsigner -verify jarname.jar and see if it outputs "verified".
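
The check described in the answers above can be scripted as a build step. The following is an added example, not code from any of the answers: it lists the signature-related entries of a JAR and simulates repackaging a signed dependency with and without them. The sample JAR, the VENDOR.* names and the function names are constructed for illustration, and the pattern goes slightly beyond the page's excludes by also matching *.EC and SIG-* entries.

```python
import io
import re
import zipfile

# Signature-related entries sit directly in META-INF/ (names are case-insensitive):
# *.SF signature files, *.DSA / *.RSA / *.EC signature blocks, and SIG-* files.
SIG_ENTRY = re.compile(r"^META-INF/([^/]+\.(SF|DSA|RSA|EC)|SIG-[^/]*)$", re.IGNORECASE)


def signature_entries(jar):
    """Return the signature-related entry names in a JAR (path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        return sorted(n for n in zf.namelist() if SIG_ENTRY.match(n))


def repackage(dep_jar, manifest, strip_signatures):
    """Simulate an uber-JAR build: copy the dependency's entries under a new manifest."""
    out = io.BytesIO()
    with zipfile.ZipFile(dep_jar) as src, zipfile.ZipFile(out, "w") as dst:
        dst.writestr("META-INF/MANIFEST.MF", manifest)
        for name in src.namelist():
            if name.upper() == "META-INF/MANIFEST.MF":
                continue  # the application manifest replaces the dependency's
            if strip_signatures and SIG_ENTRY.match(name):
                continue  # same effect as the <excludes> pattern on the page
            dst.writestr(name, src.read(name))
    return out


def constructed_signed_jar():
    """Constructed sample: a JAR laid out like a signed one (contents are dummies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("META-INF/VENDOR.SF", "Signature-Version: 1.0\r\n\r\n")
        zf.writestr("META-INF/VENDOR.RSA", b"\x30\x00")
        zf.writestr("META-INF/services/java.sql.Driver", "vendor.Driver\n")
        zf.writestr("vendor/Driver.class", b"\xca\xfe\xba\xbe")
    return buf


if __name__ == "__main__":
    app_manifest = "Manifest-Version: 1.0\r\nMain-Class: app.Main\r\n\r\n"
    dep = constructed_signed_jar()
    print("dependency:", signature_entries(dep))
    # Stale .SF/.RSA next to a different manifest is the state the JVM rejects.
    print("verbatim:  ", signature_entries(repackage(dep, app_manifest, False)))
    print("stripped:  ", signature_entries(repackage(dep, app_manifest, True)))
```

The narrow pattern keeps other META-INF content such as META-INF/services entries, which a blanket META-INF/**/* exclude would also drop.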

Invalid signature file when attempting to run a .jar

The solution listed here might provide a pointer.

Invalid signature file digest for Manifest main attributes

Bottom line:

It's probably best to keep the official jar as is and just add it as a dependency in the manifest file for your application jar file.

How to get Source jar files for JavaFX classes?

JDK8 ships with javafx-src.zip in its root directory.

For more detail see the related answer to JavaFX source code not showing.

I don't use Eclipse, but I'm guessing if you use Java 8 with a recent version of e(fx)clipse, it will include simple keystroke navigation to JavaFX docs and sources from within the editor. If not, you could add a feature request for this against the e(fx)clipse project and in the meantime configure your JavaFX Eclipse projects manually to be aware of JavaFX docs and source (like you can currently do in Idea).

Invalid signature file digest for Manifest main attributes w/ Jetty and Maven Shade Plugin

Looks like this is a bug in Jetty:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=371954

From the above bug report:

There is an issue with javax.servlet-2.5.0.v201103041518.jar packaging on which jetty-7.6.1.v20120215 depends: in the META-INF directory of the javax.servlet jar are found files ECLIPSEF.RSA and ECLIPSEF.SF.

If you generate a jar with maven that uses jetty, you get those 2 files in the META-INF directory of the final jar, and if you run it you get an Exception:

java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

The fix is to exclude the 2 offending files from the generated jars.

The unwanted files can be excluded with the maven-shade-plugin adding to a POM:

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-shade-plugin</artifactId>
    <version>1.4</version>
    <executions>
        <execution>
            <goals>
                <goal>shade</goal>
            </goals>
            <configuration>
                <filters>
                    <filter>
                        <artifact>org.eclipse.jetty.orbit:javax.servlet</artifact>
                        <excludes>
                            <exclude>META-INF/ECLIPSEF.RSA</exclude>
                            <exclude>META-INF/ECLIPSEF.SF</exclude>
                            <exclude>META-INF/eclipse.inf</exclude>
                        </excludes>
                    </filter>
                </filters>
            </configuration>
        </execution>
    </executions>
</plugin>

Adding the:

<filters>
    <filter>
        <artifact>org.eclipse.jetty.orbit:javax.servlet</artifact>
        <excludes>
            <exclude>META-INF/ECLIPSEF.RSA</exclude>
            <exclude>META-INF/ECLIPSEF.SF</exclude>
            <exclude>META-INF/eclipse.inf</exclude>
        </excludes>
    </filter>
</filters>

... to our pom.xml worked for us.


