AFAIU, signing using SHA1 will not cause any harm.

@Sameera, any thoughts on this?

On Mon, Mar 9, 2015 at 12:56 PM, Rasika Perera <rasi...@wso2.com> wrote:

> Hi Aruna & All,
>
> Even though "-digestalg SHA1" solves (or works as a workaround), I am not
> clear about the jarsigner's verification behaviour.
>
>    1. Suppose we are signing a JAR with SHA1 then signing SHA256 with the
>    *same* *key* / alias verification *never fails*.
>    2. Signing a JAR with SHA1 then signing SHA256 with *different* *keys*
>    / alias *broke* the verification.
>    3. Signing a JAR with SHA1 then again SHA1 with *same/different* *keys*
>    / alias *never fails* (this is what we did to solve the issue).
>
> This is also reported in stackoverflow[1].
>
> And according to the Java doc[2], it says it is also possible for a JAR
> file to have mixed signatures.
>
> Any thoughts on it?
>
> [1]
> http://stackoverflow.com/questions/12614139/what-prevents-java-from-verifying-signed-jars-with-multiple-signature-algorithms
>
> [2]
> http://docs.oracle.com/javase/7/docs/technotes/tools/windows/jarsigner.html#sthref18
>
>
>
> On Sat, Mar 7, 2015 at 11:02 PM, Aruna Karunarathna <ar...@wso2.com>
> wrote:
>
>> Hi all,
>>
>> This was resolved by adding the following argument to the jarsigner
>> command.
>>
>> *-digestalg SHA1*
>>
>> This was suggested by Rasika, thanks for the suggestion.
>>
>> Further found that the two default jarsigner algorithms for JDK6 and JDK8
>> differ.
>>
>> Regards,
>> Aruna
>>
>> On Sat, Mar 7, 2015 at 3:34 PM, Aruna Karunarathna <ar...@wso2.com>
>> wrote:
>>
>>> Hi all,
>>>
>>> When the security manager is enabled for products (which are built using Java 8
>>> and signed using Java 8), the following exception is thrown at server start-up.
>>>
>>> JAVA_HOME environment variable is set to
>>> /home/aruna/software/java/jdk1.8.0_20
>>> CARBON_HOME environment variable is set to
>>> /home/aruna/Downloads/signed_wso2as-6.0.0-SNAPSHOT
>>> java.lang.reflect.InvocationTargetException
>>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> at java.lang.reflect.Method.invoke(Method.java:483)
>>> at org.wso2.carbon.bootstrap.Bootstrap.loadClass(Bootstrap.java:63)
>>> at org.wso2.carbon.bootstrap.Bootstrap.main(Bootstrap.java:45)
>>> Caused by: java.lang.RuntimeException: invalid SHA1 signature file digest for org/eclipse/osgi/internal/module/MappedList.class
>>> at org.wso2.carbon.server.CarbonLauncher.launch(CarbonLauncher.java:117)
>>> at org.wso2.carbon.server.Main.launchCarbon(Main.java:162)
>>> at org.wso2.carbon.server.Main.main(Main.java:96)
>>> ... 6 more
>>>
>>>
>>> Further I've noticed that, org.eclipse.osgi_3.9.1.v20130814-1242.jar is
>>> already signed.
>>> *aruna@aruna:~$ jarsigner -verify unsigned_wso2as-6.0.0-SNAPSHOT/repository/components/plugins/org.eclipse.osgi_3.9.1.v20130814-1242.jar*
>>> *jar verified.*
>>>
>>>
>>> After signing the pack, sign verification throws the following exception.
>>>
>>> *aruna@aruna:~$ jarsigner -verify signed_wso2as-6.0.0-SNAPSHOT/repository/components/plugins/org.eclipse.osgi_3.9.1.v20130814-1242.jar*
>>> *jarsigner: java.lang.SecurityException: invalid SHA1 signature file digest for org/eclipse/osgi/internal/module/MappedList.class*
>>>
>>> However the packs are starting when signed from JDK6 and run in JDK8.
>>>
>>> So how to proceed with this issue? Highly appreciate your thoughts.
>>>
>>> [1]. https://wso2.org/jira/browse/CARBON-14877
>>>
>>> Regards,
>>> Aruna
>>> --
>>>
>>> *Aruna Sujith Karunarathna* | Software Engineer
>>> WSO2, Inc | lean. enterprise. middleware.
>>> #20, Palm Grove, Colombo 03, Sri Lanka
>>> Mobile: +94 71 9040362 | Work: +94 112145345
>>> Email: ar...@wso2.com | Web: www.wso2.com
>>>
>>>
>
>
>
> --
> With Regards,
>
> *Rasika Perera*
> Software Engineer
> M: +94 71 680 9060 E: rasi...@wso2.com
> LinkedIn: http://lk.linkedin.com/in/rasika90
>
> WSO2 Inc. www.wso2.com
> lean.enterprise.middleware
>



-- 

*Aruna Sujith Karunarathna* | Software Engineer
WSO2, Inc | lean. enterprise. middleware.
#20, Palm Grove, Colombo 03, Sri Lanka
Mobile: +94 71 9040362 | Work: +94 112145345
Email: ar...@wso2.com | Web: www.wso2.com
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
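
A sketch of the check behind the `invalid SHA1 signature file digest` error discussed in this thread, added here as an illustration (not code from the thread, WSO2 or jarsigner). It assumes, per the JAR file specification, that each `<alg>-Digest` value in a `.SF` file is the digest of the matching per-entry section of `MANIFEST.MF`; the sample JAR, the `OLD`/`NEW` signer names and the simulated re-signing step are constructed.

```python
import base64, hashlib, io, re, zipfile

ALGS = {"SHA1": "sha1", "SHA-256": "sha256"}  # attribute prefix -> hashlib name

def parse(raw):
    """Split manifest-style bytes into (attributes, raw section bytes) pairs."""
    out = []
    for block in re.findall(rb"(?s).+?(?:\r?\n){2}|.+$", raw):
        text = re.sub(rb"\r?\n ", b"", block).decode()  # unfold continuation lines
        out.append((dict(l.split(": ", 1) for l in text.splitlines() if ": " in l), block))
    return out

def b64(alg, data):
    return base64.b64encode(hashlib.new(alg, data).digest()).decode()

def stale_sf_entries(jar_bytes):
    """Return (sf_file, entry, alg) where the .SF digest no longer matches the manifest."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = {a["Name"]: blk
                    for a, blk in parse(jar.read("META-INF/MANIFEST.MF")) if "Name" in a}
        for sf in (n for n in jar.namelist() if re.fullmatch(r"META-INF/[^/]+\.SF", n)):
            for attrs, _ in parse(jar.read(sf)):
                for key, value in attrs.items():
                    alg = key[:-len("-Digest")]
                    if "Name" not in attrs or not key.endswith("-Digest") or alg not in ALGS:
                        continue
                    section = manifest.get(attrs["Name"], b"")
                    if b64(ALGS[alg], section) != value:
                        bad.append((sf, attrs["Name"], alg))
    return bad

def build_sample(resigned):
    """Constructed JAR: A.class signed by OLD with SHA1, optionally re-signed by NEW."""
    cls = b"constructed class bytes"
    entry = "Name: A.class\r\nSHA1-Digest: %s\r\n" % b64("sha1", cls)
    sf = "Signature-Version: 1.0\r\n\r\nName: A.class\r\n%s-Digest: %s\r\n\r\n"
    files = {"META-INF/OLD.SF": sf % ("SHA1", b64("sha1", (entry + "\r\n").encode()))}
    if resigned:  # assumption: the second signer adds its digest to the manifest entry
        entry += "SHA-256-Digest: %s\r\n" % b64("sha256", cls)
        files["META-INF/NEW.SF"] = sf % ("SHA-256", b64("sha256", (entry + "\r\n").encode()))
    files["META-INF/MANIFEST.MF"] = "Manifest-Version: 1.0\r\n\r\n" + entry + "\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("A.class", cls)
        for name, text in files.items():
            jar.writestr(name, text)
    return buf.getvalue()

if __name__ == "__main__":
    print(stale_sf_entries(build_sample(False)), stale_sf_entries(build_sample(True)))
```

Running `stale_sf_entries` over a real JAR's bytes before and after re-signing shows which earlier signer's `.SF` file was left pointing at manifest sections that have since changed.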
