[jira] Commented: (MJARSIGNER-21) jars signed using Java 7 have "invalid SHA1 signature"

Mon, 17 Oct 2011 10:50:37 -0700 

    [ 
https://jira.codehaus.org/browse/MJARSIGNER-21?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=281450#comment-281450
 ] 

Mike Calmus commented on MJARSIGNER-21:
---------------------------------------

The applet is giving the following error when it downloads one of these jars:

java.lang.SecurityException: invalid SHA1 signature file digest for 
org/apache/log4j/net/DefaultEvaluator.class
        at sun.security.util.SignatureFileVerifier.verifySection(Unknown Source)
        at sun.security.util.SignatureFileVerifier.processImpl(Unknown Source)
        at sun.security.util.SignatureFileVerifier.process(Unknown Source)
        at java.util.jar.JarVerifier.processEntry(Unknown Source)
        at java.util.jar.JarVerifier.update(Unknown Source)
        at java.util.jar.JarFile.initializeVerifier(Unknown Source)

I'm not exactly sure what pieces are required to make this happen. We have some 
jar files that are signed with our "production" certificate. In the development 
environment they are then also signed at build time with a test certificate. 
The ones signed using Java 6 work fine in this manner. Those signed with Java 7 
give the error specified above. Three files are different between two jars 
signed in this way:

CODESIGN.DSA, CODESIGN.SF and MANIFEST.MF.

The most obvious difference is that the jar signed with Java 7 has 
SHA-256-Digest entries in addition to the SHA1 entries.

I can provide these jar files to someone to look at but would prefer not to 
upload.

> jars signed using Java 7 have "invalid SHA1 signature"
> ------------------------------------------------------
>
>                 Key: MJARSIGNER-21
>                 URL: https://jira.codehaus.org/browse/MJARSIGNER-21
>             Project: Maven 2.x Jar Signer Plugin
>          Issue Type: Bug
>    Affects Versions: 1.2
>         Environment: Java 7, Maven 2.2.1
>            Reporter: Mike Calmus
>            Priority: Critical
>
> Using the plugin with Java 6 works fine. When I use it with Java 7, my applet 
> won't load because the SHA1 signatures are invalid.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to