Hi all,
I know that the 1.2 version is at EOL, and you've probably been
asked this about a million times (although I can't find a mention doing a Jira
search: "Zarro Boogs found.")  Anyway, here's the scenario:

* Using some other Apache Commons libraries (Commons VFS, Commons Lang,
etc.) and some other 3rd party jars also, so I end up using
slf4j-log4j12-1.7.5.jar and then Log4J 1.2 (1.2.17 to be exact).

* This is an applet, so after Java 1.7.0_51 the applet has to be
signed.  No problem, buy a GoDaddy cert, sign all the .jars.

* Deploy the app and I'm still getting a security violation, and it
*seems* to be from Log4j-1.2.17.jar which shows this in the log:
cache: signed entry "org.apache.log4j" missing from jar http://..../log4j.jar
(renamed, but same file as log4j-1.2.17.jar)
cache: Create from verifier: JarSigningData{hasOnlySignedEntries=true,
hasSingleCodeSource=true, hasMissingSignedEntries=true}

* The original manifest of the unsigned jar shows this:
Manifest has 1 entries
---- Manifest entries for '..\lib\log4j-1.2.17.jar' ----
Attributes for "org.apache.log4j":
    Implementation-Title: log4j
    Implementation-Version: 1.2.17
    DynamicImport-Package: *
    Implementation-Vendor: "Apache Software Foundation"

* The signed jar shows this:
...
Attributes for "org/apache/log4j/net/SocketAppender.class":
    SHA-256-Digest: LxFYm4tW+Kv9eFGwLKiLhfNBAN9MsCR+LK0sf2nYqvA=
Attributes for "org.apache.log4j":
    Implementation-Title: log4j
    Implementation-Version: 1.2.17
    DynamicImport-Package: *
    Implementation-Vendor: "Apache Software Foundation"
Attributes for 
"org/apache/log4j/lf5/viewer/LogBrokerMonitor$LogBrokerMonitorWindowAdaptor.class":
    SHA-256-Digest: dhhD0bg0wh1M57GTaR48TXmWFyrCHPH79QFgq1a+rSw=
...

* Notice that this original manifest entry is not signed (no
SHA-256-Digest entry).

* But "jarsigner -verify" reports everything as correct.

So, since 1.2 is EOL, any suggestions as to how I can resolve this issue?  I 
suppose I can redo my logging bridges to use log4j-2.x, but does it have the 
same issue with the manifest entry?  Or am I barking up the wrong tree and this 
really isn't the source of my security errors in the applet (although all the 
other jars report:  cache: Create from verifier: 
JarSigningData{hasOnlySignedEntries=true, hasSingleCodeSource=true, 
hasMissingSignedEntries=false} except "log4j.jar").

Pardon if this should go to the users list, but I'm not subscribed there 
currently...

Thanks,
~Roger Whitcomb
Apache Pivot PMC Chair
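The plugin log above reports hasMissingSignedEntries=true for a named manifest section ("org.apache.log4j") that carries Implementation-* attributes but no digest, while jarsigner -verify is silent about it. Below is an added diagnostic, not part of Roger's message or of any Apache project, that checks a signed jar the way the log suggests the applet verifier does: every named manifest section is treated as something that must correspond to an entry in the jar and carry a SHA-256-Digest matching that entry's bytes, and every non-META-INF entry must have a section. The jar it inspects is constructed inline (the class bytes, the second "Name:" section copied from the log4j manifest shown above, and a deliberately stale digest are all made up for the example), so the script runs offline; point check_signed_jar at the bytes of a real jar to use it for triage.

```python
import base64
import hashlib
import io
import zipfile


def parse_manifest(text):
    """Parse JAR manifest text into (main_attrs, {section_name: attrs}).

    Sections are separated by blank lines; a line starting with a single
    space continues the previous attribute value (manifests wrap at 72 bytes).
    """
    sections, current, last_key = [], {}, None
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw == "":
            if current:
                sections.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed manifest line: {raw!r}")
        key, value = key.strip(), value.lstrip(" ")
        current[key] = value
        last_key = key
    if current:
        sections.append(current)
    main = {}
    if sections and "Name" not in sections[0]:
        main = sections.pop(0)
    named = {}
    for sec in sections:
        if "Name" not in sec:
            raise ValueError("per-entry section without a Name attribute")
        named[sec["Name"]] = {k: v for k, v in sec.items() if k != "Name"}
    return main, named


def sha256_digest_b64(data):
    """Digest encoding used by SHA-256-Digest manifest attributes."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def check_signed_jar(jar_bytes):
    """Return (name, problem) pairs for manifest sections that do not name a
    jar entry, lack a digest, or carry a digest that does not match the entry,
    plus jar entries (outside META-INF/) that have no manifest section."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
        contents = {n: zf.read(n) for n in zf.namelist() if not n.endswith("/")}
    _, sections = parse_manifest(manifest)
    findings = []
    for name, attrs in sections.items():
        digest = attrs.get("SHA-256-Digest")
        if name not in contents:
            findings.append((name, "not a jar entry"))
        elif digest is None:
            findings.append((name, "no digest attribute"))
        elif digest != sha256_digest_b64(contents[name]):
            findings.append((name, "digest mismatch"))
    for name in contents:
        if not name.startswith("META-INF/") and name not in sections:
            findings.append((name, "unsigned entry"))
    return findings


def build_sample_jar():
    """Constructed jar: fake class bytes, one correct digest, a package-style
    section with no digest (as in the log4j 1.2.17 manifest), one stale digest,
    and one entry with no section at all."""
    files = {
        "org/apache/log4j/net/SocketAppender.class": b"\xca\xfe\xba\xbe fake A",
        "org/apache/log4j/Logger.class": b"\xca\xfe\xba\xbe fake B",
        "org/apache/log4j/Level.class": b"\xca\xfe\xba\xbe fake C",
    }
    manifest = (
        "Manifest-Version: 1.0\n"
        "Created-By: constructed example\n"
        "\n"
        "Name: org/apache/log4j/net/SocketAppender.class\n"
        f"SHA-256-Digest: {sha256_digest_b64(files['org/apache/log4j/net/SocketAppender.class'])}\n"
        "\n"
        "Name: org.apache.log4j\n"
        "Implementation-Title: log4j\n"
        "Implementation-Version: 1.2.17\n"
        "DynamicImport-Package: *\n"
        'Implementation-Vendor: "Apache Software Fo\n undation"\n'  # wrapped value
        "\n"
        "Name: org/apache/log4j/Logger.class\n"
        "SHA-256-Digest: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n"  # constructed stale digest
        "\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    for name, problem in check_signed_jar(build_sample_jar()):
        print(f"{problem:18s} {name}")
```

On the constructed jar the "org.apache.log4j" section is flagged as "not a jar entry", which is the same condition the plugin's cache log describes; jarsigner does not complain about it because that section simply has no file to digest. A jar entry with no manifest section at all ("unsigned entry") is what would turn hasOnlySignedEntries false, and a stale digest is what a tampered or repacked class would produce.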
