Invalid signature file when attempting to run a jar

Question

My java program is packaged in a jar file and makes use of an external jar library  bouncy castle  My code compiles fine  but running the jar leads to the following error   Exception in thread  main  java lang SecurityException  Invalid signature file digest for Manifest main attributes  I ve googled for over an hour searching for an explanation and found very little of value  If anyone has seen this error before and could offer some help  I would be obliged

User · Answer

Compare the folder META-INF in new jar with old jar  before you added new libraries   It is possibility that there will be new files  If yes  you can remove them  It should helps  Regards  999michal

User · Answer

I had the same issue in gradle when creating a fat Jar  updating the build gradle file with an exclude line corrected the issue   jar       from           configurations compile collect               it isDirectory     it   zipTree it                      exclude  META-INF   RSA    META-INF   SF   META-INF   DSA      manifest           attributes  Main-Class    com test Main

User · Answer

Assuming you build your jar file with ant  you can just instruct ant to leave out the META-INF dir  This is a simplified version of my ant target    lt jar destfile  app jar  basedir    classes dir   gt       lt zipfileset excludes  META-INF       src    lib dir  bcprov-jdk16-145 jar  gt  lt  zipfileset gt       lt manifest gt           lt attribute name  Main-Class  value  app Main   gt       lt  manifest gt   lt  jar gt

User · Answer

A strategy would consist in using ANT to simplify the removal of the signature from each Jar file  It would proceed with the following steps    Copying the MANIFEST MF in a temporary file  Removing the Name and SHA entries from the temporary file Creating a temporary Jar file with the temporary manifest Removing the temporary manifest Swapping the original Jar file with the temporary one   Here is an ANT macrodef doing the work    lt macrodef name  unsignjar  description  To unsign a specific Jar file  gt       lt attribute name  jarfile           description  The jar file to unsign    gt       lt sequential gt   lt  -- Copying to the temporary manifest file -- gt           lt copy toFile    jarFile  MANIFEST tmp  gt               lt resources gt                   lt zipentry zipfile    jarFile   name  META-INF MANIFEST MF   gt               lt  resources gt           lt  copy gt   lt  -- Removing the Name and SHA entries from the temporary file -- gt           lt replaceregexp file    jarFile  MANIFEST tmp  match   nName       nSH  replace  SH  flags  gis  byline  false   gt           lt replaceregexp file    jarFile  MANIFEST tmp  match  SHA      replace    flags  gis  byline  false   gt   lt  -- Creating a temporary Jar file with the temporary manifest -- gt           lt jar jarfile    jarFile  tmp              manifest    jarFile  MANIFEST tmp  gt               lt zipfileset src    jarFile   gt                   lt include name       gt                   lt exclude name  META-INF   SF   gt                   lt exclude name  META-INF   DSA   gt                   lt exclude name  META-INF   RSA   gt               lt  zipfileset gt           lt  jar gt   lt  -- Removing the temporary manifest -- gt           lt delete file    jarFile  MANIFEST tmp    gt   lt  -- Swapping the original Jar file with the temporary one -- gt           lt move file    jarFile  tmp                tofile    jarFile                 overwrite  true    gt   lt  sequential gt       The definition can then be called this way in an ANT task    lt target name  unsignJar  gt       lt unsignjar jarFile  org test myjartounsign jar    gt   lt  target gt

User · Answer

Please use the following command  zip -d yourjar jar  META-INF   SF   META-INF   RSA   META-INF  SF

User · Answer

Some of your dependencies are likely signed jarfiles  When you combine them all into one big jarfile  the corresponding signature files are still present  and no longer match the  quot big combined quot  jarfile  so the runtime halts thinking the jar file has been tampered with  which it   has so to speak   Assuming you re using ant  you can solve the problem by eliminating the signature files from your jarfile dependencies  Unfortunately  it s not possible to do this in one step in ant  However  I was able to get this working with Ant in two steps  without specifically naming each jarfile dependency  by using   lt target name  quot jar quot  depends  quot compile quot  description  quot Create one big jarfile  quot  gt       lt jar jarfile  quot   output dir  deps jar quot  gt           lt zipgroupfileset dir  quot jars quot  gt               lt include name  quot      jar quot    gt           lt  zipgroupfileset gt       lt  jar gt       lt sleep seconds  quot 1 quot    gt       lt jar jarfile  quot   output dir  myjar jar quot  basedir  quot   classes dir  quot  gt           lt zipfileset src  quot   output dir  deps jar quot  excludes  quot META-INF   SF quot    gt           lt manifest gt               lt attribute name  quot Main-Class quot  value  quot com mycompany MyMain quot    gt           lt  manifest gt       lt  jar gt   lt  target gt   The sleep element is supposed to prevent errors about files with modification dates in the future  Other variations I found in the linked threads didn t work for me

User · Answer

This happened to me in Intellij when I clicked  Add as a Maven Project  on bottom line when Intellij said  non-managed pom files found    Meanwhile out folder was already generated  So it did not get recent changes   Deleting out folder and running the program solved the issue for me  out folder was then recreated   See the answer of Little Fox as well  The error I received was very similar to his

User · Answer

Error  A JNI error has occurred  please check your installation and try again   Exception in thread  main  java lang SecurityException  Invalid signature file digest for Manifest main attributes       at sun security util SignatureFileVerifier processImpl SignatureFileVerifier java 314        at sun security util SignatureFileVerifier process SignatureFileVerifier java 268        at java util jar JarVerifier processEntry JarVerifier java 316        at java util jar JarVerifier update JarVerifier java 228        at java util jar JarFile initializeVerifier JarFile java 383        at java util jar JarFile getInputStream JarFile java 450        at sun misc URLClassPath JarLoader 2 getInputStream URLClassPath java 977        at sun misc Resource cachedInputStream Resource java 77        at sun misc Resource getByteBuffer Resource java 160        at java net URLClassLoader defineClass URLClassLoader java 454        at java net URLClassLoader access 100 URLClassLoader java 73        at java net URLClassLoader 1 run URLClassLoader java 368        at java net URLClassLoader 1 run URLClassLoader java 362        at java security AccessController doPrivileged Native Method        at java net URLClassLoader findClass URLClassLoader java 361        at java lang ClassLoader loadClass ClassLoader java 424        at sun misc Launcher AppClassLoader loadClass Launcher java 331        at java lang ClassLoader loadClass ClassLoader java 357        at sun launcher LauncherHelper checkAndLoadMain LauncherHelper java 495    What helped me  IntelliJ IDEA 2016 3    File -  Project Structure -  Artifacts -  Add JAR -  Select Main Class -  Choose  copy to the output directory and link via manifest  -  OK -  Apply -  Build -  Build Artifacts    -  Build

User · Answer

I had a similar problem  The reason was that I was compiling using a JDK with a different JRE than the default one in my Windows box    Using the correct java exe solved my problem

User · Answer

If you re getting this when trying to bind JAR files for a Xamarin Android bindings project like so      JARTOXML   warning J2XA006  missing class error was raised while reflecting com your class   Invalid signature file digest for Manifest main attributes   Just open the JAR files using Winzip and delete the meta-inf directories  Rebuild - job done

User · Answer

Security is already a tough topic  but I m disappointed to see the most popular solution is to delete the security signatures  JCE requires these signatures  Maven shade explodes the BouncyCastle jar file which puts the signatures into META-INF  but the BouncyCastle signatures aren t valid for a new  uber-jar  only for the BC jar   and that s what causes the Invalid signature error in this thread   Yes  excluding or deleting the signatures as suggested by  ruhsuzbaykus does indeed make the original error go away  but it can also lead to new  cryptic errors   java security NoSuchAlgorithmException  PBEWithSHA256And256BitAES-CBC-BC SecretKeyFactory not available   By explicitly specifying where to find the algorithm like this   SecretKeyFactory getInstance  PBEWithSHA256And256BitAES-CBC-BC   BC      I was able to get a different error   java security NoSuchProviderException  JCE cannot authenticate the provider BC   JCE can t authenticate the provider because we ve deleted the cryptographic signatures by following the suggestion elsewhere in this same thread   The solution I found was the executable packer plugin that uses a jar-in-jar approach to preserve the BouncyCastle signature in a single  executable jar   UPDATE   Another way to do this  the correct way   is to use Maven Jar signer  This allows you to keep using Maven shade without getting security errors  HOWEVER  you must have a code signing certificate  Oracle suggests searching for  Java Code Signing Certificate    The POM config looks like this    lt plugin gt       lt groupId gt org apache maven plugins lt  groupId gt       lt artifactId gt maven-shade-plugin lt  artifactId gt       lt version gt 3 1 0 lt  version gt       lt executions gt           lt execution gt               lt phase gt package lt  phase gt               lt goals gt                   lt goal gt shade lt  goal gt               lt  goals gt               lt configuration gt                   lt filters gt                       lt filter gt                           lt artifact gt org bouncycastle   lt  artifact gt                           lt excludes gt                               lt exclude gt META-INF   SF lt  exclude gt                               lt exclude gt META-INF   DSA lt  exclude gt                               lt exclude gt META-INF   RSA lt  exclude gt                           lt  excludes gt                       lt  filter gt                   lt  filters gt                   lt transformers gt                       lt transformer implementation  org apache maven plugins shade resource ManifestResourceTransformer  gt                           lt mainClass gt your class here lt  mainClass gt                       lt  transformer gt                   lt  transformers gt                   lt shadedArtifactAttached gt true lt  shadedArtifactAttached gt               lt  configuration gt           lt  execution gt       lt  executions gt   lt  plugin gt   lt plugin gt       lt groupId gt org apache maven plugins lt  groupId gt       lt artifactId gt maven-jarsigner-plugin lt  artifactId gt       lt version gt 1 4 lt  version gt       lt executions gt           lt execution gt               lt id gt sign lt  id gt               lt goals gt                   lt goal gt sign lt  goal gt               lt  goals gt           lt  execution gt           lt execution gt               lt id gt verify lt  id gt               lt goals gt                   lt goal gt verify lt  goal gt               lt  goals gt           lt  execution gt       lt  executions gt       lt configuration gt           lt keystore gt  path to myKeystore lt  keystore gt           lt alias gt myfirstkey lt  alias gt           lt storepass gt 111111 lt  storepass gt           lt keypass gt 111111 lt  keypass gt       lt  configuration gt   lt  plugin gt    No  there s no way to get JCE to recognize a self-signed cert  so if you need to preserve the BouncyCastle certs  you have to either use the jar-in-jar plugin or get a JCE cert

User · Answer

It s possible that two different signers mess up java mind   Try removing META-INF folder from jar  adding manifest and signing JAR again  it helped me  http   jehy ru articles 2013 12 13 invalid-signature-file-digest-for-manifest-main-attributes

User · Answer

The solution listed here might provide a pointer      Invalid signature file digest for Manifest main attributes   Bottom line        It s probably best to keep the official jar as   is and just add it as a dependency in the manifest file for your   application jar file

User · Answer

For those using gradle and trying to create and use a fat jar  the following syntax might help   jar       doFirst           from   configurations compile collect   it isDirectory     it   zipTree it                 exclude  META-INF   RSA    META-INF   SF   META-INF   DSA

User · Answer

I faced the same issue  after reference somewhere  it worked as below changing    lt plugin gt       lt groupId gt org apache maven plugins lt  groupId gt       lt artifactId gt maven-shade-plugin lt  artifactId gt       lt version gt 3 2 1 lt  version gt       lt configuration gt           lt createDependencyReducedPom gt false lt  createDependencyReducedPom gt       lt  configuration gt       lt executions gt           lt execution gt               lt phase gt package lt  phase gt               lt goals gt                   lt goal gt shade lt  goal gt               lt  goals gt               lt configuration gt                   lt filters gt                       lt filter gt                           lt artifact gt     lt  artifact gt                           lt excludes gt                               lt exclude gt META-INF   SF lt  exclude gt                               lt exclude gt META-INF   DSA lt  exclude gt                               lt exclude gt META-INF   RSA lt  exclude gt                           lt  excludes gt                       lt  filter gt                   lt  filters gt               lt  configuration gt           lt  execution gt       lt  executions gt   lt  plugin gt

User · Answer

For those who have trouble with the accepted solution  there is another way to exclude resource from shaded jar with DontIncludeResourceTransformer   https   maven apache org plugins maven-shade-plugin examples resource-transformers html DontIncludeResourceTransformer             lt transformers gt               lt transformer implementation  org apache maven plugins shade resource DontIncludeResourceTransformer  gt                   lt resource gt BC1024KE DSA lt  resource gt               lt  transformer gt             lt  transformers gt    From Shade 3 0  this transformer accepts a list of resources  Before that you just need to use multiple transformer each with one resource

User · Answer

I ve recently started using IntelliJ on my projects  However  some of my colleagues still use Eclipse on the same projects  Today  I ve got the very same error after executing the jar-file created by my IntelliJ   While all the solutions in here talking about almost the same thing  none of them worked for me easily  possibly because I don t use ANT  maven build gave me other errors which referred me to http   cwiki apache org confluence display MAVEN MojoExecutionException  and also I couldn t figure out what are the signed jars by myself    Finally  this helped me   zip -d demoSampler jar  META-INF   SF   META-INF   RSA   META-INF  SF    Guess what s been removed from my jar file    deleting  META-INF ECLIPSE  SF  deleting  META-INF ECLIPSE  RSA   It seems that the issue was relevant to some eclipse-relevant files

User · Answer

In case you re using gradle  here is a full farJar task   version    1 0    create a single Jar with all dependencies task fatJar type  Jar        manifest           attributes  Implementation-Title    Gradle Jar File Example                  Implementation-Version   version               Main-Class    com example main            baseName   project name    -all      from   configurations compile collect   it isDirectory     it   zipTree it          exclude  META-INF   RSA    META-INF   SF   META-INF   DSA       with jar

User · Answer

For those who got this error when trying to create a shaded uber-jar with maven-shade-plugin  the solution is to exclude manifest signature files by adding the following lines to the plugin configuration   lt configuration gt       lt filters gt           lt filter gt               lt artifact gt     lt  artifact gt               lt excludes gt                   lt exclude gt META-INF   SF lt  exclude gt                   lt exclude gt META-INF   DSA lt  exclude gt                   lt exclude gt META-INF   RSA lt  exclude gt               lt  excludes gt           lt  filter gt       lt  filters gt       lt  -- Additional configuration  -- gt   lt  configuration gt

User · Answer

If you are looking for a Fat JAR solution without unpacking or tampering with the original libraries but with a special JAR classloader  take a look at my project here   Disclaimer  I did not write the code  just package it and publish it on Maven Central and describe in my read-me how to use it   I personally use it for creating runnable uber JARs containing BouncyCastle dependencies  Maybe it is useful for you  too

User · Answer

I had this problem when using IntelliJ IDEA 14 01    I was able to fix it by   File- Project Structure- Add New  Artifacts - jar- From Modules With Dependencies on the Create Jar From Module Window   Select you main class  JAR File from Libraries Select copy to the output directory and link via manifest

[java] "Invalid signature file" when attempting to run a .jar

Examples related to java

Examples related to jar

Examples related to executable-jar