Invalid Signature file digest - Maven solution

24 March 2015

Are you getting this exception ? 


Error: A JNI error has occurred, please check your installation and try again
Exception in thread "main" java.lang.SecurityException: Invalid signature file digest for Manifest main attributes
	at sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVerifier.java:284)
	at sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:238)
	at java.util.jar.JarVerifier.processEntry(JarVerifier.java:273)
	at java.util.jar.JarVerifier.update(JarVerifier.java:228)
	at java.util.jar.JarFile.initializeVerifier(JarFile.java:383)

If you a mere mortal like I am and have got this SecurityException after adding a maven repository read on. The most basic cause of such a exception is some dependency define in pom.xml is pulling in jars which are singed. After building your application unzip the final jar that gets created for your application.

In my case its GitFx-1.0-SNAPSHOT.jar. Unzip GitFx-1.0-SNAPSHOT.jar or do a jar -xvf GitFx-1.0-SNAPSHOT.jar. Inspect the META_INF folder. You will find .RSA,.SF or .DSA present under META_INF. This is signed information. The best way to explain why one gets the exception at runtime is “Some of your dependencies are likely signed jarfiles. When you combine them all into one big jarfile, the corresponding signatures are no longer valid so the runtime halts.” - StackOverflow Answer[1]

Solution to fix this with maven-dependency-plugin. Small snippet of code in my pom.xml. 

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-dependency-plugin</artifactId>
    <version>2.6</version>
    <executions>
        <execution>
            <id>unpack-dependencies</id>
            <phase>package</phase>
            <goals>
                <goal>unpack-dependencies</goal>
            </goals>
            <configuration>
                <excludeScope>system</excludeScope>
                <excludes>META-INF/*.SF</excludes>
                <excludes>META-INF/*.DSA</excludes>
                <excludes>META-INF/*.RSA</excludes>
                <excludeGroupIds>junit,org.mockito,org.hamcrest</excludeGroupIds>
                <outputDirectory>${project.build.directory}/classes</outputDirectory>
            </configuration>
        </execution>
    </executions>
</plugin>
Line # 15,16 and 17 is where we prevent the signed information from going into our final consolidated jar file.

Some more information about the plugins configuration can be found here[2]

Hope this helps :)

References:

  1. Stack OverFlow
  2. Apache Maven - Unpacking Specific Artifacts
Comment Box is loading comments...