116

I am trying to run the jar file of my project. I am working on intelliJ and have use artifacts to generate the jar file. But everytime i am trying to run my jar file its giving me exception.

java.lang.SecurityException: Invalid signature file digest for Manifest main attributes
    at sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVerifier.java:284)
    at sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:238)
    at java.util.jar.JarVerifier.processEntry(JarVerifier.java:316)
    at java.util.jar.JarVerifier.update(JarVerifier.java:228)
    at java.util.jar.JarFile.initializeVerifier(JarFile.java:383)
    at java.util.jar.JarFile.getInputStream(JarFile.java:450)
    at sun.misc.JarIndex.getJarIndex(JarIndex.java:137)
    at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:839)
    at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:831)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.misc.URLClassPath$JarLoader.ensureOpen(URLClassPath.java:830)
    at sun.misc.URLClassPath$JarLoader.<init>(URLClassPath.java:803)
    at sun.misc.URLClassPath$3.run(URLClassPath.java:530)
    at sun.misc.URLClassPath$3.run(URLClassPath.java:520)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.misc.URLClassPath.getLoader(URLClassPath.java:519)
    at sun.misc.URLClassPath.getLoader(URLClassPath.java:492)
    at sun.misc.URLClassPath.getNextLoader(URLClassPath.java:457)
    at sun.misc.URLClassPath.getResource(URLClassPath.java:211)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:365)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:362)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:361)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:495)
Error: A JNI error has occurred, please check your installation and try again
Exception in thread "main"

And this is my manifest file:

Manifest-Version: 1.0
Main-Class: Main

The project's external libraries:

enter image description here

Dave Jarvis
  • 30,436
  • 41
  • 178
  • 315
Fay007
  • 2,707
  • 3
  • 28
  • 58
  • 1
    It's a bit late but I'll comment: your dependencies include at least one signed jar. You should not extract the dependencies as explained here: http://stackoverflow.com/questions/41746177/how-do-i-create-a-runnable-jar-in-intellij-as-i-would-in-eclipse/43855741#43855741 –  May 16 '17 at 09:43

11 Answers11

118

Some of your dependency JARs is a signed JAR, so when you combine then all in one JAR and run that JAR then signature of the signed JAR doesn't match up and hence you get the security exception about signature mis-match.

To fix this you need to first identify which all dependency JARs are signed JARs and then exclude them. Depending upon whether you are using MAVEN or ANT, you have to take appropriate solution. Below are but you can read more here, here and here.

Maven:

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-dependency-plugin</artifactId>
    <version>2.6</version>
    <executions>
        <execution>
            <id>unpack-dependencies</id>
            <phase>package</phase>
            <goals>
                <goal>unpack-dependencies</goal>
            </goals>
            <configuration>
                <excludeScope>system</excludeScope>
                <excludes>META-INF/*.SF,META-INF/*.DSA,META-INF/*.RSA</excludes>
                <excludeGroupIds>junit,org.mockito,org.hamcrest</excludeGroupIds>
                <outputDirectory>${project.build.directory}/classes</outputDirectory>
            </configuration>
        </execution>
    </executions>
</plugin>

ANT:

<jar destfile="app.jar" basedir="${classes.dir}">
    <zipfileset excludes="META-INF/**/*" src="${lib.dir}/bcprov-jdk16-145.jar"></zipfileset>
    <manifest>
        <attribute name="Main-Class" value="app.Main"/>
    </manifest>
</jar>

Update based on OP's comment:

"sqljdbc4.jar" was the signed JAR in OP's external libraries. So, following above approach to systematically exclude the signature related files like .SF, .RSA or .DES or other algorithms files is the right way to move forward.

If these signature files are not excluded then security exception will occur because of signature mismatch.

How to know if a JAR is signed or not?: If a JAR contains files like files like .SF, .RSA or .DES or other algorithms files, then it is a signed JAR. Or run jarsigner -verify jarname.jar and see if it outputs "verified"

Michael M.
  • 10,486
  • 9
  • 18
  • 34
hagrawal7777
  • 14,103
  • 5
  • 40
  • 70
  • i don't see any file like those in my project – Fay007 Jan 19 '16 at 04:24
  • This seems to be the most useful answer/advice – Sharat Chandra Nov 11 '16 at 19:04
  • 4
    I am using Maven but this did not solved it, are there any new solution for it. @hagrawal ? – JollyRoger Apr 05 '18 at 06:29
  • @JollyRoger What did you try, can you please provide details. Also, try directly excluding the signed JAR. – hagrawal7777 Apr 05 '18 at 07:27
  • @hagrawal I actually opened the jar manifest.mf and deleted .sf, .rsa files and it solved. Thanks – JollyRoger Apr 05 '18 at 07:29
  • 8
    the correct way to specify multiple exclusions should be in a comma separated list, like this: "META-INF/*.SF,META-INF/*.DSA,META-INF/*.RSA"; otherwise only the last one will be excluded – negste Feb 01 '19 at 13:15
  • I am trying this. IntelliJ says that the exclude-tags do not belong there (i.e configuration-tag). – awesomemypro Dec 13 '19 at 06:33
  • 5
    Using dependency-plugin did not help me, but the filters can also be configured in shade-plugin https://stackoverflow.com/questions/64063528/failsafe-error-invalid-signature-file-digest-for-manifest-main-attributes-whe/64063529#64063529 – Ludwik Sep 25 '20 at 11:48
  • FWIW appears you only have to exclude the `*.SF` files, then it works... – rogerdpack Nov 24 '20 at 18:43
  • find . -iname "*.jar" -exec sh -c 'jarsigner -verify {} | grep -q unsigned' \; -exec echo 'Unsigned jar: {}' \; – caduceus May 25 '21 at 11:13
  • Thanks @caduceus, I found the inverse to be much more helpful in identifying the culprit (conscrypt-openjdk-uber) `find . -iname "*.jar" -exec sh -c 'jarsigner -verify {} | grep -q verified' \; -exec echo 'Verified jar: {}' \;` – Sam Barnum Sep 20 '22 at 01:00
58

just filter the signature files from your uber jar

 <plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-shade-plugin</artifactId>
    <version>3.2.4</version>
    <executions>
        <execution>
            <phase>package</phase>
            <goals>
                <goal>shade</goal>
            </goals>
            <configuration>
                <minimizeJar>true</minimizeJar>
                <filters>
                    <filter>
                        <artifact>*:*</artifact>
                        <excludes>
                            <exclude>META-INF/*.SF</exclude>
                            <exclude>META-INF/*.DSA</exclude>
                            <exclude>META-INF/*.RSA</exclude>
                        </excludes>
                    </filter>
                </filters>
            </configuration>
        </execution>
    </executions>
</plugin>
madx
  • 6,723
  • 4
  • 55
  • 59
tom
  • 1,647
  • 14
  • 15
  • 1
    This solution fixes the SecurityException for me, but the `` option breaks my app because it depends on a library that loads its XML parser via the ServiceLoader mechanism (so no static dependency on the parser). With `` enabled, maven-shade-plugin thinks the parser is unreachable code, eliminates it from the jar, and I get a `java.util.ServiceConfigurationError` from ServiceLoader. Removing `` from the above gets me to a working state! – Jonathan Fuerth Jan 18 '21 at 19:41
27

In my case, I am working with an uber-jar via maven-shade-plugin and @ruhsuzbaykus answer here was the solution. The strategy seems very similar to what @hagrawal proposes but the exclusions are added as a filter configuration of maven-shade-plugin.

luv2learn
  • 606
  • 8
  • 12
  • This is the best solution when using Vert.x with SQL Server JDBC driver. – Dalton Jan 02 '20 at 17:38
  • I've added an answer on that situation https://stackoverflow.com/questions/64063528/failsafe-error-invalid-signature-file-digest-for-manifest-main-attributes-whe/64063529#64063529 – Ludwik Sep 25 '20 at 11:47
20

In the compiled jar need to delete the security signed files. To do this follow this command

zip -d jarfile.jar 'META-INF/.SF' 'META-INF/.RSA' 'META-INF/*SF'

Rafael Parungao
  • 366
  • 3
  • 4
5

I've added below lines to my build.gradle.kts and it resolved the issue

tasks.withType<org.gradle.jvm.tasks.Jar>() {
    exclude("META-INF/BC1024KE.RSA", "META-INF/BC1024KE.SF", "META-INF/BC1024KE.DSA")
    exclude("META-INF/BC2048KE.RSA", "META-INF/BC2048KE.SF", "META-INF/BC2048KE.DSA")
}
theapache64
  • 10,926
  • 9
  • 65
  • 108
3

In my case, without use gradle or maven for build, I create Artifacts as Jar type enter image description here

After build Artifacts, I get a result is a jar file. I rename it to .rar (or .zip) and open it as archive file, then find META-INF folder and delete all find with .SF, .DSA, .RSA extension, rearchive it again and rename to .jar. DONE.

ThanhLD
  • 634
  • 5
  • 20
  • 2
    If you use [7-Zip](https://www.7-zip.org/), you can right click and press "Open archive", view the internal files, then directly delete the ones you need to. (much faster than extracting and recompressing) – Venryx May 22 '21 at 16:24
2

Instead of deleting the META-INF file, I changed the method in the Artifact definition. I deleted the "Extracted" library from the Artifact and added it again as "Put into Output Root".

This way the library will be incorporated without any changes in the new jar file, which I assume is the objective of signing the library...

By the way, I am also using the sqljdbc.jar.

Cristián Hidalgo
  • 21
  • 3
  • Worked like a charm and I also prefer this solution. I've seen in IntelliJ IDEA, File / Project Structure / Project Settings / Modules you can choose the scope of each libray: Compile, Test, Runtime, Provided. I don't know if this could also be related; I haven't worked with java for over a decade and am relearning. – Raúl Moreno Jan 27 '22 at 10:56
1

Based on Venryx's comment, you can just open the jar file as an archive in 7-Zip and delete the .RSA, .SF, and .DSA files directly. You can rebuild your artifact which depended on the signed library afterwards and the error should go away.

Sam
  • 261
  • 2
  • 11
1

For anyone working with an Android gradle application, you can resolve this by excluding the files in build.gradle in the packagingOptions section.

Here is an example:

packagingOptions {
  exclude 'META-INF/LICENSE'
  exclude 'META-INF/LICENSE.txt'
  exclude 'META-INF/MSFTSIG.SF'
  exclude 'META_INF/ECLIPSE_.SF'
  exclude("META-INF/*.kotlin_module")
}

Note: for some reason using regular expression (META-INF/*.SF) didn't work for me. So I have to give the complete name to work.

RustyTheBoyRobot
  • 5,891
  • 4
  • 36
  • 55
DS009
  • 169
  • 3
  • 5
  • 14
0

For the same problem,I have done clean install and issue gone. So clean install is one option by which you can build with fresh downloaded jars.

Anshu
  • 69
  • 2
  • 18
0

I had the same problem when running the application. At build step maven shade plugin warned me about overlapped resources. I realized that I have redundant jar dependency. After removing it, the problem was resolved.

 [INFO] Skipping pom dependency com.sun.xml.ws:jaxws-ri:pom:2.3.2 in the shaded jar.
 [WARNING] Discovered module-info.class. Shading will break its strong encapsulation.
 ...
 ...

 [WARNING] maven-shade-plugin has detected that some class files are
 [WARNING] present in two or more JARs. When this happens, only one
 [WARNING] single version of the class is copied to the uber jar.
sgorgulu
  • 46
  • 1
  • 4