
I am building a shaded jar from dependencies and while using this shaded jar, I came across this exception:

Exception in thread "main" java.lang.SecurityException: no manifiest section for signature file

I was able to fix it by excluding the signed jars from the shaded jar and using those jars directly, but I came across the following SO questions on the same topic:

Maven shade jar throw exception

How can I exclude *.DSA and *.SF files from shaded jar?

"Invalid signature file" when attempting to run a .jar

Valid JAR signature for JavaFX projects

which suggest that we can resolve the problem by excluding the files that sign these jars.

But my question is, is that the right and legal way? For example, one of the signed jars that I was using was mssql-jdbc-6.4.0.jre7.jar signed by Microsoft. Microsoft must have signed it for legal and/or security reasons.

Is my understanding wrong?

tryingToLearn
  • What do you mean by "right and legal"? Do you mean whether you will violate licenses and possibly go to jail? – Erwin Bolwidt Mar 15 '18 at 09:38
  • I was not thinking that extreme but what I fail to understand is that when there is a way to use an unsigned version of the same jar, why did the company sign it in the first place? – tryingToLearn Mar 15 '18 at 09:40
  • @theLearner To make sure it is created by the company. If you repackage it, you can't keep the signature. – lexicore Mar 15 '18 at 09:50
  • @lexicore ok and whether I can repackage it or not will depend on the license, right? For e.g. if a jar has an apache license, I can repackage it. – tryingToLearn Mar 15 '18 at 09:52
  • @theLearner IANAL and won't comment on the Apache License. But, generally, yes, you have to consider licenses, especially when you repackage or redistribute anything. – lexicore Mar 15 '18 at 09:53
  • If a package is already Apache Licensed why do you need to repackage it? Does not make sense...just use it as a dependency... – khmarbaise Mar 15 '18 at 11:52
  • One more thing: if you create a shaded jar you are already violating the integrity of the single jar files, which themselves have checksums and signatures... Whether this is legal is a question you should ask a lawyer, in particular regarding those files from Microsoft etc., and also for the other files... – khmarbaise Mar 15 '18 at 12:04
  • @khmarbaise I used **Apache** just for an example. Could you please elaborate on **violating integrity of a single jar**? – tryingToLearn Mar 16 '18 at 04:00
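
An added example, not part of the original question or its comments: a Python check that lists the signature files still present in a shaded jar and, for each `.SF` file, the entries it signs that have no section in the merged `META-INF/MANIFEST.MF`, which is the condition the exception message above describes. The function names, the `com/vendor/Driver.class` entry and the sample jar are constructed for illustration.

```python
import io
import re
import zipfile

# Signature-related files the JAR format keeps directly under META-INF/.
SIG_FILE = re.compile(r"^META-INF/[^/]+\.(SF|DSA|RSA|EC)$", re.IGNORECASE)


def entry_names(text):
    """Return the per-entry 'Name:' values of a manifest-format file."""
    # Long lines are wrapped; a continuation line starts with a single space.
    unfolded = re.sub(r"\r?\n ", "", text)
    return {m.strip() for m in re.findall(r"^Name: (.*)$", unfolded, re.MULTILINE)}


def audit_jar(jar_bytes):
    """Map each leftover signature file to the entries it signs that have
    no section in META-INF/MANIFEST.MF (always empty for .RSA/.DSA/.EC)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        manifest = ""
        if "META-INF/MANIFEST.MF" in names:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
        in_manifest = entry_names(manifest)
        report = {}
        for name in names:
            if SIG_FILE.match(name):
                signed = set()
                if name.upper().endswith(".SF"):
                    signed = entry_names(jar.read(name).decode("utf-8"))
                report[name] = sorted(signed - in_manifest)
        return report


def build_sample_jar(keep_signature_files):
    """Constructed stand-in for a shaded jar: merged manifest, vendor class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: app.Main\r\n\r\n")
        jar.writestr("com/vendor/Driver.class", b"\xca\xfe\xba\xbe")
        if keep_signature_files:
            sf = ("Signature-Version: 1.0\r\n\r\n"
                  "Name: com/vendor/Driver.class\r\nSHA-256-Digest: Y29uc3RydWN0ZWQ=\r\n\r\n")
            jar.writestr("META-INF/VENDOR.SF", sf)
            jar.writestr("META-INF/VENDOR.RSA", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for keep in (True, False):
        print(keep, audit_jar(build_sample_jar(keep)))
```

An empty report means no signature files were carried over, so the shaded jar is simply unsigned; the original signed jar remains the only artifact whose signature can still be verified.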

0 Answers