Author |
Message |
25/06/2013 15:55:06
|
slist
Power User
Joined: 20/03/2013 14:13:15
Messages: 37
Location: Berlin
Offline
|
Hi,
we accidentally found out that the signed JAR jpedal.jar from the CC FX tools contains an invalid signature. You can verify this by running
Code:
eclnt\libfx> jarsigner -verify -verbose jpedal.jar
My output was the following:
Code:
jarsigner: java.lang.SecurityException: invalid SHA1 signature file digest for org/jpedal/objects/PdfData.class
This would not be a huge problem right now, but some new tests in our build system failed because of the failing JAR verification.
Can you do something to get a properly signed JAR delivered alongside CaptainCasa?
BR
|
|
|
25/06/2013 16:13:47
|
hilka
Power User
Joined: 23/11/2007 09:00:08
Messages: 191
Offline
|
Hello,
we had a similar issue when validating jar files. But in our case, the jar files were signed twice. Take a look at my post: http://www.captaincasademo.com/forum/posts/list/1831.page
Tobias
|
|
|
25/06/2013 16:23:37
|
slist
|
Hi,
thanks for the fast reply! But the JAR is a lib that CC uses. Thus, I cannot alter how it is signed. But right, it has two digests in the Manifest.mf file.
Nevertheless, jarsigner complains. Any idea how to convince the tool that the classes have a valid signature?
BR
|
|
|
25/06/2013 16:33:28
|
hilka
|
You can sign the jar on your own, that's what we do. Or you can wait for the next update (and hope that the fix is included, which I think it will be).
Tobias
|
|
|
25/06/2013 16:40:40
|
hilka
|
Found the section in the documentation about the digestalg:
-digestalg algorithm
Specifies the name of the message digest algorithm to use when digesting the entries of a jar file.
See Appendix A of the Java Cryptography Architecture for a list of standard message digest algorithm names. If this option is not specified, SHA256 will be used. There must either be a statically installed provider supplying an implementation of the specified algorithm or the user must specify one with the -providerClass option, otherwise the command will not succeed.
This can be passed to your call of jarsigner. Try this
jarsigner -verify -verbose -digestalg SHA1 jpedal.jar
|
|
|
25/06/2013 16:41:20
|
hilka
|
The documentation comes from Java 7, so I assume that you call jarsigner with Java 7.
|
|
|
25/06/2013 16:44:44
|
slist
|
Yes, Java7_u25 in use. But
Code:
jarsigner: java.lang.SecurityException: invalid SHA1 signature file digest for org/jpedal/objects/PdfData.class
We use CC version 4_0_20130527.
|
|
|
25/06/2013 16:54:37
|
hilka
|
Well, then I guess you will have to wait for the next update I guess...
|
|
|
26/06/2013 10:46:11
|
CaptainCasa
Power User
Joined: 21/11/2007 12:23:06
Messages: 5555
Offline
|
Hi,
Tobias was right with the assumption that the jar file was signed twice...
We removed the original signature now, so the CaptainCasa one is the one left.
Fix is available in next update.
Thanks + regards!
Björn
|
Björn Müller, CaptainCasa GmbH |
|
|
01/07/2013 15:29:17
|
slist
|
Hi,
okay, the second signature has been removed now, but the JAR signer still complains about an invalid signature. Don't know why.
BR
|
|
|
|
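Added example, not part of the thread and not CaptainCasa or jarsigner code: a small checker for the step that produces "invalid SHA1 signature file digest for <entry>", which compares each per-entry digest in META-INF/*.SF against the bytes of that entry's section in MANIFEST.MF. The function names and the sample JAR are constructed; the sample assumes the second signing added a digest line to each manifest entry, as the "two digests in the Manifest.mf" remark suggests.

```python
import base64, hashlib, io, re, zipfile

ALGS = {"SHA1": "sha1", "SHA-256": "sha256"}  # attribute prefix -> hashlib name

def b64(alg, data):
    return base64.b64encode(hashlib.new(alg, data).digest()).decode()

def sections(raw):
    """Yield (attributes, raw bytes incl. trailing blank line) for each section."""
    for m in re.finditer(rb"(?:[^\r\n]+\r?\n)+(?:\r?\n)?", raw):
        text = re.sub(rb"\r?\n ", b"", m.group()).decode()  # unfold continuation lines
        yield dict(l.split(": ", 1) for l in text.splitlines() if ": " in l), m.group()

def stale_entries(jar_bytes):
    """Per *.SF, list entries whose manifest section no longer hashes to the recorded value."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:  # .RSA/.DSA blocks are not checked
        manifest = {a["Name"]: raw
                    for a, raw in sections(jar.read("META-INF/MANIFEST.MF")) if "Name" in a}
        report = {}
        for sf in jar.namelist():
            if not re.fullmatch(r"META-INF/[^/]+\.SF", sf, re.I):
                continue
            bad = set()
            for attrs, _ in sections(jar.read(sf)):
                for key, want in attrs.items():
                    alg = ALGS.get(key[:-7]) if key.endswith("-Digest") else None
                    if alg and "Name" in attrs and b64(alg, manifest.get(attrs["Name"], b"")) != want:
                        bad.add(attrs["Name"])
            report[sf] = sorted(bad)
    return report

def build_demo_jar():
    """Constructed sample: FIRST signs with SHA1, then SECOND re-signs with SHA-256."""
    name, cls = "org/example/Demo.class", b"\xca\xfe\xba\xbe constructed"
    old = f"Name: {name}\r\nSHA1-Digest: {b64('sha1', cls)}\r\n\r\n".encode()
    new = old[:-2] + f"SHA-256-Digest: {b64('sha256', cls)}\r\n\r\n".encode()
    def sf(alg, key, section):  # minimal .SF: header plus one per-entry digest
        return (f"Signature-Version: 1.0\r\n\r\nName: {name}\r\n"
                f"{key}-Digest: {b64(alg, section)}\r\n\r\n").encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n\r\n" + new)
        jar.writestr("META-INF/FIRST.SF", sf("sha1", "SHA1", old))  # digest of old section
        jar.writestr("META-INF/SECOND.SF", sf("sha256", "SHA-256", new))
        jar.writestr(name, cls)
    return buf.getvalue()

if __name__ == "__main__":
    print(stale_entries(build_demo_jar()))
```

To inspect a real archive, pass its bytes (for example `open(path, "rb").read()`) to `stale_entries`; an entry listed under a .SF file means that signer's digest was taken over a manifest section that has since changed.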