Hi Aruna & All,

Even though "-digestalg SHA1" solves it (or works as a workaround), I am not clear about the jarsigner's verification behaviour.

1. Suppose we are signing a JAR with SHA1 and then signing with SHA256 using the *same key* / alias: verification *never fails*.
2. Signing a JAR with SHA1 and then signing with SHA256 using *different keys* / aliases *broke* the verification.
3. Signing a JAR with SHA1 and then again with SHA1 using the *same/different keys* / aliases *never fails* (this is what we did to solve the issue).

This is also reported on Stack Overflow [1]. And according to the Java doc [2], it says it is also possible for a JAR file to have mixed signatures.

Any thoughts on it?

[1] http://stackoverflow.com/questions/12614139/what-prevents-java-from-verifying-signed-jars-with-multiple-signature-algorithms
[2] http://docs.oracle.com/javase/7/docs/technotes/tools/windows/jarsigner.html#sthref18

On Sat, Mar 7, 2015 at 11:02 PM, Aruna Karunarathna <[email protected]> wrote:

> Hi all,
>
> This was resolved by adding the following argument to the jarsigner
> command.
>
> *-digestalg SHA1*
>
> This was suggested by Rasika, thanks for the suggestion.
>
> Further found that the two default jarsigner algorithms for JDK6 and JDK8
> differ.
>
> Regards,
> Aruna
>
> On Sat, Mar 7, 2015 at 3:34 PM, Aruna Karunarathna <[email protected]> wrote:
>
>> Hi all,
>>
>> When the security manager is enabled for products (which are built using Java 8
>> and signed using Java 8), the following exception is thrown at server start-up.
>>
>> JAVA_HOME environment variable is set to /home/aruna/software/java/jdk1.8.0_20
>> CARBON_HOME environment variable is set to /home/aruna/Downloads/signed_wso2as-6.0.0-SNAPSHOT
>> java.lang.reflect.InvocationTargetException
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:483)
>>     at org.wso2.carbon.bootstrap.Bootstrap.loadClass(Bootstrap.java:63)
>>     at org.wso2.carbon.bootstrap.Bootstrap.main(Bootstrap.java:45)
>> Caused by: java.lang.RuntimeException: invalid SHA1 signature file digest for org/eclipse/osgi/internal/module/MappedList.class
>>     at org.wso2.carbon.server.CarbonLauncher.launch(CarbonLauncher.java:117)
>>     at org.wso2.carbon.server.Main.launchCarbon(Main.java:162)
>>     at org.wso2.carbon.server.Main.main(Main.java:96)
>>     ... 6 more
>>
>> Further, I've noticed that org.eclipse.osgi_3.9.1.v20130814-1242.jar is
>> already signed.
>>
>> aruna@aruna:~$ jarsigner -verify unsigned_wso2as-6.0.0-SNAPSHOT/repository/components/plugins/org.eclipse.osgi_3.9.1.v20130814-1242.jar
>> jar verified.
>>
>> After signing the pack, signature verification throws the following exception.
>>
>> aruna@aruna:~$ jarsigner -verify signed_wso2as-6.0.0-SNAPSHOT/repository/components/plugins/org.eclipse.osgi_3.9.1.v20130814-1242.jar
>> jarsigner: java.lang.SecurityException: invalid SHA1 signature file digest for org/eclipse/osgi/internal/module/MappedList.class
>>
>> However, the packs start when signed with JDK6 and run on JDK8.
>>
>> So how should we proceed with this issue? Highly appreciate your thoughts.
>>
>> [1]. https://wso2.org/jira/browse/CARBON-14877
>>
>> Regards,
>> Aruna
>> --
>>
>> *Aruna Sujith Karunarathna* | Software Engineer
>> WSO2, Inc | lean. enterprise. middleware.
>> #20, Palm Grove, Colombo 03, Sri Lanka
>> Mobile: +94 71 9040362 | Work: +94 112145345
>> Email: [email protected] | Web: www.wso2.com
>>
>
> --
>
> *Aruna Sujith Karunarathna* | Software Engineer
> WSO2, Inc | lean. enterprise. middleware.
> #20, Palm Grove, Colombo 03, Sri Lanka
> Mobile: +94 71 9040362 | Work: +94 112145345
> Email: [email protected] | Web: www.wso2.com
>

--
With Regards,

*Rasika Perera*
Software Engineer
M: +94 71 680 9060
E: [email protected]
LinkedIn: http://lk.linkedin.com/in/rasika90

WSO2 Inc. www.wso2.com
lean.enterprise.middleware

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
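
Added example, not part of the original thread and not jarsigner or WSO2 code: a sketch of how the three observations above can arise from the digest chain alone. Per the JAR file specification, each per-entry digest in a .SF file covers that entry's section of MANIFEST.MF. The `sign` helper is a constructed, keyless model that assumes a second signing with a new digest algorithm appends a digest line to each section; `stale_entries` lists the entries an earlier .SF no longer matches. Alias names and the sample JAR are constructed.

```python
import base64, hashlib, io, re, zipfile
ALGS, MF = {"SHA1-Digest": "sha1", "SHA-256-Digest": "sha256"}, "META-INF/MANIFEST.MF"
def b64(alg, data): return base64.b64encode(hashlib.new(alg, data).digest()).decode()

def sections(raw):
    """Map entry name -> (raw section bytes incl. blank-line terminator, attributes)."""
    out = {}
    for m in re.finditer(rb"(?:[^\r\n]+\r?\n)+(?:\r?\n|\Z)", raw):
        text = re.sub(rb"\r?\n ", b"", m.group(0)).decode()  # unfold continuation lines
        attrs = dict(l.split(": ", 1) for l in text.splitlines() if ": " in l)
        if "Name" in attrs: out[attrs["Name"]] = (m.group(0), attrs)
    return out

def unpack(jar):
    with zipfile.ZipFile(io.BytesIO(jar)) as z:
        return {n: z.read(n) for n in z.namelist()}

def pack(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n, data in files.items(): z.writestr(n, data)
    return buf.getvalue()

def stale_entries(jar):
    """Return {sf_file: [entries whose .SF digest no longer matches MANIFEST.MF]}."""
    files = unpack(jar)
    manifest = sections(files[MF])
    return {sf: [e for e, (_, a) in sections(files[sf]).items()
                 for k, alg in ALGS.items()
                 if k in a and a[k] != b64(alg, manifest.get(e, (b"",))[0])]
            for sf in files if re.fullmatch(r"META-INF/[^/]+\.SF", sf)}

def sign(jar, alias, attr):
    """Constructed model of the digest step only: no key, no signature block."""
    files = unpack(jar)
    mf, sf = (f"{h}-Version: 1.0\r\n\r\n".encode() for h in ("Manifest", "Signature"))
    old = sections(files.get(MF, b""))
    for n, data in files.items():
        if not n.startswith("META-INF/"):
            attrs = old.get(n, (b"", {"Name": n}))[1]
            attrs[attr] = b64(ALGS[attr], data)  # a new algorithm adds a line to the section
            sec = "".join(f"{k}: {v}\r\n" for k, v in attrs.items()).encode() + b"\r\n"
            mf += sec
            sf += f"Name: {n}\r\n{attr}: {b64(ALGS[attr], sec)}\r\n\r\n".encode()
    return pack({**files, MF: mf, f"META-INF/{alias}.SF": sf})  # same alias overwrites its .SF

if __name__ == "__main__":  # constructed one-class JAR, signed twice with different aliases
    jar = sign(pack({"org/example/A.class": b"constructed"}), "ALPHA", "SHA1-Digest")
    print(stale_entries(sign(jar, "BETA", "SHA-256-Digest")))
```

`stale_entries` checks only the per-entry section digests; it does not check the whole-manifest digest or the signature block, so an empty list is not a full verification.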
