smarkwal opened a new issue #3: Bug: Removing signature from JAR file with JCE providers leads to SecurityException
URL: https://github.com/apache/tomcat-jakartaee-migration/issues/3
 
 
   If this migration tool removes the cryptographic signature from a JAR file 
which contains JCE providers (e.g., Bouncy Castle), Java refuses to use these 
providers afterward:
   
   ```
   java.lang.SecurityException: JCE cannot authenticate the provider BC
   [...]
   Caused by: java.util.jar.JarException: file:/tmp/[...]/bcprov-ext-jdk15on-1.65.jar has unsigned entries - org/bouncycastle/LICENSE.class
   ```
   
   I see two possible solutions:
   
   1. If the classes in a JAR file do not have dependencies on Java EE classes, 
the JAR file is not touched by this migration tool. This means that the 
signature remains intact.
   2. If a JAR file contains JCE providers, it is not touched by this migration 
tool. Instead, a warning is printed.
   
   I think that solution 1 is easier to implement, since it does not require 
special knowledge about JCE providers (or other features which require signed 
JAR files).
   
   Bouncy Castle's main JAR file does not have dependencies on any Java EE 
classes. This means that both solutions would work for it.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services
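
A sketch of the check behind solution 1 in the issue above, as an added example that is not code from the migration tool or from the issue's author: it reports whether a JAR carries signature files and whether any class mentions a Java EE package, then decides whether to copy the JAR unchanged. The class name `SignedJarCheck`, the `EE_PREFIXES` sample list, and the byte-level string scan are assumptions made for illustration, and the sample JAR is constructed inline.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;
import java.util.jar.*;

public class SignedJarCheck {
    // Assumption: a small sample of Java EE package prefixes in class-file (slash) form.
    static final List<String> EE_PREFIXES = List.of("javax/servlet", "javax/ejb", "javax/persistence");

    /** True if META-INF directly holds a signature file (.SF) or signature block (.RSA/.DSA/.EC). */
    static boolean isSigned(JarFile jar) {
        return jar.stream().map(e -> e.getName().toUpperCase(Locale.ROOT))
                .anyMatch(n -> n.startsWith("META-INF/") && n.indexOf('/', 9) < 0
                        && (n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA") || n.endsWith(".EC")));
    }

    /** True if any .class entry contains an EE package name (ASCII constant-pool strings are stored as plain bytes). */
    static boolean referencesJavaEE(JarFile jar) throws IOException {
        for (JarEntry e : Collections.list(jar.entries())) {
            if (!e.getName().endsWith(".class")) continue;
            try (InputStream in = jar.getInputStream(e)) {
                String text = new String(in.readAllBytes(), StandardCharsets.ISO_8859_1);
                for (String p : EE_PREFIXES) if (text.contains(p)) return true;
            }
        }
        return false;
    }

    /** Solution 1: a JAR without EE references is copied byte-for-byte, so its signature stays valid. */
    static String decide(boolean signed, boolean ee) {
        if (!ee) return "copy unchanged";
        return signed ? "convert and warn: signature will no longer match" : "convert";
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a JAR with a placeholder .SF entry and one "class" without EE references.
        Path tmp = Files.createTempFile("sample", ".jar");
        try (JarOutputStream out = new JarOutputStream(Files.newOutputStream(tmp))) {
            out.putNextEntry(new JarEntry("META-INF/SAMPLE.SF"));
            out.write("Signature-Version: 1.0\n".getBytes(StandardCharsets.UTF_8));
            out.putNextEntry(new JarEntry("org/example/Provider.class"));
            out.write("java/security/Provider".getBytes(StandardCharsets.UTF_8));
        }
        try (JarFile jar = new JarFile(tmp.toFile(), false)) { // false: skip verification of the placeholder signature
            boolean signed = isSigned(jar), ee = referencesJavaEE(jar);
            System.out.println("signed=" + signed + " referencesEE=" + ee + " -> " + decide(signed, ee));
        } finally {
            Files.delete(tmp);
        }
    }
}
```

The substring scan can over-match (a string constant that merely mentions a package name), which only causes an unnecessary conversion; a real implementation would parse the constant pool instead.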
