Hello, after upgrading Java Web Start to 8u141 an application fails to start with a JAR verification error:
com.sun.deploy.net.JARSigningException: Signature could not be verified in resource: http://localhost:10000/seeburger/app/commons-httpclient.jar
	at com.sun.deploy.security.JarVerifier.authenticateJarEntry(Unknown Source)
	at com.sun.deploy.security.EnhancedJarVerifier.validate(Unknown Source)
	at com.sun.deploy.cache.CacheEntry.processJar(Unknown Source)
	at com.sun.deploy.cache.CacheEntry.access$2700(Unknown Source)
	at com.sun.deploy.cache.CacheEntry$7.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.sun.deploy.cache.CacheEntry.writeFileToDisk(Unknown Source)
	at com.sun.deploy.cache.CacheEntry.writeFileToDisk(Unknown Source)
	at com.sun.deploy.cache.Cache.downloadResourceToTempFile(Unknown Source)
	at com.sun.deploy.cache.Cache.downloadResourceToCache(Unknown Source)
	at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
	at com.sun.deploy.net.DownloadEngine.downloadResource(Unknown Source)
	at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
	at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
	at com.sun.javaws.LaunchDownload$DownloadTask.call(Unknown Source)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
java.lang.SecurityException: digest missing for org/apache/commons/httpclient
	at sun.security.util.ManifestEntryVerifier.verify(ManifestEntryVerifier.java:202)
	at java.util.jar.JarVerifier.processEntry(JarVerifier.java:243)
	at java.util.jar.JarVerifier.update(JarVerifier.java:211)
	at java.util.jar.JarVerifier$VerifierStream.<init>(JarVerifier.java:457)
	at java.util.jar.JarFile.getInputStream(JarFile.java:464)
	at com.sun.deploy.security.JarVerifier.authenticateJarEntry(Unknown Source)
	at com.sun.deploy.security.EnhancedJarVerifier.validate(Unknown Source)

If I use jarsigner -verify (from 8u141) on that file it does not show a problem. The file also worked with 8u131. We signed that file ourselves and I am not sure when the broken entry is generated; it looks like this:

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.6.5
Built-By: oleg
Maven-Version: 1.1
Created-By: 1.5.0_11-b03 (Sun Microsystems Inc.)

Name: org/apache/commons/httpclient/Header.class
SHA-256-Digest: 5HHGzly6O0szGtB9rGU+bY2PXW54N9EmRkoz9g5QFEQ=

...

Name: org/apache/commons/httpclient/methods/multipart/PartSource.class
SHA-256-Digest: mk7TML731ZpUoSypwlvr2qtT67lwUgxl7FwSZ+/6B6s=

Name: org/apache/commons/httpclient
Implementation-Title: org.apache.commons.httpclient
Implementation-Version: 3.1
X-Compile-Target-JDK: 1.2
Specification-Vendor: Apache Software Foundation
Specification-Title: Jakarta Commons HttpClient
Implementation-Vendor-Id: org.apache
Extension-name: org.apache.commons.httpclient
X-Compile-Source-JDK: 1.2
Specification-Version: 3.1
Implementation-Vendor: Apache Software Foundation

Name: org/apache/commons/httpclient/methods/multipart/FilePart.class
SHA-256-Digest: uCUbczb7+sVYzJ+pxl+I6Qk3SBS6xeztmAOJvuUzmsM=

...

This structure is created by the JAR signer because the original Apache artifact manifest looks like this:

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.6.5
Created-By: 1.5.0_11-b03 (Sun Microsystems Inc.)
Built-By: oleg
Maven-Version: 1.1

Name: org/apache/commons/httpclient
Extension-name: org.apache.commons.httpclient
Specification-Title: Jakarta Commons HttpClient
Specification-Vendor: Apache Software Foundation
Specification-Version: 3.1
Implementation-Title: org.apache.commons.httpclient
Implementation-Vendor: Apache Software Foundation
Implementation-Version: 3.1
Implementation-Vendor-Id: org.apache
X-Compile-Source-JDK: 1.2
X-Compile-Target-JDK: 1.2

I think different jarsigner versions behave differently; some remove that section. jarsigner -verify should be as strict as JWS. JWS should probably ignore sections like that, as before.

Regards,
Bernd
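A quick way to find the kind of manifest section the trace above complains about ("digest missing for org/apache/commons/httpclient") before Java Web Start does: the checker below is an added example, not code from the original post or from the JDK. It parses META-INF/MANIFEST.MF as the JAR specification lays it out (attribute lines, blank-line separated sections, wrapped values continued on a line that starts with a single space) and reports every named section that carries no *-Digest attribute. The embedded sample manifest is constructed for this example, modelled on the fragment in the post, and the function names (parse_manifest, sections_without_digest, check_jar) are this example's own, not anything from jarsigner or JWS.

```python
"""Report named sections of a signed JAR's manifest that have no digest.

Added example (not from the original post). A named section without a
*-Digest attribute, such as a bare package entry like
"Name: org/apache/commons/httpclient", is what the "digest missing for ..."
SecurityException in the post refers to.
"""
import sys
import zipfile
from typing import Dict, List, Tuple

Section = Dict[str, str]


def parse_manifest(text: str) -> Tuple[Section, List[Section]]:
    """Split manifest text into (main attributes, named sections).

    A line beginning with a single space continues the previous attribute
    value (the JAR format wraps long lines this way); one or more blank
    lines end a section.  The first section is the main section.
    """
    sections: List[Section] = []
    current: Section = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line.strip():
            if current:
                sections.append(current)
                current, last_key = {}, None
            continue
        if line.startswith(" ") and last_key is not None:
            # Continuation line: the leading space is framing, not data.
            current[last_key] += line[1:]
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed manifest line: {line!r}")
        last_key = key.strip()
        # Exactly one space follows the colon; keep the rest verbatim.
        current[last_key] = value[1:] if value.startswith(" ") else value
    if current:
        sections.append(current)
    if not sections:
        return {}, []
    return sections[0], sections[1:]


def has_digest(section: Section) -> bool:
    """True if the section has any attribute ending in -Digest (e.g. SHA-256-Digest)."""
    return any(key.lower().endswith("-digest") for key in section)


def sections_without_digest(text: str) -> List[str]:
    """Return the Name of every named section that carries no digest line."""
    _, named = parse_manifest(text)
    return [s["Name"] for s in named if "Name" in s and not has_digest(s)]


def check_jar(path: str) -> List[str]:
    """Run the check against a JAR on disk (only meaningful for a signed JAR)."""
    with zipfile.ZipFile(path) as jar:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    return sections_without_digest(text)


# Constructed sample manifest, modelled on the post; the FilePart.class Name
# is deliberately wrapped onto a continuation line to exercise that path.
SAMPLE_MANIFEST = """\
Manifest-Version: 1.0
Created-By: 1.5.0_11-b03 (Sun Microsystems Inc.)

Name: org/apache/commons/httpclient/Header.class
SHA-256-Digest: 5HHGzly6O0szGtB9rGU+bY2PXW54N9EmRkoz9g5QFEQ=

Name: org/apache/commons/httpclient
Implementation-Title: org.apache.commons.httpclient
Specification-Title: Jakarta Commons HttpClient

Name: org/apache/commons/httpclient/methods/multipart/FilePart.cla
 ss
SHA-256-Digest: uCUbczb7+sVYzJ+pxl+I6Qk3SBS6xeztmAOJvuUzmsM=
"""


if __name__ == "__main__":
    # Usage: python check_manifest.py [signed.jar]; without an argument the
    # constructed sample is checked.
    missing = check_jar(sys.argv[1]) if len(sys.argv) > 1 else sections_without_digest(SAMPLE_MANIFEST)
    for name in missing:
        print(f"digest missing for {name}")
```

The check looks only at the manifest, so it is intentionally narrower than jarsigner -verify: it does not read the .SF or signature block files and says nothing about whether the signature itself is valid. It is also only meaningful for a signed JAR; an unsigned manifest has no digest lines in any section and would flag everything.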
