Bug 780978 (SOA-3447)

Summary: Problem in jar signatures
Product: [JBoss] JBoss Enterprise SOA Platform 5 Reporter: Martin Vecera <mvecera>
Component: Build Process, SecurityAssignee: Douglas Palmer <dpalmer>
Status: CLOSED NEXTRELEASE QA Contact:
Severity: urgent Docs Contact:
Priority: urgent    
Version: 5.2.0.ER4CC: ldimaggi
Target Milestone: ---   
Target Release: 5.2.0 GA, 5.2.0.ER6   
Hardware: Unspecified   
OS: Unspecified   
URL: http://jira.jboss.org/jira/browse/SOA-3447
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-11-03 08:15:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Martin Vecera 2011-10-06 13:37:24 UTC 
project_key: SOA

There are some problems during verification of jar files signatures (error about expired certificate is ignored):

Verifying file: seam/lib/gen/core.jar
[ERROR] java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

Verifying file: jboss-as/server/all/deploy/soapui-client.sar/lib/soap-xmlbeans-1.2.jar
[ERROR] java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

Verifying file: jboss-as/server/production/deploy/soapui-client.sar/lib/soap-xmlbeans-1.2.jar
[ERROR] java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

Verifying file: jboss-as/server/default/deploy/soapui-client.sar/lib/soap-xmlbeans-1.2.jar
[ERROR] java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

Verifying manifest file Manifest/MANIFEST.MF
[ERROR] Manifest file not found.

Some files (seam/lib/gen/core.jar) seem to contain 3rd party signatures (Eclipse).
Comment 1 Len DiMaggio 2011-10-06 13:46:33 UTC 
Are files being changed after they are signed? Is this the cause?

http://download.oracle.com/javase/tutorial/deployment/jar/verify.html
Comment 2 Douglas Palmer 2011-10-06 14:01:37 UTC 
The jars are double signed; a recent mead update will remove the third party signatures so this should be fixed in ER5.
Comment 3 Len DiMaggio 2011-10-19 20:11:12 UTC 
Still an issue in ER5:

Verifying file: seam/lib/gen/core.jar
[ERROR] java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

Verifying file: jboss-as/server/all/deploy/soapui-client.sar/lib/soap-xmlbeans-1.2.jar
[ERROR] java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

Verifying file: jboss-as/server/default/deploy/soapui-client.sar/lib/soap-xmlbeans-1.2.jar
[ERROR] java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

Verifying file: jboss-as/server/production/deploy/soapui-client.sar/lib/soap-xmlbeans-1.2.jar
[ERROR] java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

https://hudson.qa.jboss.com/hudson/view/SOA-Release/job/soa-signatures/56/bits_type=EMBEDDED,jdk=java16_default,label=RHEL_any/artifact/report.txt
Comment 4 Douglas Palmer 2011-10-21 08:39:49 UTC 
The signing changes didn't make it into Mead in time for ER5 but they are in now.
Comment 5 David Le Sage 2011-10-27 05:00:03 UTC 
Release Notes Docs Status: Added: Not Required
Writer: Added: dlesage
Comment 6 Martin Vecera 2011-11-03 08:15:20 UTC 
Verified with ER6