Description of problem: There are several jars in BRMS 5.2.0 that are double signed. There is signature file from JBoss and then other one from original vendor. Because of this, 'jarsigner' utility is failing when trying to verify signatures. These jars are double signed: bcmail-jdk14-138.jar (located for example in jboss-brms.war/WEB-INF/lib/) bcprov-jdk14-138.jar (located for example in jboss-brms.war/WEB-INF/lib/) seam/lib/gen/core.jar (only in standalone distribution) Example output: $ jarsigner -verify jboss-brms.war/WEB-INF/lib/bcmail-jdk14-138.jar jarsigner: java.lang.SecurityException: invalid SHA1 signature file digest for org/bouncycastle/cms/CMSSignedDataStreamGenerator$TeeOutputStream.class Additional info: If the signature files from original vendor are removed, the verifying is successful.
Is this breaking what we did in 5.1 release ?
AFAIK the jars weren't signed (from JBoss) in 5.1.0 release. So yes, in some way, this is breaking what we did in 5.1. It would be nice to have it fixed, but I think it is not that serious.
You should get exactly the same error when the jvm attempts to load the jars, this is serious.
Oh, sorry I did not realized that. Thanks for pointing it out Doug. Currently we are not getting such error, when running Guvnor. It is probably because the badly signed jars are not loaded by jvm.
There is an inbound Mead fix for the double signing issue; the patch should be applied before Thursday. The fix will remove all existing signatures from a jar before signing with the JBoss key.
The incorrect signed jars are handled manually and this issue is fixed in ER5 release. So I change the status to ON_QA.
VERIFIED fixed in ER5