Bug 740754 - Double signed jars causing 'jarsigner -verify' to fail.
Summary: Double signed jars causing 'jarsigner -verify' to fail.
Alias: None
Product: JBoss Enterprise BRMS Platform 5
Classification: JBoss
Component: Build Process
Version: BRMS 5.2.0.GA
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Ryan Zhang
QA Contact: Petr Široký
Depends On:
Reported: 2011-09-23 08:44 UTC by Petr Široký
Modified: 2014-10-15 17:26 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-10-15 17:26:14 UTC
Type: Bug


Description Petr Široký 2011-09-23 08:44:00 UTC
Description of problem:
There are several jars in BRMS 5.2.0 that are double signed. There is a signature file from JBoss and then another one from the original vendor. Because of this, the 'jarsigner' utility is failing when trying to verify signatures.

These jars are double signed:
bcmail-jdk14-138.jar (located for example in jboss-brms.war/WEB-INF/lib/)
bcprov-jdk14-138.jar (located for example in jboss-brms.war/WEB-INF/lib/)
seam/lib/gen/core.jar (only in standalone distribution)

Example output:
$ jarsigner -verify jboss-brms.war/WEB-INF/lib/bcmail-jdk14-138.jar
jarsigner: java.lang.SecurityException: invalid SHA1 signature file digest for org/bouncycastle/cms/CMSSignedDataStreamGenerator$TeeOutputStream.class

Additional info:
If the signature files from original vendor are removed, the verifying is successful.
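A reduced model of the check that fails here, added as an example and not code from the bug or the BRMS build: it reads every META-INF/*.SF in a jar, recomputes the SHA-1 of the same-named MANIFEST.MF section and reports the entries whose SHA1-Digest no longer matches, which is the condition behind "invalid SHA1 signature file digest". The sample jar, the signer names ORIG/JBOSS and the class entry are constructed; the .RSA/.DSA blocks and the whole-manifest digest are not verified.

```python
import base64
import hashlib
import io
import re
import zipfile

def attr(section: bytes, key: bytes):
    """Read one attribute value from a section (continuation lines are unfolded)."""
    text = re.sub(rb'\r?\n ', b'', section)
    m = re.search(rb'(?mi)^' + re.escape(key) + rb': (.*?)\r?$', text)
    return m.group(1) if m else None

def named_sections(data: bytes) -> dict:
    """Per-entry sections keyed by Name:, each kept as raw bytes up to and including
    its terminating blank line, which is the span jarsigner digests per entry."""
    sections = [s for s in re.split(rb'(?<=\n\r\n)|(?<=\n\n)', data) if s]
    return {attr(s, b'Name'): s for s in sections if attr(s, b'Name')}

def sha1_b64(data: bytes) -> bytes:
    return base64.b64encode(hashlib.sha1(data).digest())

def check_signature_files(jar_bytes: bytes) -> dict:
    """Map each META-INF/*.SF to the entries whose SHA1-Digest does not match the
    digest of the same-named MANIFEST.MF section (what jarsigner reports as
    'invalid SHA1 signature file digest'); more than one key means several signers."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        mf, result = named_sections(zf.read('META-INF/MANIFEST.MF')), {}
        for name in zf.namelist():
            if name.upper().startswith('META-INF/') and name.upper().endswith('.SF'):
                sf = named_sections(zf.read(name))
                result[name] = [e.decode() for e, s in sf.items()
                                if attr(s, b'SHA1-Digest') != sha1_b64(mf.get(e, b''))]
    return result

def build_sample_jar() -> bytes:
    """Constructed double-signed jar: ORIG.SF covers the original manifest; a second
    signer then rewrote the entry section (added a digest attribute) and wrote JBOSS.SF."""
    entry = b'org/example/Foo.class'
    orig_mf = b'Manifest-Version: 1.0\r\n\r\nName: ' + entry + b'\r\nSHA1-Digest: AAAA\r\n\r\n'
    new_mf = orig_mf[:-2] + b'SHA-256-Digest: BBBB\r\n\r\n'
    def sf_for(mf):  # .SF whose per-entry digest covers mf's section for entry
        return (b'Signature-Version: 1.0\r\n\r\nName: ' + entry + b'\r\nSHA1-Digest: '
                + sha1_b64(named_sections(mf)[entry]) + b'\r\n\r\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('META-INF/MANIFEST.MF', new_mf)
        zf.writestr('META-INF/ORIG.SF', sf_for(orig_mf))
        zf.writestr('META-INF/JBOSS.SF', sf_for(new_mf))
        zf.writestr(entry.decode(), b'\xca\xfe\xba\xbe')  # placeholder class bytes
    return buf.getvalue()
```

Running check_signature_files on the sample reports the original vendor's ORIG.SF as stale for org/example/Foo.class while JBOSS.SF verifies, which is the state the bug describes; an empty list for every .SF and a single key is what a cleanly signed jar looks like.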

Comment 1 Prakash Aradhya 2011-09-23 09:33:57 UTC
Is this breaking what we did in 5.1 release ?

Comment 2 Petr Široký 2011-09-23 09:54:28 UTC
AFAIK the jars weren't signed (from JBoss) in 5.1.0 release. So yes, in some way, this is breaking what we did in 5.1. It would be nice to have it fixed, but I think it is not that serious.

Comment 3 Douglas Palmer 2011-09-23 10:38:24 UTC
You should get exactly the same error when the jvm attempts to load the jars; this is serious.

Comment 4 Petr Široký 2011-09-23 14:46:20 UTC
Oh, sorry, I did not realize that. Thanks for pointing it out Doug. Currently we are not getting such an error when running Guvnor. It is probably because the badly signed jars are not loaded by the jvm.

Comment 5 Douglas Palmer 2011-09-27 13:48:23 UTC
There is an inbound Mead fix for the double signing issue; the patch should be applied before Thursday. The fix will remove all existing signatures from a jar before signing with the JBoss key.

Comment 6 Ryan Zhang 2011-09-30 07:23:52 UTC
The incorrectly signed jars are handled manually and this issue is fixed in the ER5 release. So I change the status to ON_QA.

Comment 7 Lukáš Petrovický 2011-09-30 08:25:04 UTC
VERIFIED fixed in ER5
