Bug 780978 (SOA-3447) - Problem in jar signatures
Summary: Problem in jar signatures
Keywords:
Status: CLOSED NEXTRELEASE
Alias: SOA-3447
Product: JBoss Enterprise SOA Platform 5
Classification: JBoss
Component: Build Process, Security
Version: 5.2.0.ER4
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: ---
: 5.2.0 GA,5.2.0.ER6
Assignee: Douglas Palmer
QA Contact:
URL: http://jira.jboss.org/jira/browse/SOA...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-10-06 13:37 UTC by Martin Vecera
Modified: 2011-11-03 08:15 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-11-03 08:15:20 UTC
Type: Bug

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker SOA-3447 0 None None None Never

Description Martin Vecera 2011-10-06 13:37:24 UTC 
project_key: SOA

There are some problems during verification of jar files signatures (error about expired certificate is ignored):

Verifying file: seam/lib/gen/core.jar
[ERROR] java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

Verifying file: jboss-as/server/all/deploy/soapui-client.sar/lib/soap-xmlbeans-1.2.jar
[ERROR] java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

Verifying file: jboss-as/server/production/deploy/soapui-client.sar/lib/soap-xmlbeans-1.2.jar
[ERROR] java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

Verifying file: jboss-as/server/default/deploy/soapui-client.sar/lib/soap-xmlbeans-1.2.jar
[ERROR] java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

Verifying manifest file Manifest/MANIFEST.MF
[ERROR] Manifest file not found.

Some files (seam/lib/gen/core.jar) seem to contain 3rd party signatures (Eclipse).
Comment 1 Len DiMaggio 2011-10-06 13:46:33 UTC 
Are files being changed after they are signed? Is this the cause?

http://download.oracle.com/javase/tutorial/deployment/jar/verify.html
Comment 2 Douglas Palmer 2011-10-06 14:01:37 UTC 
The jars are double signed; a recent mead update will remove the third party signatures so this should be fixed in ER5.
Comment 3 Len DiMaggio 2011-10-19 20:11:12 UTC 
Still an issue in ER5:

Verifying file: seam/lib/gen/core.jar
[ERROR] java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

Verifying file: jboss-as/server/all/deploy/soapui-client.sar/lib/soap-xmlbeans-1.2.jar
[ERROR] java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

Verifying file: jboss-as/server/default/deploy/soapui-client.sar/lib/soap-xmlbeans-1.2.jar
[ERROR] java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

Verifying file: jboss-as/server/production/deploy/soapui-client.sar/lib/soap-xmlbeans-1.2.jar
[ERROR] java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

https://hudson.qa.jboss.com/hudson/view/SOA-Release/job/soa-signatures/56/bits_type=EMBEDDED,jdk=java16_default,label=RHEL_any/artifact/report.txt
Comment 4 Douglas Palmer 2011-10-21 08:39:49 UTC 
The signing changes didn't make it into Mead in time for ER5 but they are in now.
Comment 5 David Le Sage 2011-10-27 05:00:03 UTC 
Release Notes Docs Status: Added: Not Required
Writer: Added: dlesage
Comment 6 Martin Vecera 2011-11-03 08:15:20 UTC 
Verified with ER6
Note You need to log in before you can comment on or make changes to this bug.