Invalid signature file digest for Manifest main attributes exception while trying to run jar file

Question

I am trying to run the jar file of my project. I am working on intelliJ and have use artifacts to generate the jar file. But everytime i am trying to run my jar file its giving me exception.

java.lang.SecurityException: Invalid signature file digest for Manifest main attributes
    at sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVerifier.java:284)
    at sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:238)
    at java.util.jar.JarVerifier.processEntry(JarVerifier.java:316)
    at java.util.jar.JarVerifier.update(JarVerifier.java:228)
    at java.util.jar.JarFile.initializeVerifier(JarFile.java:383)
    at java.util.jar.JarFile.getInputStream(JarFile.java:450)
    at sun.misc.JarIndex.getJarIndex(JarIndex.java:137)
    at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:839)
    at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:831)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.misc.URLClassPath$JarLoader.ensureOpen(URLClassPath.java:830)
    at sun.misc.URLClassPath$JarLoader.<init>(URLClassPath.java:803)
    at sun.misc.URLClassPath$3.run(URLClassPath.java:530)
    at sun.misc.URLClassPath$3.run(URLClassPath.java:520)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.misc.URLClassPath.getLoader(URLClassPath.java:519)
    at sun.misc.URLClassPath.getLoader(URLClassPath.java:492)
    at sun.misc.URLClassPath.getNextLoader(URLClassPath.java:457)
    at sun.misc.URLClassPath.getResource(URLClassPath.java:211)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:365)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:362)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:361)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:495)
Error: A JNI error has occurred, please check your installation and try again
Exception in thread "main" 

And this is my manifest file:

Manifest-Version: 1.0
Main-Class: Main

The project's external libraries:

Answer 1

I had the same error, For those using javafx and getting the error while trying to make a distributable jar file using the shade plugin, just add these filters under in the shade plugin.

                           <filters>
                                <filter>
                                    <artifact>*:*</artifact>
                                    <excludes>
                                        <exclude>META-INF/*.SF</exclude>
                                        <exclude>META-INF/*.DSA</exclude>
                                        <exclude>META-INF/*.RSA</exclude>
                                    </excludes>
                                </filter>
                            </filters>

Answer 2

Some of your dependency JARs is a signed JAR, so when you combine then all in one JAR and run that JAR then signature of the signed JAR doesn't match up and hence you get the security exception about signature mis-match.

To fix this you need to first identify which all dependency JARs are signed JARs and then exclude them. Depending upon whether you are using MAVEN or ANT, you have to take appropriate solution. Below are but you can read more here, here and here.

Maven:

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-dependency-plugin</artifactId>
    <version>2.6</version>
    <executions>
        <execution>
            <id>unpack-dependencies</id>
            <phase>package</phase>
            <goals>
                <goal>unpack-dependencies</goal>
            </goals>
            <configuration>
                <excludeScope>system</excludeScope>
                <excludes>META-INF/*.SF,META-INF/*.DSA,META-INF/*.RSA</excludes>
                <excludeGroupIds>junit,org.mockito,org.hamcrest</excludeGroupIds>
                <outputDirectory>${project.build.directory}/classes</outputDirectory>
            </configuration>
        </execution>
    </executions>
</plugin>

ANT:

<jar destfile="app.jar" basedir="${classes.dir}">
    <zipfileset excludes="META-INF/**/*" src="${lib.dir}/bcprov-jdk16-145.jar"></zipfileset>
    <manifest>
        <attribute name="Main-Class" value="app.Main"/>
    </manifest>
</jar>

---

Update based on OP's comment:

"sqljdbc4.jar" was the signed JAR in OP's external libraries. So, following above approach to systematically exclude the signature related files like .SF, .RSA or .DES or other algorithms files is the right way to move forward.

If these signature files are not excluded then security exception will occur because of signature mismatch.

How to know if a JAR is signed or not?: If a JAR contains files like files like .SF, .RSA or .DES or other algorithms files, then it is a signed JAR. Or run jarsigner -verify jarname.jar and see if it outputs "verified"

Answer 3

I had the same problem when running the application. At build step maven shade plugin warned me about overlapped resources. I realized that I have redundant jar dependency. After removing it, the problem was resolved.

 [INFO] Skipping pom dependency com.sun.xml.ws:jaxws-ri:pom:2.3.2 in the shaded jar.
 [WARNING] Discovered module-info.class. Shading will break its strong encapsulation.
 ...
 ...

 [WARNING] maven-shade-plugin has detected that some class files are
 [WARNING] present in two or more JARs. When this happens, only one
 [WARNING] single version of the class is copied to the uber jar.

Answer 4

For anyone working with an Android gradle application, you can resolve this by excluding the files in build.gradle in the packagingOptions section.

Here is an example:

packagingOptions {
  exclude 'META-INF/LICENSE'
  exclude 'META-INF/LICENSE.txt'
  exclude 'META-INF/MSFTSIG.SF'
  exclude 'META_INF/ECLIPSE_.SF'
  exclude("META-INF/*.kotlin_module")
}

Note: for some reason using regular expression (META-INF/*.SF) didn't work for me. So I have to give the complete name to work.

Answer 5

Based on Venryx's comment, you can just open the jar file as an archive in 7-Zip and delete the .RSA, .SF, and .DSA files directly. You can rebuild your artifact which depended on the signed library afterwards and the error should go away.

Answer 6

In my case, without use gradle or maven for build, I create Artifacts as Jar type

After build Artifacts, I get a result is a jar file. I rename it to .rar (or .zip) and open it as archive file, then find META-INF folder and delete all find with .SF, .DSA, .RSA extension, rearchive it again and rename to .jar. DONE.

Answer 7

I've added below lines to my build.gradle.kts and it resolved the issue

tasks.withType<org.gradle.jvm.tasks.Jar>() {
    exclude("META-INF/BC1024KE.RSA", "META-INF/BC1024KE.SF", "META-INF/BC1024KE.DSA")
    exclude("META-INF/BC2048KE.RSA", "META-INF/BC2048KE.SF", "META-INF/BC2048KE.DSA")
}

Answer 8

In the compiled jar need to delete the security signed files. To do this follow this command

zip -d jarfile.jar 'META-INF/.SF' 'META-INF/.RSA' 'META-INF/*SF'

Answer 9

just filter the signature files from your uber jar

 <plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-shade-plugin</artifactId>
    <version>3.2.4</version>
    <executions>
        <execution>
            <phase>package</phase>
            <goals>
                <goal>shade</goal>
            </goals>
            <configuration>
                <minimizeJar>true</minimizeJar>
                <filters>
                    <filter>
                        <artifact>*:*</artifact>
                        <excludes>
                            <exclude>META-INF/*.SF</exclude>
                            <exclude>META-INF/*.DSA</exclude>
                            <exclude>META-INF/*.RSA</exclude>
                        </excludes>
                    </filter>
                </filters>
            </configuration>
        </execution>
    </executions>
</plugin>

Answer 10

For the same problem,I have done clean install and issue gone. So clean install is one option by which you can build with fresh downloaded jars.

Answer 11

In my case, I am working with an uber-jar via maven-shade-plugin and @ruhsuzbaykus answer here was the solution. The strategy seems very similar to what @hagrawal proposes but the exclusions are added as a filter configuration of maven-shade-plugin.

Answer 12

Instead of deleting the META-INF file, I changed the method in the Artifact definition. I deleted the "Extracted" library from the Artifact and added it again as "Put into Output Root".

This way the library will be incorporated without any changes in the new jar file, which I assume is the objective of signing the library...

By the way, I am also using the sqljdbc.jar.