Search This Blog

Thursday, June 28, 2012

maven shade plugin: Invalid signature file digest for Manifest main attributes

If you get the following error message with maven shade plugin:

Exception in thread "main" java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

You need to add the following to pom.xml:

        <configuration>
          <filters>
            <filter>
              <artifact>*:*</artifact>
              <excludes>
                <exclude>META-INF/*.SF</exclude>
                <exclude>META-INF/*.DSA</exclude>
                <exclude>META-INF/*.RSA</exclude>
              </excludes>
            </filter>
          </filters>
        </configuration>

Explanation:

The above configuration filters all files in META-INF ending with .SF, .DSA, and .RSA for all artifacts (*:*) when creating uber-jar file.

The reason java.lang.SecurityException is raised is because some dependency jar files are signed jar files.  A jar file is signed by using jarsigner, which creates 2 additional files and places them in META-INF:
  • a signature file, with a .SF extension, and
  • a signature block file, with a .DSA, .RSA, or .EC extension.
Since the uber-jar file is created, the signatures and integrity of signed JAR files are no longer valid.  When the uber-jar file is executed, java.lang.SecurityException is thrown.

See jarsigner for detailed explanation of JAR Signing and Verification Tool.

17 comments:

  1. Hi
    Thanks so much for this pointer.
    However could you say why this needs to be added? It would be very helpful in understanding what exactly is going on in the background when this filter is added.
    Thanks
    KK

    ReplyDelete
  2. Really thanks for your tip. We are changing some builds from fat-jar to maven-shade and got some builds stopped working. Really thanks.

    ReplyDelete
  3. Thanks! you save me a lot of time.

    ReplyDelete
  4. Very useful and educative
    Thank you

    ReplyDelete
  5. Hi. I'm trying to use this configuration on my project and isn't working. I've pasted this code in every configuration element on my pom.xml file. Can you help me?

    Thanks in advance.

    Here the content of my pom.xml file:

    http://pastebin.com/XTtBJ8DN

    ReplyDelete
  6. Thanks! This should be under the configuration phase in the maven-shade-plugin build section.

    ReplyDelete
  7. I realise this is an old post... But thought I would ask if you had any other ideas?
    In that I have the code you mention here in my POM file and still get the security error when running my application.
    (Well not my application - but an example application for a Spark tutorial)

    And unhelpfully I am not a Java developer or a user of Maven, either.
    I am learning Scala and use SBT for builds.

    I don't know if it makes any difference at all - but I am using JDK8 and a Mac to build my app.

    ReplyDelete
  8. I am running standardalone program getting below error. Please advise. Thanks

    java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

    Nothing is there in MANIFEST file

    ReplyDelete
  9. Hey there, I am not sure if it will help you, specifically : But for me I got rid of the security error by ensuring that "Store Temporary Files" was unchecked.

    ReplyDelete
  10. Thanks for this blog post. When running in a controlled environment, this is a valid workaround.

    ReplyDelete