试图运行 jar 文件时,Manifest 主属性异常的签名文件摘要无效

我尝试运行我的项目的 jar 文件。我正在使用 intelliJ 并使用工件来生成 jar 文件。但是每次我尝试运行我的 jar 文件,它给了我例外。

java.lang.SecurityException: Invalid signature file digest for Manifest main attributes
at sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVerifier.java:284)
at sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:238)
at java.util.jar.JarVerifier.processEntry(JarVerifier.java:316)
at java.util.jar.JarVerifier.update(JarVerifier.java:228)
at java.util.jar.JarFile.initializeVerifier(JarFile.java:383)
at java.util.jar.JarFile.getInputStream(JarFile.java:450)
at sun.misc.JarIndex.getJarIndex(JarIndex.java:137)
at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:839)
at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:831)
at java.security.AccessController.doPrivileged(Native Method)
at sun.misc.URLClassPath$JarLoader.ensureOpen(URLClassPath.java:830)
at sun.misc.URLClassPath$JarLoader.<init>(URLClassPath.java:803)
at sun.misc.URLClassPath$3.run(URLClassPath.java:530)
at sun.misc.URLClassPath$3.run(URLClassPath.java:520)
at java.security.AccessController.doPrivileged(Native Method)
at sun.misc.URLClassPath.getLoader(URLClassPath.java:519)
at sun.misc.URLClassPath.getLoader(URLClassPath.java:492)
at sun.misc.URLClassPath.getNextLoader(URLClassPath.java:457)
at sun.misc.URLClassPath.getResource(URLClassPath.java:211)
at java.net.URLClassLoader$1.run(URLClassLoader.java:365)
at java.net.URLClassLoader$1.run(URLClassLoader.java:362)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:361)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:495)
Error: A JNI error has occurred, please check your installation and try again
Exception in thread "main"

这是我的清单文件:

Manifest-Version: 1.0
Main-Class: Main

该项目的外部库:

enter image description here

135096 次浏览
小开
最佳答案

Some of your dependency JARs is a signed JAR, so when you combine then all in one JAR and run that JAR then signature of the signed JAR doesn't match up and hence you get the security exception about signature mis-match.

To fix this you need to first identify which all dependency JARs are signed JARs and then exclude them. Depending upon whether you are using MAVEN or ANT, you have to take appropriate solution. Below are but you can read more here, here and here.

Maven:

<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<version>2.6</version>
<executions>
<execution>
<id>unpack-dependencies</id>
<phase>package</phase>
<goals>
<goal>unpack-dependencies</goal>
</goals>
<configuration>
<excludeScope>system</excludeScope>
<excludes>META-INF/*.SF,META-INF/*.DSA,META-INF/*.RSA</excludes>
<excludeGroupIds>junit,org.mockito,org.hamcrest</excludeGroupIds>
<outputDirectory>${project.build.directory}/classes</outputDirectory>
</configuration>
</execution>
</executions>
</plugin>

ANT:

<jar destfile="app.jar" basedir="${classes.dir}">
<zipfileset excludes="META-INF/**/*" src="${lib.dir}/bcprov-jdk16-145.jar"></zipfileset>
<manifest>
<attribute name="Main-Class" value="app.Main"/>
</manifest>
</jar>

Update based on OP's comment:

"sqljdbc4.jar" was the signed JAR in OP's external libraries. So, following above approach to systematically exclude the signature related files like .SF, .RSA or .DES or other algorithms files is the right way to move forward.

If these signature files are not excluded then security exception will occur because of signature mismatch.

How to know if a JAR is signed or not?: If a JAR contains files like files like .SF, .RSA or .DES or other algorithms files, then it is a signed JAR. Or run jarsigner -verify jarname.jar and see if it outputs "verified"

小开

Instead of deleting the META-INF file, I changed the method in the Artifact definition. I deleted the "Extracted" library from the Artifact and added it again as "Put into Output Root".

This way the library will be incorporated without any changes in the new jar file, which I assume is the objective of signing the library...

By the way, I am also using the sqljdbc.jar.

小开

In my case, I am working with an uber-jar via maven-shade-plugin and @ruhsuzbaykus answer here was the solution. The strategy seems very similar to what @hagrawal proposes but the exclusions are added as a filter configuration of maven-shade-plugin.

小开

For the same problem,I have done clean install and issue gone. So clean install is one option by which you can build with fresh downloaded jars.

小开

just filter the signature files from your uber jar

 <plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-shade-plugin</artifactId>
<version>3.2.4</version>
<executions>
<execution>
<phase>package</phase>
<goals>
<goal>shade</goal>
</goals>
<configuration>
<minimizeJar>true</minimizeJar>
<filters>
<filter>
<artifact>*:*</artifact>
<excludes>
<exclude>META-INF/*.SF</exclude>
<exclude>META-INF/*.DSA</exclude>
<exclude>META-INF/*.RSA</exclude>
</excludes>
</filter>
</filters>
</configuration>
</execution>
</executions>
</plugin>
小开

In the compiled jar need to delete the security signed files. To do this follow this command

zip -d jarfile.jar 'META-INF/.SF' 'META-INF/.RSA' 'META-INF/*SF'

小开

I've added below lines to my build.gradle.kts and it resolved the issue

tasks.withType<org.gradle.jvm.tasks.Jar>() {
exclude("META-INF/BC1024KE.RSA", "META-INF/BC1024KE.SF", "META-INF/BC1024KE.DSA")
exclude("META-INF/BC2048KE.RSA", "META-INF/BC2048KE.SF", "META-INF/BC2048KE.DSA")
}
小开

In my case, without use gradle or maven for build, I create Artifacts as Jar type enter image description here

After build Artifacts, I get a result is a jar file. I rename it to .rar (or .zip) and open it as archive file, then find META-INF folder and delete all find with .SF, .DSA, .RSA extension, rearchive it again and rename to .jar. DONE.

小开

Based on Venryx's comment, you can just open the jar file as an archive in 7-Zip and delete the .RSA, .SF, and .DSA files directly. You can rebuild your artifact which depended on the signed library afterwards and the error should go away.

小开

For anyone working with an Android gradle application, you can resolve this by excluding the files in build.gradle in the packagingOptions section.

Here is an example:

packagingOptions {
exclude 'META-INF/LICENSE'
exclude 'META-INF/LICENSE.txt'
exclude 'META-INF/MSFTSIG.SF'
exclude 'META_INF/ECLIPSE_.SF'
exclude("META-INF/*.kotlin_module")
}

Note: for some reason using regular expression (META-INF/*.SF) didn't work for me. So I have to give the complete name to work.

小开

I had the same problem when running the application. At build step maven shade plugin warned me about overlapped resources. I realized that I have redundant jar dependency. After removing it, the problem was resolved.

 [INFO] Skipping pom dependency com.sun.xml.ws:jaxws-ri:pom:2.3.2 in the shaded jar.
[WARNING] Discovered module-info.class. Shading will break its strong encapsulation.
...
...


[WARNING] maven-shade-plugin has detected that some class files are
[WARNING] present in two or more JARs. When this happens, only one
[WARNING] single version of the class is copied to the uber jar.

提交答案