<div dir="ltr"><div><div><div><div><div><div><div>Hello,<br><br></div>after upgrading Java Web Start to 8u141 an application fails to start with a JAR verification error:<br><br>com.sun.deploy.net.JARSigningException: Signatur konnte nicht verifiziert werden in Ressource: <a href="http://localhost:10000/seeburger/app/commons-httpclient.jar">http://localhost:10000/seeburger/app/commons-httpclient.jar</a><br>    at com.sun.deploy.security.JarVerifier.authenticateJarEntry(Unknown Source)<br>    at com.sun.deploy.security.EnhancedJarVerifier.validate(Unknown Source)<br>    at com.sun.deploy.cache.CacheEntry.processJar(Unknown Source)<br>    at com.sun.deploy.cache.CacheEntry.access$2700(Unknown Source)<br>    at com.sun.deploy.cache.CacheEntry$7.run(Unknown Source)<br>    at java.security.AccessController.doPrivileged(Native Method)<br>    at com.sun.deploy.cache.CacheEntry.writeFileToDisk(Unknown Source)<br>    at com.sun.deploy.cache.CacheEntry.writeFileToDisk(Unknown Source)<br>    at com.sun.deploy.cache.Cache.downloadResourceToTempFile(Unknown Source)<br>    at com.sun.deploy.cache.Cache.downloadResourceToCache(Unknown Source)<br>    at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)<br>    at com.sun.deploy.net.DownloadEngine.downloadResource(Unknown Source)<br>    at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)<br>    at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)<br>    at com.sun.javaws.LaunchDownload$DownloadTask.call(Unknown Source)<br>    at java.util.concurrent.FutureTask.run(FutureTask.java:266)<br>    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)<br>    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)<br>    at java.lang.Thread.run(Thread.java:748)<br><br>java.lang.SecurityException: digest missing for org/apache/commons/httpclient<br>    at 
sun.security.util.ManifestEntryVerifier.verify(ManifestEntryVerifier.java:202)<br>    at java.util.jar.JarVerifier.processEntry(JarVerifier.java:243)<br>    at java.util.jar.JarVerifier.update(JarVerifier.java:211)<br>    at java.util.jar.JarVerifier$VerifierStream.&lt;init&gt;(JarVerifier.java:457)<br>    at java.util.jar.JarFile.getInputStream(JarFile.java:464)<br>    at com.sun.deploy.security.JarVerifier.authenticateJarEntry(Unknown Source)<br>    at com.sun.deploy.security.EnhancedJarVerifier.validate(Unknown Source)<br><br><br></div>If I use jarsigner -verify (from 8u141) on that file it does not show a problem. The file also worked with 8u131.<br><br></div>We signed that file ourselves and I am not sure when the broken entry is generated, it looks like:<br><br>Manifest-Version: 1.0<br>Ant-Version: Apache Ant 1.6.5<br>Built-By: oleg<br>Maven-Version: 1.1<br>Created-By: 1.5.0_11-b03 (Sun Microsystems Inc.)<br><br>Name: org/apache/commons/httpclient/Header.class<br>SHA-256-Digest: 5HHGzly6O0szGtB9rGU+bY2PXW54N9EmRkoz9g5QFEQ=<br>...<br>Name: org/apache/commons/httpclient/methods/multipart/PartSource.class<br>SHA-256-Digest: mk7TML731ZpUoSypwlvr2qtT67lwUgxl7FwSZ+/6B6s=<br><br>Name: org/apache/commons/httpclient<br>Implementation-Title: org.apache.commons.httpclient<br>Implementation-Version: 3.1<br>X-Compile-Target-JDK: 1.2<br>Specification-Vendor: Apache Software Foundation<br>Specification-Title: Jakarta Commons HttpClient<br>Implementation-Vendor-Id: org.apache<br>Extension-name: org.apache.commons.httpclient<br>X-Compile-Source-JDK: 1.2<br>Specification-Version: 3.1<br>Implementation-Vendor: Apache Software Foundation<br><br>Name: org/apache/commons/httpclient/methods/multipart/FilePart.class<br>SHA-256-Digest: uCUbczb7+sVYzJ+pxl+I6Qk3SBS6xeztmAOJvuUzmsM=<br>...<br><br></div>This structure is created by JAR signer because the original apache artifact manifest looks like this:<br><br>Manifest-Version: 1.0<br>Ant-Version: Apache Ant 1.6.5<br>Created-By: 1.5.0_11-b03 
(Sun Microsystems Inc.)<br>Built-By: oleg<br>Maven-Version: 1.1<br><br>Name: org/apache/commons/httpclient<br>Extension-name: org.apache.commons.httpclient<br>Specification-Title: Jakarta Commons HttpClient<br>Specification-Vendor: Apache Software Foundation<br>Specification-Version: 3.1<br>Implementation-Title: org.apache.commons.httpclient<br>Implementation-Vendor: Apache Software Foundation<br>Implementation-Version: 3.1<br>Implementation-Vendor-Id: org.apache<br>X-Compile-Source-JDK: 1.2<br>X-Compile-Target-JDK: 1.2<br><br></div>I think different jarsigner versions behave differently, some remove that section.<br><br></div><div>jarsigner -verify should be as strict as JWS. JWS should probably ignore sections like that like before.<br></div><div><br></div>Regards<br></div>Bernd<br><div><div><div><div><br><br><div><br><br></div></div></div></div></div></div>
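<div>Added example, not part of the original message and not code from the JDK: a pre-deployment check that lists every named manifest section carrying no <code>*-Digest</code> attribute, such as the <code>Name: org/apache/commons/httpclient</code> package section shown above, and whether that name is a file entry in the archive. The function names, the stand-in class bytes and the sample jar are constructed for illustration.</div>

```python
import base64, hashlib, io, zipfile

def named_sections(manifest_text):
    """Yield each per-entry section of a MANIFEST.MF as a dict (keys lower-cased)."""
    text = manifest_text.replace("\r\n", "\n").replace("\r", "\n")
    text = text.replace("\n ", "")            # join 72-byte continuation lines
    for block in text.split("\n\n"):
        attrs = {}
        for line in block.strip("\n").split("\n"):
            key, sep, value = line.partition(": ")
            if sep:
                attrs[key.lower()] = value
        if "name" in attrs:                   # the main section has no Name
            yield attrs

def sections_missing_digest(jar_bytes):
    """Return (name, is_file_entry) for each named section without a *-Digest attribute."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
        files = {n for n in jar.namelist() if not n.endswith("/")}
    return [(s["name"], s["name"] in files)
            for s in named_sections(manifest)
            if not any(k.endswith("-digest") for k in s)]

def build_sample_jar():
    """Constructed jar whose manifest has the same shape as the one in the message."""
    cls = b"constructed class bytes"          # stand-in, not a real class file
    digest = base64.b64encode(hashlib.sha256(cls).digest()).decode()
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "\r\n"
        "Name: org/apache/commons/httpclient/Header.class\r\n"
        f"SHA-256-Digest: {digest}\r\n"
        "\r\n"
        "Name: org/apache/commons/httpclient\r\n"   # package section, no digest
        "Implementation-Title: org.apache.commons.httpclient\r\n"
        "Implementation-Version: 3.1\r\n"
        "\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("org/apache/commons/httpclient/Header.class", cls)
    return buf.getvalue()

if __name__ == "__main__":
    for name, is_file in sections_missing_digest(build_sample_jar()):
        print(f"no digest: {name} (file entry in jar: {is_file})")
```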