2010/06/26

Invalid signature file digest for Manifest main attributes

For obvious reasons, security is a must when it comes to computers nowadays. I am not much into security, but I had to deal with it anyway. For the last couple of days I have been working with signed JAR files, and my Java compiler suddenly said: "Invalid signature file digest for Manifest main attributes".

This was because some JAR files were not signed correctly: I needed to remove signatures, and my automated tool for signature removal was broken. Fine, but which files were in bad condition? I was not able to make my compiler tell me. My class path was something like 10kB of text and the day was almost over...

Signatures and certificates in a JAR file are stored in the META-INF directory, in files with the .SF, .DSA, and .RSA extensions. All one needs to do to "unsign" a JAR file is to delete those files. Note that some information is in MANIFEST.MF as well, but it is not necessary to remove it until you want to sign the JAR file again.

It is pretty straightforward, so what can go wrong? It was my fault: I assumed that all JAR files in my application used the same certificate file. I did not delete all .RSA files, just something like PRODUCT.RSA.

But it took me a while to realize what was wrong. Here is a command that can help you find a broken JAR file:

find . -name '*.jar' -exec echo {} \; -exec jarsigner -verify {} \;

It is definitely a pity that the Java compiler (Sun JDK 1.6) does not print the name of the problematic file.
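
The following Python code is an added example, not part of the original post. It lists the signature files left in a JAR's META-INF directory, flags signers whose file set is incomplete, and removes every signature file by extension instead of by name, which avoids the mistake described above. The function names, the constructed sample JAR and the extra .EC extension are assumptions of this example.

```python
import re
import zipfile

# Signature-related entries live directly in META-INF/. .SF/.DSA/.RSA are the
# extensions named in the post; .EC (ECDSA signature blocks) is added here.
SIG_RE = re.compile(r"^META-INF/([^/]+)\.(SF|DSA|RSA|EC)$", re.IGNORECASE)


def signers(jar_path):
    """Map each signer base name to the set of extensions found for it."""
    found = {}
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            m = SIG_RE.match(name)
            if m:
                found.setdefault(m.group(1).upper(), set()).add(m.group(2).upper())
    return found


def leftovers(jar_path):
    """Return signer names whose file set is incomplete (half-removed)."""
    bad = []
    for base, exts in sorted(signers(jar_path).items()):
        has_sf = "SF" in exts
        has_block = bool(exts - {"SF"})
        if has_sf != has_block:  # .SF without a block file, or the reverse
            bad.append(base)
    return bad


def unsign(src, dst):
    """Copy src to dst, dropping every signature file whatever its base name."""
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            if not SIG_RE.match(info.filename):
                zout.writestr(info, zin.read(info.filename))


def build_sample(path):
    """Constructed sample: a two-signer JAR after deleting only PRODUCT.RSA."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/PRODUCT.SF", "Signature-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/VENDOR.SF", "Signature-Version: 1.0\r\n\r\n")
        jar.writestr("META-INF/VENDOR.RSA", b"\x30\x00")  # placeholder, not a real PKCS#7 block
        jar.writestr("com/example/A.class", b"\xca\xfe\xba\xbe")
```

Any JAR for which signers() is non-empty after the removal step still carries signature files and is a candidate for the error in the title.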
