security exceptions after jar repacking

Magnus Warker

Hi,

I want to deploy my application as a single jar file. Therefore, I unpacked
all jars that are used as libraries together with my classes and created a
new jar that contains my classes and all contents from the other jars.

When the application is then started (java -jar myapp.jar), I get a security
exception telling me that there are wrong entries in the manifest file for
some classes.

Has someone done this before? I just want my app to reside in a single jar
file.

Regards,
Magnus
 
Tom Hawtin

Magnus said:
I want to deploy my application as a single jar file. Therefore, I unpacked
all jars that are used as libraries together with my classes and created a
new jar that contains my classes and all contents from the other jars.

When the application is then started (java -jar myapp.jar), I get a security
exception telling me that there are wrong entries in the manifest file for
some classes.

What is the exact message you are getting? And what's in the relevant
section of the manifest?

Are one or more of the jars signed? All the files in a jar should be
signed together (there is an option to allow partial signing, but I
would strongly discourage its use).

Tom Hawtin
 
Magnus Warker

Dear Tom,

thank you for your reply.

I have copied the exact error message below:

--- Error Message Begin ---
Exception in thread "main" java.lang.SecurityException: no manifiest section for signature file entry javax/mail/internet/AsciiOutputStream.class
        at sun.security.util.SignatureFileVerifier.verifySection(Unknown Source)
        at sun.security.util.SignatureFileVerifier.processImpl(Unknown Source)
        at sun.security.util.SignatureFileVerifier.process(Unknown Source)
        at java.util.jar.JarVerifier.processEntry(Unknown Source)
        at java.util.jar.JarVerifier.update(Unknown Source)
        at java.util.jar.JarFile.initializeVerifier(Unknown Source)
        at java.util.jar.JarFile.getInputStream(Unknown Source)
        at sun.misc.URLClassPath$JarLoader$1.getInputStream(Unknown Source)
        at sun.misc.Resource.cachedInputStream(Unknown Source)
        at sun.misc.Resource.getByteBuffer(Unknown Source)
        at java.net.URLClassLoader.defineClass(Unknown Source)
        at java.net.URLClassLoader.access$100(Unknown Source)
        at java.net.URLClassLoader$1.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)
        at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)
        at java.lang.ClassLoader.loadClassInternal(Unknown Source)
--- Error Message End ---



The application uses the following jar libraries for mail processing:

        activation.jar
        commons-email-1.0.jar
        mail.jar

I have tried to create the new jar with an empty manifest file, or to merge
the manifest files from the jar libraries, but nothing worked.

If it was possible, I would prefer to do it without signatures. I just want
to deploy one single jar file.


The repacking is done with an ant script. This script unpacks all jars in a
temporary folder and repacks them together with the application class files
using the following command:

        <jar jarfile="${basedir}/ship/myApp.jar"
                filesetmanifest="merge">
                
                <fileset dir="${basedir}/cls">
                </fileset>
                        
                <fileset dir="${basedir}/tmp">
                </fileset>
                        
                <manifest>
                        <attribute name="Main-Class" value="myApp.Application" />
                </manifest>
        </jar>


Any hints are welcome!

Regards
Magnus
 
Tom Hawtin

Magnus said:
Exception in thread "main" java.lang.SecurityException: no manifiest section for signature file entry javax/mail/internet/AsciiOutputStream.class
at sun.security.util.SignatureFileVerifier.verifySection(Unknown Source)
at sun.security.util.SignatureFileVerifier.processImpl(Unknown Source)
at sun.security.util.SignatureFileVerifier.process(Unknown Source)
at java.util.jar.JarVerifier.processEntry(Unknown Source)
at java.util.jar.JarVerifier.update(Unknown Source)

Looks like you still have files in META-INF from the original jars that
deal with signing. In particular, remove files with the .SF extension,
as well as any other junk. (There are a number of files to do with
signing: there are signatures in the manifest, then that is signed by
another file and another file signs that file...)

Tom Hawtin
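
A diagnostic for the condition behind this exception, as an added example that is not part of the original thread: it lists the signing files left directly under META-INF/ in a repacked jar and reports .SF entries that have no matching per-entry section in MANIFEST.MF. The jar built by `build_sample_jar` and the `EXAMPLE.SF` / `EXAMPLE.RSA` names are constructed for illustration.

```python
import io
import zipfile

# Signature-related names the JAR format reserves directly under META-INF/.
SIG_SUFFIXES = (".SF", ".DSA", ".RSA", ".EC")

def section_names(text):
    """Return the Name: values of the per-entry sections in a manifest or .SF file."""
    # Normalise line endings, then unfold continuation lines (newline + one space).
    text = text.replace("\r\n", "\n").replace("\r", "\n").replace("\n ", "")
    return {ln[len("Name: "):] for ln in text.split("\n") if ln.startswith("Name: ")}

def is_signing_file(name):
    upper = name.upper()
    if not upper.startswith("META-INF/") or upper.count("/") != 1:
        return False
    return upper.endswith(SIG_SUFFIXES) or upper.startswith("META-INF/SIG-")

def audit_jar(jar):
    """Return (signing files found, {sf_file: entries with no manifest section})."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        signing = sorted(n for n in names if is_signing_file(n))
        manifest = set()
        if "META-INF/MANIFEST.MF" in names:
            manifest = section_names(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        orphans = {}
        for sf in (n for n in signing if n.upper().endswith(".SF")):
            missing = sorted(section_names(zf.read(sf).decode("utf-8")) - manifest)
            if missing:
                orphans[sf] = missing
    return signing, orphans

def build_sample_jar():
    """Constructed sample: a repacked jar that kept a library's .SF/.RSA files
    but whose manifest has no per-entry section for the signed class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: myApp.Application\r\n\r\n")
        zf.writestr("META-INF/EXAMPLE.SF",  # constructed signer name
                    "Signature-Version: 1.0\r\n\r\n"
                    "Name: javax/mail/internet/AsciiOutputStream.class\r\n"
                    "SHA1-Digest: constructed-placeholder\r\n\r\n")
        zf.writestr("META-INF/EXAMPLE.RSA", b"constructed placeholder")
        zf.writestr("javax/mail/internet/AsciiOutputStream.class", b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(audit_jar(build_sample_jar()))
```

A jar from which the listed signing files have been removed is unsigned, so none of its entries are verified when classes are loaded.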
 
Lars Enderin

Magnus Warker wrote:
Dear Tom,

thank you for your reply.

I have copied the exact error message below:

--- Error Message Begin ---
Exception in thread "main" java.lang.SecurityException: no manifiest section

Strange spelling of "manifest". Did you really copy the message exactly?
 
Tom Hawtin

Lars said:
Magnus Warker wrote:

Strange spelling of "manifest". Did you really copy the message exactly?

He'd have to have been really bored to copy out the entire exception
stack trace...

/home/tackline/sun/src-6-u1-03/j2se/src/share/classes/sun/security/util/SignatureFileVerifier.java:
"no manifiest section for signature file entry "+name);

Perhaps it was written by a Spaniard. If it worries you that much, you
could log a bug in the Bug Parade.

Tom Hawtin
 
Lars Enderin

Tom Hawtin wrote:
He'd have to have been really bored to copy out the entire exception
stack trace...

/home/tackline/sun/src-6-u1-03/j2se/src/share/classes/sun/security/util/SignatureFileVerifier.java:
"no manifiest section for signature file entry "+name);

Perhaps it was written by a Spaniard. If it worries you that much, you
could log a bug in the Bug Parade.

I'm not worried. I was aware of the possibility that the spelling error
was in the software, but I asked anyway to make sure.
 
Esmond Pitt

Magnus said:
I want to deploy my application as a single jar file. Therefore, I unpacked
all jars that are used as libraries together with my classes and created a
new jar that contains my classes and all contents from the other jars.

If any of the library JARS are signed and check themselves, or are
checked by something else, or have META-INF/ entries other than
manifests, you basically cannot do this at all.
 
Magnus Warker

Dear Tom,

I once made a try and deleted nearly everything in the META-INF folder,
which was collected when extracting all the jar libraries.

I think this resulted in another error message. I'll check this later and
then also post this result.

The problem came up when I added JavaMail to my application, which needs the
jar files I listed. I believe that this does something with signatures.

Thank you,
Magnus
 
Magnus Warker

Dear Esmond,

does this mean that I have to deploy my application together with the jar
libraries as a bunch of files?

Can't I switch off signature checking somehow?

Thank you,
Magnus
 
KnightFire

Dear Esmond,

does this mean that I have to deploy my application together with the jar
libraries as a bunch of files?

Can't I switch off signature checking somehow?

You have to deploy any libraries that your application references in
separate jar files (the ones they came in). Extracting them and adding
them to your own jar file will cause all sorts of legal/licensing
issues (unless all the libraries, plus your application are issued
under similar licenses, and all the licenses are packaged in the jar
file and identify which individual class files they cover).

You should distribute your application in a zip or other archive, that
when extracted creates your application jar file, plus those of any
libraries you reference (and their licenses). Then use the Class-Path
element in the manifest file of your application jar to tell it to
load classes from the other jar files.

See http://java.sun.com/docs/books/tutorial/deployment/jar/downman.html
KF
 
Chris Smith

Magnus Warker said:
I want to deploy my application as a single jar file. Therefore, I unpacked
all jars that are used as libraries together with my classes and created a
new jar that contains my classes and all contents from the other jars.

When the application is then started (java -jar myapp.jar), I get a security
exception telling me that there are wrong entries in the manifest file for
some classes.

Okay, so you need to preserve some manifest entries for files in the
JAR. That isn't a really easy thing to do by hand.

Are you sure you need to do this? Note that in addition to the
technical problems you're running into, this is often in violation of
your agreements with library authors.
 
Magnus Warker

Dear Chris & KnightFire,

thank you for these notes. As a workaround I did it the way you told it, and
I think I have to leave it that way, although it would have been more nice
if everything were in one file.

Thank you,
Magnus
 
Andrew Thompson

Magnus Warker wrote:
..
...although it would have been more nice
if everything were in one file.

Nice for who? If you want to make it nice for the
end user, look to web start. 'One click'* install.

* Prompted for more choices and options, depending
on the launch file.
 
Magnus Warker

Dear Andrew,

but in this case I have to provide a web server, right?

Regards,
Magnus
 
Andrew Thompson

Magnus Warker wrote:
..

Please refrain from top-posting, I find it very confusing.
..
but in this case I have to provide a web server, right?

No. JWS is primarily aimed at web servers, but
applications can also be installed from a disk.

(Besides, with the number of places offering free
web space, it is not too difficult to get a server.)
 
