Technical Guide to Resolving JAR Signature Exceptions

Dec 03, 2025 · Programming · 14 views · 7.8

Keywords: Java | JAR | Signature | Exception | Maven | ANT

Abstract: This article provides an in-depth analysis of the 'Invalid signature file digest for Manifest main attributes' exception in Java JAR files. It covers the root causes involving signed dependency JARs and offers practical solutions using Maven, ANT, and manual methods to exclude signature files, ensuring smooth execution of uber-jars.

Introduction

In Java development, running a JAR file that includes dependencies can sometimes lead to security exceptions, such as the "Invalid signature file digest for Manifest main attributes" error. This article explores the causes and solutions for this issue, with a focus on practical configurations for build tools like Maven and ANT.

Problem Description

The error typically occurs when trying to execute a JAR file that has been created by bundling multiple dependencies into a single archive. The stack trace points to security verification failures during JAR file loading, indicating a mismatch in digital signatures.

Root Cause Analysis

The primary cause is the inclusion of signed JARs as dependencies. When these are merged into an uber-jar, the signature files (e.g., .SF, .DSA, .RSA in the META-INF directory) become invalid because they are tied to the original JAR structure. The Java security manager detects this discrepancy and throws a SecurityException.

Solutions

Using Maven

For Maven projects, the maven-dependency-plugin can be configured to unpack dependencies and exclude signature files. Here's an example configuration:

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-dependency-plugin</artifactId>
    <version>2.6</version>
    <executions>
        <execution>
            <id>unpack-dependencies</id>
            <phase>package</phase>
            <goals>
                <goal>unpack-dependencies</goal>
            </goals>
            <configuration>
                <excludeScope>system</excludeScope>
                <excludes>META-INF/*.SF,META-INF/*.DSA,META-INF/*.RSA</excludes>
                <excludeGroupIds>junit,org.mockito,org.hamcrest</excludeGroupIds>
                <outputDirectory>${project.build.directory}/classes</outputDirectory>
            </configuration>
        </execution>
    </executions>
</plugin>

This setup ensures that during the packaging phase, the signature files are omitted from the final JAR.

Using ANT

In ANT builds, the jar task can be configured to exclude signature files from dependency JARs. Example:

<jar destfile="app.jar" basedir="${classes.dir}">
    <zipfileset excludes="META-INF/**/*" src="${lib.dir}/bcprov-jdk16-145.jar"></zipfileset>
    <manifest>
        <attribute name="Main-Class" value="app.Main"/>
    </manifest>
</jar>

This approach directly filters out the META-INF directory from specified JARs.

Using Maven Shade Plugin

An alternative for Maven is the maven-shade-plugin, which can create uber-jars with filters. Configuration example:

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-shade-plugin</artifactId>
    <version>3.2.4</version>
    <executions>
        <execution>
            <phase>package</phase>
            <goals>
                <goal>shade</goal>
            </goals>
            <configuration>
                <minimizeJar>true</minimizeJar>
                <filters>
                    <filter>
                        <artifact>*:*</artifact>
                        <excludes>
                            <exclude>META-INF/*.SF</exclude>
                            <exclude>META-INF/*.DSA</exclude>
                            <exclude>META-INF/*.RSA</exclude>
                        </excludes>
                    </filter>
                </filters>
            </configuration>
        </execution>
    </executions>
</plugin>

This plugin automatically excludes signature files during the shading process.

Manual Method

For quick fixes, signature files can be manually removed using command-line tools. For example, on Unix-like systems:

zip -d jarfile.jar 'META-INF/.SF' 'META-INF/.RSA' 'META-INF/*SF'

This command deletes the specified files from the JAR, but it's a one-time solution and may not be suitable for automated builds.

How to Identify Signed JARs

To determine if a JAR is signed, inspect its contents for files in the META-INF directory with extensions like .SF, .DSA, .RSA, or other algorithm-specific files. Alternatively, use the jarsigner tool:

jarsigner -verify jarname.jar

If the output indicates "verified", the JAR is signed. In the context of the original problem, the "sqljdbc4.jar" was identified as a signed dependency.

Conclusion

Resolving the "Invalid signature file digest" exception involves excluding signature files from signed dependency JARs when creating uber-jars. By using appropriate build tool configurations or manual methods, developers can ensure that their applications run without security interruptions. This approach maintains the integrity of the build process while adhering to Java security standards.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.