locationtech/spatial4j

eclipse-jarsigner-plugin causing problems with shaded jar

hmottestad opened this issue · 6 comments

Hi,

I'm using RDF4J which uses your library deeper within. When I wrap everything in a shaded jar in the end I get a signature error.

I think it is because your jar is being signed with the eclipse jar signer plugin.

As far as I know, Bouncy Castle signs their jars to make sure that the crypto content isn't modified.

Is there any such sensitive information in your jar files (e.g. crypto implementations)?

Cheers,
Håvard

There is no sensitive information in the jar. Perhaps the shading process disturbs the content such that there's a signature error? Does this error occur for a particular file?

It occurs when executing the jar. Shading does break any signatures. It kinda unpacks and repacks the jars.

Here is a repo I created to show the issues down the line: https://github.com/hmottestad/signature-problem

run.sh builds and runs everything (use Java 8).

The pom.xml file contains some comments for a workaround.

Your JTS project uses PGP signing instead. This signing doesn’t sign the jar as forcefully. Could you switch to that way of signing for this project too?

And merry Christmas :)

I've made a PR: #169
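
The failure mode discussed in this thread, as an added example that is not part of the original thread or the linked repository: a Python check that reports signature files left inside a repacked jar and the signed entries the manifest can no longer vouch for. The class name, the `LIB.SF`/`LIB.RSA` file names and all jar contents are constructed for illustration; the check compares digests only and does not validate the cryptographic signature block.

```python
import base64, hashlib, io, re, zipfile

SIG_RE = re.compile(r"^META-INF/[^/]+\.(SF|RSA|DSA|EC)$", re.I)
MANIFEST = "META-INF/MANIFEST.MF"

def sections(text):
    """Parse manifest-style text into {entry name: attributes} for per-entry sections."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold continuation lines
    out = {}
    for block in text.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if "Name" in attrs:
            out[attrs["Name"]] = attrs
    return out

def b64sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def audit_jar(jar_bytes):
    """Return (signature files present, signed entries the manifest can no longer vouch for)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        sig_files = sorted(n for n in names if SIG_RE.match(n))
        manifest = sections(jar.read(MANIFEST).decode()) if MANIFEST in names else {}
        broken = set()
        for sf in (n for n in sig_files if n.upper().endswith(".SF")):
            for entry in sections(jar.read(sf).decode()):
                expected = manifest.get(entry, {}).get("SHA-256-Digest")
                if entry not in names or expected != b64sha256(jar.read(entry)):
                    broken.add(entry)
    return sig_files, sorted(broken)

def make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed sample data: hypothetical class name, dummy signature block bytes.
CLS, BODY = "org/example/Shape.class", b"\xca\xfe\xba\xbe constructed"
SF = f"Signature-Version: 1.0\n\nName: {CLS}\nSHA-256-Digest: placeholder\n\n"
SIGNED = make_jar({MANIFEST: f"Manifest-Version: 1.0\n\nName: {CLS}\nSHA-256-Digest: {b64sha256(BODY)}\n\n",
                   "META-INF/LIB.SF": SF, "META-INF/LIB.RSA": b"dummy", CLS: BODY})
# Shading repacks classes under a new manifest; the old .SF/.RSA ride along unless filtered out.
SHADED = {MANIFEST: "Manifest-Version: 1.0\nMain-Class: app.Main\n\n", "app/Main.class": b"x", CLS: BODY}
SHADED_RAW = make_jar({**SHADED, "META-INF/LIB.SF": SF, "META-INF/LIB.RSA": b"dummy"})
SHADED_FILTERED = make_jar(SHADED)

if __name__ == "__main__":
    print(audit_jar(SHADED_RAW))
```

A non-empty first element on a shaded artifact means signature files from a dependency survived repacking; excluding them at shade time, as in `SHADED_FILTERED`, leaves nothing for the verifier to reject.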