Login/Register
Signer information does not match
Asked Answered
Solved javajar
D

7

25

I'm receiving the following error on log file.

(java.lang.SecurityException: class "com.adventnet.snmp.snmp2.SecurityModelTable"'s signer information does not match signer information of other classes in the same package thrown

The thing is when I run the below command, it says the jar is verified.

/usr/jdk/instances/jdk1.5.0/bin/jarsigner -verify -verbose Jarfile.jar

If the jar file is verified then how can this problem occur?

Durfee answered 16/1, 2012 at 9:39 Comment(0)
P
24

It means that you have two or more classes in the same package with different signature data. Usually that means the classes come from different JARs, one of which is signed and the other is unsigned.

Prudhoe answered 16/1, 2012 at 9:42 Comment(12)
But how can this jar is verified then ? Shouldn t it fail the verification ?Durfee
@mibzer: No, that's a different kind of verification. Jarsigner only verifies that particular JAR. The Java runtime works with many JARs and checks whether they are compatible. If it allowed code from a different source in the same package as a signed JAR, it would weaken the security guarantees implied by the signature.Prudhoe
So you mean that, some other jar files my contain same class, doing some work but different signature data. And that cause a security issue and exception thrown right ?Durfee
There's quite possibly two versions of the jar being loaded. Possibly one is in a parent class loader of the other (say, one in a common library area and one in the application).Mantua
@mibzer: Basically yes. But as the exception says, it can be any class in the same pacakge, and it may be in a folder structure rather than a JAR. And that class may have no signature at all rather than a different one.Prudhoe
That is really interesting, thanks much. I guess I will grep and try to find which file or directory is containing related class.Durfee
@Michael Borgwardt, I still have problem, actually I grepped all file system and didnt found other classes. I will be appreciated if you have a solution.Durfee
@mibzer: Just an idea: you could run the application in debug mode and put a breakpoint in the constructor of java.lang.SecurityException, then look through the variables throughout the stack to find out where the colliding classes are defined.Prudhoe
@Michael, that would be really great but actually I dont have permission to run or debug code :( . Application is running on server system. And I am trying to resolve problem by editing configurations.Durfee
@mibzer: well, I'm out of ideas. Double-check if you've looked everywhere for classes in the com.adventnet.snmp.snmp2 package - I'm not sure that grepping for them will find them inside JARs.Prudhoe
@MichaelBorgwardt we have finally resolved the issue. There was an expired jar file which loaded to classpath. Actually this file was belong to earlier version of our software. But we dont how it stayed there. Thanks for you replies.Durfee
This thread helped me track down my instance of this problem: #11577579.Palladino
H
25

Check the pom dependency tree for same packages of different versions.

I had this issue with itext-2.1.7 including old bouncycastle's bcpkix that was included in a later version elsewhere.

Use this pattern:

<dependency>
  package X
  <exclusions>
    <exclusion>
      old package Y
    </exclusion>
  </exclusions>
</dependency>

<dependency>
  latest package Y
</dependency>

Update: To check the dependency tree details of package_Y you can use mvn dependency:tree -Dverbose -Dincludes=package_Y. For more info check maven documentation on resolving dependency tree problems. Also Eclipse has quite a nice dependency tree viewer.

Hyperthyroidism answered 22/3, 2013 at 10:27 Comment(0)
P
24

It means that you have two or more classes in the same package with different signature data. Usually that means the classes come from different JARs, one of which is signed and the other is unsigned.

Prudhoe answered 16/1, 2012 at 9:42 Comment(12)
But how can this jar is verified then ? Shouldn t it fail the verification ?Durfee
@mibzer: No, that's a different kind of verification. Jarsigner only verifies that particular JAR. The Java runtime works with many JARs and checks whether they are compatible. If it allowed code from a different source in the same package as a signed JAR, it would weaken the security guarantees implied by the signature.Prudhoe
So you mean that, some other jar files my contain same class, doing some work but different signature data. And that cause a security issue and exception thrown right ?Durfee
There's quite possibly two versions of the jar being loaded. Possibly one is in a parent class loader of the other (say, one in a common library area and one in the application).Mantua
@mibzer: Basically yes. But as the exception says, it can be any class in the same pacakge, and it may be in a folder structure rather than a JAR. And that class may have no signature at all rather than a different one.Prudhoe
That is really interesting, thanks much. I guess I will grep and try to find which file or directory is containing related class.Durfee
@Michael Borgwardt, I still have problem, actually I grepped all file system and didnt found other classes. I will be appreciated if you have a solution.Durfee
@mibzer: Just an idea: you could run the application in debug mode and put a breakpoint in the constructor of java.lang.SecurityException, then look through the variables throughout the stack to find out where the colliding classes are defined.Prudhoe
@Michael, that would be really great but actually I dont have permission to run or debug code :( . Application is running on server system. And I am trying to resolve problem by editing configurations.Durfee
@mibzer: well, I'm out of ideas. Double-check if you've looked everywhere for classes in the com.adventnet.snmp.snmp2 package - I'm not sure that grepping for them will find them inside JARs.Prudhoe
@MichaelBorgwardt we have finally resolved the issue. There was an expired jar file which loaded to classpath. Actually this file was belong to earlier version of our software. But we dont how it stayed there. Thanks for you replies.Durfee
This thread helped me track down my instance of this problem: #11577579.Palladino
M
3

I encountered this exception while running a Scala/Spark project in Eclipse (Mars) on Windows and it prevented me from debugging and running the project in the IDE. The project used a Maven pom.xml file. It took a while to resolve, so I'm posting detailed steps here to help others:

  1. Go to the folder where your project pom.xml file is
  2. Run the command: mvn dependency:tree -Dverbose >Depends.Txt Make sure you don't have a Depends.Txt or it will be overwritten!
  3. Search in the Depends.Txt file for the unsigned class that the Eclipse IDE is complaining about. In my case, it was javax.servlet.

  4. You may find it in a section that looks like this:

    +- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.6.0:provided

    +- javax.servlet:servlet-api:jar:2.5:provided

  5. The Maven group ID that you want to exclude the duplicate class from in the above is: hadoop-mapreduce-client-core

  6. Add an exclusions section listing the groupid of the exclusion in the pom.xml after the offending package. In my case, this was the groupid javax.servlet.

  7. Note that you can't resolve this issue by reordering the Java build path as some have posted for a similar problem.

Mercurous answered 20/11, 2015 at 22:18 Comment(0)
M
2

In my program, I have loaded two versions of the same package. One is boprov-jdk15-140.jar, the other is bcprov-jdk15-151.jar. The two are conflicted.

In the JAR package's MANIFEST.MF file, it has the following digest:

Name: org/bouncycastle/crypto/digests/SM3Digest.class
SHA1-Digest: xxxxxxxx

The two JAR files have different SHA1-Digest info.

Mcadoo answered 12/5, 2017 at 6:6 Comment(0)
N
1

I encountered this issue in a Spring boot application. My issue was that I had JUnit on the build path which has Org.hamcrest.Matchers.* and Hamcrest which was resident in the library of the Spring framework in my pom.xml for the Eclipse repository. What I did was remove JUnit from my build path and included it only in my pom.xml. My application depended on Maven for JUnit and the *Matchers, so somehow you have two jars for one need, maybe as a library and as a configuration file.

Nether answered 23/7, 2019 at 20:6 Comment(0)
B
0

In my case I had:

Caused by: java.lang.SecurityException: class "org.bouncycastle.util.Strings"'s signer information does not match signer information of other classes in the same package

It was a project with a lot of dependencies and the mvn dependency:tree information did not really helped me.

Here is how I solved my issue:

  • I did a search "Find in files" using notepad++ on all the M2_REPO
  • I found a project which redefined "Strings" class in a package exactly identical to "org.bouncycastle.util.Strings" which should originate from the "org.bouncycastle:bcprov-jdk15on" dependency.
  • Once found, I moved all of these problematic classes in a new package and updated this project version.
  • Finally I updated the pom of the project which caused me trouble in the first place to use my dependency that uses the new package name.

Problem solved.

Beal answered 4/12, 2017 at 20:41 Comment(0)
S
-1

I had the following error:

java.lang.SecurityException: class “org.bouncycastle.asn1.ASN1ObjectIdentifier”‘s signer information does not match signer information of other classes in the same package

I was facing this exception when I was trying to make a PDF password protected.

I added the below jars to resolve the problem.

◾itextpdf-5.2.1.jar ◾bcmail-jdk16-1.46.jar ◾bcprov-jdk16-1.46.jar ◾bctsp-jdk16-1.46.jar

Snell answered 14/12, 2016 at 9:25 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.