
"invalid signature file" when attempting to run a .jar

by Alex Kataev · Nov 2, 2024
TLDR

To resolve the infamous "Invalid signature file" error, strip away the signature files within the META-INF directory in your .jar. Proceed with this universal command:

zip -d yourApp.jar 'META-INF/*.SF' 'META-INF/*.DSA' 'META-INF/*.RSA'

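Replace yourApp.jar with your JAR's actual name, and breathe a sigh of relief while running your JAR without signing hurdles. Keep in mind that the result is an unsigned JAR: with the signature files gone, the JVM no longer verifies its contents against a signature.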

Conflict resolution based on Build tools

Maven: Configure maven-shade-plugin

Using Maven? Shield yourself from java.lang.SecurityException by configuring the maven-shade-plugin to filter out signature files. Here's the essential pom.xml snippet you need:

<configuration>
    <filters>
        <filter>
            <artifact>*:*</artifact>
            <!-- Exclude those sneaky signature files -->
            <excludes>
                <exclude>META-INF/*.SF</exclude>
                <exclude>META-INF/*.DSA</exclude>
                <exclude>META-INF/*.RSA</exclude>
            </excludes>
        </filter>
    </filters>
</configuration>

Gradle: Leverage zipTree and configurations.compile.collect

If you've drunk the Gradle Kool-Aid, use zipTree and configurations.compile.collect to keep signature files out of your compiled JAR. Here is the Gradle equivalent:

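// Gradelize your jar without signature files
// (the 'compile' configuration was removed in Gradle 7; newer builds use configurations.runtimeClasspath)
jar {
    from {
        configurations.compile.collect { it.isDirectory() ? it : zipTree(it) }
    } {
        exclude "META-INF/*.SF"
        exclude "META-INF/*.DSA"
        exclude "META-INF/*.RSA"
    }
}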

Ant: Merge with <jar> and <zipgroupfileset>

Have an Ant-based project? Merging JAR files while excluding signature files is a piece of cake with the <jar> and <zipgroupfileset> tasks. Just drop in:

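<!-- zipgroupfileset's excludes filters the JAR files themselves, not their entries, so merge first -->
<jar destfile="merged-temp.jar">
    <zipgroupfileset dir="lib" includes="*.jar" />
</jar>
<jar destfile="yourApp.jar">
    <!-- Don't add extra calories with signature files -->
    <zipfileset src="merged-temp.jar" excludes="META-INF/*.SF, META-INF/*.DSA, META-INF/*.RSA" />
</jar>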

Advanced strategies: Navigate the jar signing storm

Manifest dependencies: Leave Bouncy Castle alone

Relying on Bouncy Castle or similar signed libraries? Remember: don't touch their cookies. Leave their signed JARs unmodified and add them as manifest dependencies instead of merging them into your own JAR. This approach preserves their authenticity and keeps signature woes at bay.

Class-loading and JAR hiccups: Smoother management

Dealing with class-loading and JAR conflicts? Remember to focus on crucial service provider configurations and maintain your 'Main-Class' integrity. As for other metadata, keep it simple; discard the fluffy stuff.

Two-step jar creation: Consistency is key

When creating your JAR files, consider a two-step creation process using Ant, including a <sleep> task between the steps. Just a quick power nap to ensure file modifications are synchronized and signature mismatches are avoided.

Signed JARs: Navigate with care

Need to merge several JAR files with different existing signatures and manifests? Look up mail archives for how developers have dealt with similar scenarios. Why reinvent the wheel?
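Before stripping signatures from a merged JAR, it helps to confirm that they are actually stale rather than throwing away a valid signature. The following is an added example, not code from the original article: it compares each .SF file's whole-manifest digest with the MANIFEST.MF in the archive and writes a stripped copy instead of editing in place. The function names and the sample JAR (including its placeholder .RSA entry) are constructed for illustration, and the check is a quick triage, not full signature verification.

```python
import base64, hashlib, io, re, zipfile
# The article's three patterns, matched only directly under META-INF/.
SIG_RE = re.compile(r"^META-INF/[^/]+\.(SF|DSA|RSA)$", re.IGNORECASE)

def audit_signatures(jar_bytes):
    """Map each .SF file to True if its whole-manifest digest still matches MANIFEST.MF."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF")
        names = [n for n in jar.namelist() if SIG_RE.match(n) and n.upper().endswith(".SF")]
        for name in names:
            # Unfold continuation lines (newline + space) before reading headers.
            text = re.sub(r"\r?\n ", "", jar.read(name).decode("utf-8", "replace"))
            m = re.search(r"^(SHA-?\d+|MD5)-Digest-Manifest:\s*(\S+)", text, re.M)
            if m:
                alg = m.group(1).replace("-", "").lower()  # "SHA-256" -> "sha256"
                actual = base64.b64encode(hashlib.new(alg, manifest).digest()).decode()
            results[name] = bool(m) and actual == m.group(2)
    return results

def strip_signatures(jar_bytes):
    """Return (new_jar_bytes, removed_names); the input archive is left untouched."""
    out, removed = io.BytesIO(), []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if SIG_RE.match(info.filename):
                removed.append(info.filename)
            else:
                dst.writestr(info, src.read(info))
    return out.getvalue(), removed

def build_sample_jar(tampered):
    """Constructed input: tampered=True mimics a manifest rewritten during a merge."""
    manifest = b"Manifest-Version: 1.0\r\nMain-Class: demo.Main\r\n\r\n"
    digest = base64.b64encode(hashlib.sha256(manifest).digest())
    sf = b"Signature-Version: 1.0\r\nSHA-256-Digest-Manifest: " + digest + b"\r\n\r\n"
    shipped = manifest.replace(b"demo.Main", b"other.Main") if tampered else manifest
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", shipped)
        jar.writestr("META-INF/DEMO.SF", sf)
        jar.writestr("META-INF/DEMO.RSA", b"constructed placeholder, not a real signature block")
        jar.writestr("demo/Main.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

if __name__ == "__main__":
    for flag in (False, True):
        print("tampered" if flag else "intact", audit_signatures(build_sample_jar(flag)))
```

A False result means the manifest changed after signing, which is what happens when signed dependencies are merged into one JAR. For a real verdict on a JAR you intend to keep signed, run `jarsigner -verify` on it.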