java - Invalid signature file digest for Manifest main attributes exception while trying to run jar file

Question

I am trying to run the jar file of my project. I am working on intelliJ and have use artifacts to generate the jar file. But everytime i am trying to run my jar file its giving me exception.

java.lang.SecurityException: Invalid signature file digest for Manifest main attributes
    at sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVerifier.java:284)
    at sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:238)
    at java.util.jar.JarVerifier.processEntry(JarVerifier.java:316)
    at java.util.jar.JarVerifier.update(JarVerifier.java:228)
    at java.util.jar.JarFile.initializeVerifier(JarFile.java:383)
    at java.util.jar.JarFile.getInputStream(JarFile.java:450)
    at sun.misc.JarIndex.getJarIndex(JarIndex.java:137)
    at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:839)
    at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:831)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.misc.URLClassPath$JarLoader.ensureOpen(URLClassPath.java:830)
    at sun.misc.URLClassPath$JarLoader.<init>(URLClassPath.java:803)
    at sun.misc.URLClassPath$3.run(URLClassPath.java:530)
    at sun.misc.URLClassPath$3.run(URLClassPath.java:520)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.misc.URLClassPath.getLoader(URLClassPath.java:519)
    at sun.misc.URLClassPath.getLoader(URLClassPath.java:492)
    at sun.misc.URLClassPath.getNextLoader(URLClassPath.java:457)
    at sun.misc.URLClassPath.getResource(URLClassPath.java:211)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:365)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:362)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:361)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:495)
Error: A JNI error has occurred, please check your installation and try again
Exception in thread "main" 

And this is my manifest file:

Manifest-Version: 1.0
Main-Class: Main

Then the external libraries added to my project

What am i doing wrong??

update

Answer 1

Some of your dependency JARs is a signed JAR, so when you combine then all in one JAR and run that JAR then signature of the signed JAR doesn't match up and hence you get the security exception about signature mis-match.

To fix this you need to first identify which all dependency JARs are signed JARs and then exclude them. Depending upon whether you are using MAVEN or ANT, you have to take appropriate solution. Below are but you can read more here, here and here.

Maven:

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-dependency-plugin</artifactId>
    <version>2.6</version>
    <executions>
        <execution>
            <id>unpack-dependencies</id>
            <phase>package</phase>
            <goals>
                <goal>unpack-dependencies</goal>
            </goals>
            <configuration>
                <excludeScope>system</excludeScope>
                <excludes>META-INF/*.SF</excludes>
                <excludes>META-INF/*.DSA</excludes>
                <excludes>META-INF/*.RSA</excludes>
                <excludeGroupIds>junit,org.mockito,org.hamcrest</excludeGroupIds>
                <outputDirectory>${project.build.directory}/classes</outputDirectory>
            </configuration>
        </execution>
    </executions>
</plugin>

ANT:

<jar destfile="app.jar" basedir="${classes.dir}">
    <zipfileset excludes="META-INF/**/*" src="${lib.dir}/bcprov-jdk16-145.jar"></zipfileset>
    <manifest>
        <attribute name="Main-Class" value="app.Main"/>
    </manifest>
</jar>

---

Update based on OP's comment:

"sqljdbc4.jar" was the signed JAR in OP's external libraries. So, following above approach to systematically exclude the signature related files like .SF, .RSA or .DES or other algorithms files is the right way to move forward.

If these signature files are not excluded then security exception will occur because of signature mismatch.

How to know if a JAR is signed or not?: If a JAR contains files like files like .SF, .RSA or .DES or other algorithms files, then it is a signed JAR. Or run jarsigner -verify jarname.jar and see if it outputs "verified"