签名者信息不匹配

Question

I'm receving the following error on log file.

(java.lang.SecurityException: class "com.adventnet.snmp.snmp2.SecurityModelTable"'s signer information does not match signer information of other classes in the same package thrown

The thing is when I run below command, it says jar verified.

/usr/jdk/instances/jdk1.5.0/bin/jarsigner -verify -verbose Jarfile.jar

If the jar file is verified then how can this problem occur ?

Answer 1

check pom dependency tree for same packages of different versions .

I had this issue with itext-2.1.7 including old bouncycastle's bcpkix that was included in later version elsewhere.

Use this pattern :

<dependency>
  package X
  <exclusions>
    <exclusion>
      old package Y
    </exclusion>
  </exclusions>
</dependency>

<dependency>
  latest package Y
</dependency>

Update: To check the dependency tree details of package_Y you can use mvn dependency:tree -Dverbose -Dincludes=package_Y . For more info check maven documentation on resolving dependency tree problems. Also the Eclipse have quite nice dependency tree viewer.

Answer 2

It means that you have two or more classes in the same package with different signature data. Usually that means the classes come from different JARs, one of which is signed and the other is unsigned.

Answer 3

I encountered this exception while running a Scala/Spark project in Eclipse (Mars) on Windows and it prevented me from debugging and running the project in the IDE. The project used a Maven pom.xml file. It took a while to resolve, so I'm posting detailed steps here to help others:

1. Go to the folder where your project pom.xml file is
2. Run the command: mvn dependency:tree -Dverbose >Depends.Txt Make sure you don't have a Depends.Txt or it will be overwritten!
3. Search in the Depends.Txt file for the unsigned class that the Eclipse IDE is complaining about. In my case, it was javax.servlet.

4. You may find it in a section that looks like this:

   +- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.6.0:provided

   +- javax.servlet:servlet-api:jar:2.5:provided

5. The Maven group ID that you want to exclude the duplicate class from in the above is: hadoop-mapreduce-client-core

6. Add an exclusions section listing the groupid of the exclusion in the pom.xml after the offending package. In my case, this was the groupid javax.servlet.

7. Note that you can't resolve this issue by reordering the Java build path as some have posted for a similar problem.

Answer 4

java.lang.SecurityException: class “org.bouncycastle.asn1.ASN1ObjectIdentifier”'s signer information does not match signer information of other classes in the same package

Ans: I was also facing same exception when I was trying to make PDF password protected.

I added below jars to resolve the same.

◾itextpdf-5.2.1.jar ◾bcmail-jdk16-1.46.jar ◾bcprov-jdk16-1.46.jar ◾bctsp-jdk16-1.46.jar

Answer 5

In my program, I have loaded two version of the same packages. One is boprov-jdk15-140.jar , the other is bcprov-jdk15-151.jar . The two are conflicted.

In the JAR package's MANIFEST.MF file, it has the following digest:

Name: org/bouncycastle/crypto/digests/SM3Digest.class
SHA1-Digest: xxxxxxxx

The two JAR file has different SHA1-Digest info.

Answer 6

In my case I had:

Caused by: java.lang.SecurityException: class "org.bouncycastle.util.Strings"'s signer information does not match signer information of other classes in the same package

It was a project with a lot of dependencies and the mvn dependency:tree information did not really helped me.

Here is how I solved my issue:

• I did a search "Find in files" using notepad++ on all the M2_REPO
• I found a project which redefined "Strings" class in a package exactly identical to "org.bouncycastle.util.Strings" which should originate from the "org.bouncycastle:bcprov-jdk15on" dependency.
• Once found, I moved all of these problematic classes in a new package and updated this project version.
• Finally I updated the pom of the project which caused me trouble in the first place to use my dependency that uses the new package name.

Problem solved.

Answer 7

I encountered this issue in a Spring boot application. My issue was that I had Junit in the build path which has Org.hamcrest.Matchers.* and Hamcrest which was resident in library of Spring framework in my pom.xml in eclipse repository. So what I did was remove Junit from my build path. Included Junit only in my pom.xml. So my application depended on Maven for Junit and the *Matchers. So somehow you have two jars for one need. Maybe as a library and as configuration file.