This repository has been archived by the owner on Jun 7, 2024. It is now read-only.

shade plugin: avoiding "Invalid signature" #7

Closed
stash opened this issue Dec 2, 2013 · 2 comments


stash commented Dec 2, 2013

As described in this blog post, if you try to include a jarsigner-signed dependency, you get a nasty "Invalid signature file digest for Manifest main attributes" stacktrace.

The blog above suggests adding the following snippet to the shade plugin <configuration> section.

          <filters>
            <filter>
              <artifact>*:*</artifact>
              <excludes>
                <exclude>META-INF/*.SF</exclude>
                <exclude>META-INF/*.DSA</exclude>
                <exclude>META-INF/*.RSA</exclude>
              </excludes>
            </filter>
          </filters>

I'm new to Maven and Shade, so I'm not sure what the security implications of doing this are, but I thought I should suggest it. Thanks for writing the guide; I found it very useful.

Contributor

gregturn commented Dec 5, 2013

Thanks @stash, but I think these adjustments to the maven-shade-plugin would go too far out of the way of the focus of this guide. This guide is meant to get the reader going on some basic maven stuff. We simply added the maven-shade-plugin as the means to make the code runnable without complex classpath steps on the command line. For anyone working on a production solution, they should certainly evaluate more complex settings when dealing with things like signed jars, etc.

gregturn closed this as completed Dec 5, 2013
@wenijinew

Does that configuration work for you? It doesn't work for me. The generated jar file still contains signature files and when I try to run jarsigner -verify jarfileName it will print out the error message "java.lang.SecurityException: Invalid signature file digest for Manifest main attributes".

@stash how did you do in your environment?
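
A check for the situation described in the last comment, as an added example that is not from the guide or from anyone in this thread: it lists signature entries left directly under META-INF/ in a built jar and can rewrite the jar without them. The function names and the sample jar are constructed for illustration, and the .EC extension is an addition beyond the three patterns in the filter above.

```python
import io
import re
import zipfile

# Signature entries sit directly under META-INF/. .SF/.DSA/.RSA are the
# patterns from the filter in this issue; .EC (signature block for EC keys)
# is added by this example. Case-insensitive matching is this example's choice.
SIG_ENTRY = re.compile(r"^META-INF/[^/]+\.(SF|DSA|RSA|EC)$", re.IGNORECASE)


def signature_entries(jar):
    """Return the sorted signature entries in a jar (path or file-like)."""
    with zipfile.ZipFile(jar) as zf:
        return sorted(n for n in zf.namelist() if SIG_ENTRY.match(n))


def strip_signature_entries(src, dst):
    """Copy src to dst without signature entries; return the names dropped."""
    dropped = []
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if SIG_ENTRY.match(info.filename):
                dropped.append(info.filename)
            else:
                zout.writestr(info, zin.read(info.filename))
    return sorted(dropped)


def build_sample_jar():
    """Constructed stand-in for a shaded jar that kept a dependency's signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("META-INF/DEP.SF", "Signature-Version: 1.0\r\n\r\n")
        zf.writestr("META-INF/DEP.RSA", b"\x30\x00")  # placeholder bytes
        zf.writestr("META-INF/services/DEP.SF", "nested, not a signature file\n")
        zf.writestr("hello/HelloWorld.class", b"\xca\xfe\xba\xbe")
    return buf


if __name__ == "__main__":
    jar = build_sample_jar()
    print("before:", signature_entries(jar))
    cleaned = io.BytesIO()
    print("dropped:", strip_signature_entries(jar, cleaned))
    print("after:", signature_entries(cleaned))
```

A jar rewritten this way is unsigned: the dependency's original signature no longer covers anything in it, so `jarsigner -verify` has nothing to validate until the merged jar is signed again.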
