SBT Assembly Plugin on signed jar files

We had a Scala application which was being built by the command sbt dist. This uses the native packager to create a zip file and dumps all the jar files imported by SBT into the zip file.

This worked for us, but after some time we realized that some jar files have the same class files (but different versions) and we get runtime errors regarding missing methods etc.

So we used sbt assembly and defined a merge strategy to build a fat jar which has the right class files.

However, now after building the fat jar I am getting JCE errors:

Caused by: java.lang.SecurityException: JCE cannot authenticate the provider BC
    at javax.crypto.Cipher.getInstance(Cipher.java:657)
    at javax.crypto.Cipher.getInstance(Cipher.java:596)
    at org.bouncycastle.jcajce.util.NamedJcaJceHelper.createCipher(Unknown Source)
    at org.bouncycastle.openpgp.operator.jcajce.OperatorHelper.createCipher(Unknown Source)
    at org.bouncycastle.openpgp.operator.jcajce.JcePBESecretKeyDecryptorBuilder$1.recoverKeyData(Unknown Source)
    ... 24 more
Caused by: java.util.jar.JarException: file:/fat.jar has unsigned entries - -base__DDLMigration.sql
    at javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:464)
    at javax.crypto.JarVerifier.verifyJars(JarVerifier.java:322)
    at javax.crypto.JarVerifier.verify(JarVerifier.java:250)
    at javax.crypto.JceSecurity.verifyProviderJar(JceSecurity.java:160)
    at javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:186)
    at javax.crypto.Cipher.getInstance(Cipher.java:653)

So it seems that the jar files were signed and when we just dumped the individual jar files into a zip file everything worked. Now when we move individual classes into a fat jar then the signing is lost.

So for every class which was inside of a signed jar file and now was moved to a fat jar we get errors because the fat jar lost the signing information of the original jar.

1 answer

Daniel Darabos

You can remove the DSA and SF entries from META-INF/MANIFEST.MF to make the jar unsigned. Or remove the whole META-INF/MANIFEST.MF.
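Added example, not part of the question or the answer above: a small diagnostic that lists the signature files a jar carries under META-INF and the entries that no .SF file names, which is the condition the JarException in the trace reports. It only compares entry names (no digest or certificate verification), and the in-memory jar, `SAMPLE.SF` and the `org/example` class name are constructed for illustration; only the `.sql` entry name comes from the trace.

```python
import io
import re
import zipfile

# Signature-related files that jar signing itself does not cover.
SIG_RELATED = re.compile(r"^META-INF/(MANIFEST\.MF|SIG-[^/]*|[^/]+\.(SF|DSA|RSA|EC))$", re.I)
SIG_FILE = re.compile(r"^META-INF/[^/]+\.(SF|DSA|RSA|EC)$", re.I)


def signed_names(sf_bytes):
    """Entry names listed in a .SF file; a leading space continues the previous line."""
    text = sf_bytes.decode("utf-8").replace("\r\n", "\n").replace("\n ", "")
    return {l[6:] for l in text.split("\n") if l.startswith("Name: ")}


def inspect_jar(jar):
    """Return (signature_files, unsigned_entries) for a jar path or file object."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        sig_files = sorted(n for n in names if SIG_FILE.match(n))
        covered = set()
        for n in sig_files:
            if n.upper().endswith(".SF"):
                covered |= signed_names(zf.read(n))
    unsigned = sorted(n for n in names if not n.endswith("/")
                      and not SIG_RELATED.match(n) and n not in covered)
    return sig_files, unsigned


def build_sample_fat_jar():
    """Constructed sample: one class from a signed jar merged with an app resource."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        zf.writestr("META-INF/SAMPLE.SF",
                    "Signature-Version: 1.0\r\n\r\n"
                    "Name: org/example/provider/VeryLongPackageName/Some\r\n"
                    " Cipher.class\r\nSHA-256-Digest: AAAA\r\n\r\n")
        zf.writestr("META-INF/SAMPLE.DSA", b"\x00")  # placeholder, not a real signature
        zf.writestr("org/example/provider/VeryLongPackageName/SomeCipher.class", b"")
        zf.writestr("-base__DDLMigration.sql", "-- app resource, never signed\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sigs, unsigned = inspect_jar(build_sample_fat_jar())
    print("signature files:", sigs)
    print("entries not covered by any .SF:", unsigned)
```

Pass the path of the assembled jar to `inspect_jar` to see which signature files the merge carried over and which entries they do not cover.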