4 Replies Latest reply on Feb 28, 2012 10:01 PM by bouye-JavaNet

    Could not verify signing in resource (JAR + Pack200)

    bouye-JavaNet
      It seems I always ended up getting JWS error I never have had before these days...

      Ok, long story short:
      - this is about a JavaFX 1.3.1 app with packed JARs
      - changed computer, switched from JDK 1.6.0_22 that I used for several month for signing and pack files to JDK 1.6.0_29 and JDK 1.7.0_02. This issue did not happen with JDK 1.6.0_22.
      - it's currently deployed to an internal web server for testing purposes, files and URL are correct and can be reached from my workstation.
      - every single JNLP file validates OK with JaNeLA.
      - the certificate used to sign the libs is valid.
      - the offending JAR file report as being Ok and signed when checked with jarsigner.

      The error from Java Web Start is:
      >
      Unable to launch the application.
      Error: Could not verify signing in resource: http://devlin01.noumea.spc.local/~fabriceb/Web/TUMAS/lib/OFP-fx.jar.pack.gz
      >

      The exception is:
      com.sun.deploy.net.JARSigningException: Could not verify signing in resource: http://devlin01.noumea.spc.local/~fabriceb/Web/TUMAS/lib/OFP-fx.jar.pack.gz
           at com.sun.deploy.security.JarVerifier.authenticateJarEntry(Unknown Source)
           at com.sun.deploy.security.EnhancedJarVerifier.validate(Unknown Source)
           at com.sun.deploy.cache.CacheEntry.processJar(Unknown Source)
           at com.sun.deploy.cache.CacheEntry.access$2200(Unknown Source)
           at com.sun.deploy.cache.CacheEntry$9.run(Unknown Source)
           at java.security.AccessController.doPrivileged(Native Method)
           at com.sun.deploy.cache.CacheEntry.writeFileToDisk(Unknown Source)
           at com.sun.deploy.cache.Cache.downloadResourceToTempFile(Unknown Source)
           at com.sun.deploy.cache.Cache.downloadResourceToCache(Unknown Source)
           at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
           at com.sun.deploy.net.DownloadEngine.getCacheEntry(Unknown Source)
           at com.sun.deploy.net.DownloadEngine.getCacheEntry(Unknown Source)
           at com.sun.deploy.net.DownloadEngine.getResourceCacheEntry(Unknown Source)
           at com.sun.deploy.net.DownloadEngine.getResourceCacheEntry(Unknown Source)
           at com.sun.deploy.net.DownloadEngine.getResource(Unknown Source)
           at com.sun.javaws.LaunchDownload$DownloadTask.call(Unknown Source)
           at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
           at java.util.concurrent.FutureTask.run(Unknown Source)
           at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
           at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
           at java.lang.Thread.run(Unknown Source)
      The wrapped exception is:
      java.lang.SecurityException: SHA1 digest error for org/spc/ofp/javafx/scene/control/dialog/TitleLabel$TitleLabel$Script.class
           at sun.security.util.ManifestEntryVerifier.verify(Unknown Source)
           at java.util.jar.JarVerifier.processEntry(Unknown Source)
           at java.util.jar.JarVerifier.update(Unknown Source)
           at java.util.jar.JarVerifier$VerifierStream.read(Unknown Source)
           at com.sun.deploy.security.JarVerifier.readAndMaybeSaveStreamTo(Unknown Source)
           at com.sun.deploy.security.JarVerifier.authenticateJarEntry(Unknown Source)
           at com.sun.deploy.security.EnhancedJarVerifier.validate(Unknown Source)
           at com.sun.deploy.cache.CacheEntry.processJar(Unknown Source)
           at com.sun.deploy.cache.CacheEntry.access$2200(Unknown Source)
           at com.sun.deploy.cache.CacheEntry$9.run(Unknown Source)
           at java.security.AccessController.doPrivileged(Native Method)
           at com.sun.deploy.cache.CacheEntry.writeFileToDisk(Unknown Source)
           at com.sun.deploy.cache.Cache.downloadResourceToTempFile(Unknown Source)
           at com.sun.deploy.cache.Cache.downloadResourceToCache(Unknown Source)
           at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
           at com.sun.deploy.net.DownloadEngine.getCacheEntry(Unknown Source)
           at com.sun.deploy.net.DownloadEngine.getCacheEntry(Unknown Source)
           at com.sun.deploy.net.DownloadEngine.getResourceCacheEntry(Unknown Source)
           at com.sun.deploy.net.DownloadEngine.getResourceCacheEntry(Unknown Source)
           at com.sun.deploy.net.DownloadEngine.getResource(Unknown Source)
           at com.sun.javaws.LaunchDownload$DownloadTask.call(Unknown Source)
           at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
           at java.util.concurrent.FutureTask.run(Unknown Source)
           at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
           at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
           at java.lang.Thread.run(Unknown Source)
      The main JNLP is:
      <jnlp spec="1.0+" codebase="http://devlin01.noumea.spc.local/~fabriceb/Web/TUMAS/" href="TUMAS-fx.jnlp">
        <information>
          <title>TUMAS development standalone version</title>
          <vendor>CPS-SPC Secretariat of the Pacific Community</vendor>
          <homepage href="http://www.tumas-project.org/"/>
          <description>Management Option Visualisation Tool</description>
          <description kind="short">Management Option Visualisation Tool</description>
          <description kind="one-line">Management Option Visualisation Tool</description>
          <description kind="tooltip">Management Option Visualisation Tool</description>
          <icon kind="default" href="MOViT.gif" width="128" height="128" size="10948"/>
          <icon kind="shortcut" href="MOViT.gif" width="128" height="128" size="10948"/>
          <icon kind="splash" href="MOViT.gif" width="128" height="128" size="10948"/>
          <offline-allowed/>
          <shortcut online="false">
            <desktop/>
            <menu submenu="TUMAS"/>
          </shortcut>
        </information>
        <security>
          <all-permissions/>
        </security>
        <update check="always"/>
        <resources>
          <java max-heap-size="800m" version="1.6+"/>
          <jar href="TUMAS-fx.jar" main="true" size="154269"/>
          <extension name="MOViT" href="MOViT.jnlp"/>
          <extension name="l2fprod-7.3" href="l2fprod-7.3.jnlp"/>
          <extension name="JFXtras-0.7" href="JFXtras-0.7.jnlp"/>
          <extension name="gnujpdf-1.7" href="gnujpdf-1.7.jnlp"/>
          <extension name="Apache-POI-3.6" href="Apache-POI-3.6.jnlp"/>
          <extension name="SwingX-1.6.1" href="SwingX-1.6.1.jnlp"/>
          <extension name="OpenMap-5.0" href="OpenMap-5.0.jnlp"/>
          <extension name="JavaFX 1.3.x Runtime" href="http://dl.javafx.com/1.3/javafx-rt.jnlp"/>
          <property name="jnlp.packEnabled" value="true"/>
        </resources>
        <application-desc main-class="com.sun.javafx.runtime.main.Main">
          <argument>MainJavaFXScript=org.spc.ofp.project.tumas.TUMAS</argument>
          <argument>--development</argument>
        </application-desc>
      </jnlp>
      The JNLP which contains the offending lib is:
      <?xml version="1.0" encoding="UTF-8"?>
      <jnlp spec="1.0+" codebase="http://devlin01.noumea.spc.local/~fabriceb/Web/TUMAS/" href="MOViT.jnlp">
          <information>
              <title>MOViT</title>
              <vendor>CPS-SPC Secretariat of the Pacific Community</vendor>
              <homepage href="http://www.tumas-project.org/"/>
              <description>Management Option Visualisation Tool</description>
              <offline-allowed/>
          </information>
          <security>
             <all-permissions/>
          </security>
          <resources>
             <jar href="lib/OFP-core.jar" part="MOViT" size="384817"/>
             <jar href="lib/OFP-GIS.jar" part="MOViT" size="10608"/>
             <jar href="lib/OFP-fx.jar" part="MOViT" size="2325354"/>
             <jar href="lib/OFP-fx-mappane.jar" part="MOViT" size="3277991"/>
             <jar href="lib/MFCL-IO.jar" part="MOViT" size="82454"/>
             <jar href="lib/MOViT-templates.jar" part="MOViT" size="5142641"/>
             <jar href="lib/MOViT-ztm.jar" part="MOViT" size="59484"/>
             <jar href="lib/MOViT-ztp.jar" part="MOViT" size="56450"/>
             <jar href="lib/MOViT-zte.jar" part="MOViT" size="41706"/>
             <jar href="lib/MOViT-fishery.jar" part="MOViT" size="66291"/>
             <jar href="lib/MOViT-fx.jar" part="MOViT" size="3282871"/>
             <jar href="lib/SPINiT-fx.jar" part="MOViT" size="332428"/>
             <property name="jnlp.packEnabled" value="true"/>
          </resources>
          <component-desc/>
      </jnlp>
      The following command lines are used when packing + signing the file (extra private bits have been removed) :
      ► Normalizing file: "<path to file>OFP-fx.jar"
      Executing: "C:\Program Files (x86)\Java\jdk1.6.0_29/bin/pack200" --repack --effort=9 --segment-limit=-1 --modification-time=latest --strip-debug "<path to file>OFP-fx.jar"
      process exited with error code: 0
      ► Signing file: "<path to file>OFP-fx.jar"
      Executing: "C:\Program Files (x86)\Java\jdk1.6.0_29/bin/jarsigner" -verify "<path to file>OFP-fx.jar"
      process exited with error code: 0
      Executing: "C:\Program Files (x86)\Java\jdk1.6.0_29/bin/jarsigner" -tsa <timestamp server> -J-Dhttp.proxyHost=<our proxy host> -J-Dhttp.proxyPort=<our proxy port> -keystore <our store> -storepass <our password> "<path to file>OFP-fx.jar" <our alias>
      process exited with error code: 0
      ► Packing file: "<path to file>OFP-fx.jar"
      Executing: "C:\Program Files (x86)\Java\jdk1.6.0_29/bin/pack200" "<path to file>OFP-fx.jar.pack.gz" "<path to file>OFP-fx.jar"
      process exited with error code: 0
      Any idea, besides reinstalling an older JDK and/or runtime?