4 Replies. Latest reply: Feb 28, 2012 4:01 PM by bouye

    Could not verify signing in resource (JAR + Pack200)

    bouye
      It seems I always end up getting JWS errors I have never had before these days...

      Ok, long story short:
      - this is about a JavaFX 1.3.1 app with packed JARs
      - changed computer, switched from JDK 1.6.0_22, which I used for several months for signing and packing files, to JDK 1.6.0_29 and JDK 1.7.0_02. This issue did not happen with JDK 1.6.0_22.
      - it's currently deployed to an internal web server for testing purposes, files and URL are correct and can be reached from my workstation.
      - every single JNLP file validates OK with JaNeLA.
      - the certificate used to sign the libs is valid.
      - the offending JAR file reports as being OK and signed when checked with jarsigner.

      The error from Java Web Start is:
      >
      Unable to launch the application.
      Error: Could not verify signing in resource: http://devlin01.noumea.spc.local/~fabriceb/Web/TUMAS/lib/OFP-fx.jar.pack.gz
      >

      The exception is:
      com.sun.deploy.net.JARSigningException: Could not verify signing in resource: http://devlin01.noumea.spc.local/~fabriceb/Web/TUMAS/lib/OFP-fx.jar.pack.gz
           at com.sun.deploy.security.JarVerifier.authenticateJarEntry(Unknown Source)
           at com.sun.deploy.security.EnhancedJarVerifier.validate(Unknown Source)
           at com.sun.deploy.cache.CacheEntry.processJar(Unknown Source)
           at com.sun.deploy.cache.CacheEntry.access$2200(Unknown Source)
           at com.sun.deploy.cache.CacheEntry$9.run(Unknown Source)
           at java.security.AccessController.doPrivileged(Native Method)
           at com.sun.deploy.cache.CacheEntry.writeFileToDisk(Unknown Source)
           at com.sun.deploy.cache.Cache.downloadResourceToTempFile(Unknown Source)
           at com.sun.deploy.cache.Cache.downloadResourceToCache(Unknown Source)
           at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
           at com.sun.deploy.net.DownloadEngine.getCacheEntry(Unknown Source)
           at com.sun.deploy.net.DownloadEngine.getCacheEntry(Unknown Source)
           at com.sun.deploy.net.DownloadEngine.getResourceCacheEntry(Unknown Source)
           at com.sun.deploy.net.DownloadEngine.getResourceCacheEntry(Unknown Source)
           at com.sun.deploy.net.DownloadEngine.getResource(Unknown Source)
           at com.sun.javaws.LaunchDownload$DownloadTask.call(Unknown Source)
           at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
           at java.util.concurrent.FutureTask.run(Unknown Source)
           at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
           at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
           at java.lang.Thread.run(Unknown Source)
      The wrapped exception is:
      java.lang.SecurityException: SHA1 digest error for org/spc/ofp/javafx/scene/control/dialog/TitleLabel$TitleLabel$Script.class
           at sun.security.util.ManifestEntryVerifier.verify(Unknown Source)
           at java.util.jar.JarVerifier.processEntry(Unknown Source)
           at java.util.jar.JarVerifier.update(Unknown Source)
           at java.util.jar.JarVerifier$VerifierStream.read(Unknown Source)
           at com.sun.deploy.security.JarVerifier.readAndMaybeSaveStreamTo(Unknown Source)
           at com.sun.deploy.security.JarVerifier.authenticateJarEntry(Unknown Source)
           at com.sun.deploy.security.EnhancedJarVerifier.validate(Unknown Source)
           at com.sun.deploy.cache.CacheEntry.processJar(Unknown Source)
           at com.sun.deploy.cache.CacheEntry.access$2200(Unknown Source)
           at com.sun.deploy.cache.CacheEntry$9.run(Unknown Source)
           at java.security.AccessController.doPrivileged(Native Method)
           at com.sun.deploy.cache.CacheEntry.writeFileToDisk(Unknown Source)
           at com.sun.deploy.cache.Cache.downloadResourceToTempFile(Unknown Source)
           at com.sun.deploy.cache.Cache.downloadResourceToCache(Unknown Source)
           at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
           at com.sun.deploy.net.DownloadEngine.getCacheEntry(Unknown Source)
           at com.sun.deploy.net.DownloadEngine.getCacheEntry(Unknown Source)
           at com.sun.deploy.net.DownloadEngine.getResourceCacheEntry(Unknown Source)
           at com.sun.deploy.net.DownloadEngine.getResourceCacheEntry(Unknown Source)
           at com.sun.deploy.net.DownloadEngine.getResource(Unknown Source)
           at com.sun.javaws.LaunchDownload$DownloadTask.call(Unknown Source)
           at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
           at java.util.concurrent.FutureTask.run(Unknown Source)
           at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
           at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
           at java.lang.Thread.run(Unknown Source)
      The main JNLP is:
      <jnlp spec="1.0+" codebase="http://devlin01.noumea.spc.local/~fabriceb/Web/TUMAS/" href="TUMAS-fx.jnlp">
        <information>
          <title>TUMAS development standalone version</title>
          <vendor>CPS-SPC Secretariat of the Pacific Community</vendor>
          <homepage href="http://www.tumas-project.org/"/>
          <description>Management Option Visualisation Tool</description>
          <description kind="short">Management Option Visualisation Tool</description>
          <description kind="one-line">Management Option Visualisation Tool</description>
          <description kind="tooltip">Management Option Visualisation Tool</description>
          <icon kind="default" href="MOViT.gif" width="128" height="128" size="10948"/>
          <icon kind="shortcut" href="MOViT.gif" width="128" height="128" size="10948"/>
          <icon kind="splash" href="MOViT.gif" width="128" height="128" size="10948"/>
          <offline-allowed/>
          <shortcut online="false">
            <desktop/>
            <menu submenu="TUMAS"/>
          </shortcut>
        </information>
        <security>
          <all-permissions/>
        </security>
        <update check="always"/>
        <resources>
          <java max-heap-size="800m" version="1.6+"/>
          <jar href="TUMAS-fx.jar" main="true" size="154269"/>
          <extension name="MOViT" href="MOViT.jnlp"/>
          <extension name="l2fprod-7.3" href="l2fprod-7.3.jnlp"/>
          <extension name="JFXtras-0.7" href="JFXtras-0.7.jnlp"/>
          <extension name="gnujpdf-1.7" href="gnujpdf-1.7.jnlp"/>
          <extension name="Apache-POI-3.6" href="Apache-POI-3.6.jnlp"/>
          <extension name="SwingX-1.6.1" href="SwingX-1.6.1.jnlp"/>
          <extension name="OpenMap-5.0" href="OpenMap-5.0.jnlp"/>
          <extension name="JavaFX 1.3.x Runtime" href="http://dl.javafx.com/1.3/javafx-rt.jnlp"/>
          <property name="jnlp.packEnabled" value="true"/>
        </resources>
        <application-desc main-class="com.sun.javafx.runtime.main.Main">
          <argument>MainJavaFXScript=org.spc.ofp.project.tumas.TUMAS</argument>
          <argument>--development</argument>
        </application-desc>
      </jnlp>
      The JNLP which contains the offending lib is:
      <?xml version="1.0" encoding="UTF-8"?>
      <jnlp spec="1.0+" codebase="http://devlin01.noumea.spc.local/~fabriceb/Web/TUMAS/" href="MOViT.jnlp">
          <information>
              <title>MOViT</title>
              <vendor>CPS-SPC Secretariat of the Pacific Community</vendor>
              <homepage href="http://www.tumas-project.org/"/>
              <description>Management Option Visualisation Tool</description>
              <offline-allowed/>
          </information>
          <security>
             <all-permissions/>
          </security>
          <resources>
             <jar href="lib/OFP-core.jar" part="MOViT" size="384817"/>
             <jar href="lib/OFP-GIS.jar" part="MOViT" size="10608"/>
             <jar href="lib/OFP-fx.jar" part="MOViT" size="2325354"/>
             <jar href="lib/OFP-fx-mappane.jar" part="MOViT" size="3277991"/>
             <jar href="lib/MFCL-IO.jar" part="MOViT" size="82454"/>
             <jar href="lib/MOViT-templates.jar" part="MOViT" size="5142641"/>
             <jar href="lib/MOViT-ztm.jar" part="MOViT" size="59484"/>
             <jar href="lib/MOViT-ztp.jar" part="MOViT" size="56450"/>
             <jar href="lib/MOViT-zte.jar" part="MOViT" size="41706"/>
             <jar href="lib/MOViT-fishery.jar" part="MOViT" size="66291"/>
             <jar href="lib/MOViT-fx.jar" part="MOViT" size="3282871"/>
             <jar href="lib/SPINiT-fx.jar" part="MOViT" size="332428"/>
             <property name="jnlp.packEnabled" value="true"/>
          </resources>
          <component-desc/>
      </jnlp>
      The following command lines are used when packing + signing the file (extra private bits have been removed):
      ► Normalizing file: "<path to file>OFP-fx.jar"
      Executing: "C:\Program Files (x86)\Java\jdk1.6.0_29/bin/pack200" --repack --effort=9 --segment-limit=-1 --modification-time=latest --strip-debug "<path to file>OFP-fx.jar"
      process exited with error code: 0
      ► Signing file: "<path to file>OFP-fx.jar"
      Executing: "C:\Program Files (x86)\Java\jdk1.6.0_29/bin/jarsigner" -verify "<path to file>OFP-fx.jar"
      process exited with error code: 0
      Executing: "C:\Program Files (x86)\Java\jdk1.6.0_29/bin/jarsigner" -tsa <timestamp server> -J-Dhttp.proxyHost=<our proxy host> -J-Dhttp.proxyPort=<our proxy port> -keystore <our store> -storepass <our password> "<path to file>OFP-fx.jar" <our alias>
      process exited with error code: 0
      ► Packing file: "<path to file>OFP-fx.jar"
      Executing: "C:\Program Files (x86)\Java\jdk1.6.0_29/bin/pack200" "<path to file>OFP-fx.jar.pack.gz" "<path to file>OFP-fx.jar"
      process exited with error code: 0
      Any idea, besides reinstalling an older JDK and/or runtime?
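
The wrapped exception above is a per-entry manifest digest mismatch: the bytes of one class no longer hash to the value recorded in META-INF/MANIFEST.MF when the JAR was signed. As an added example (not part of the original post and not JDK code), this Python check performs the same comparison and lists the affected entries; the function names are chosen here, and `build_sample_jar` only constructs an in-memory sample JAR for trying it out.

```python
import base64, hashlib, io, zipfile

# Manifest header -> hashlib name. SHA1-Digest is the one in the error on this page.
ALGS = {"SHA1-Digest": "sha1", "SHA-256-Digest": "sha256"}

def parse_manifest(text):
    """Return {entry name: headers} for the per-entry sections of MANIFEST.MF."""
    # Lines are wrapped at 72 bytes; a continuation line starts with one space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    sections = {}
    for block in text.split("\n\n"):
        headers = dict(l.split(": ", 1) for l in block.split("\n") if ": " in l)
        if "Name" in headers:
            sections[headers.pop("Name")] = headers
    return sections

def digest_mismatches(jar_bytes):
    """List entries that are missing or whose bytes differ from the manifest digest."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        present = set(jar.namelist())
        manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for name, headers in manifest.items():
            for header, alg in ALGS.items():
                if header not in headers:
                    continue
                actual = None  # a missing entry never matches
                if name in present:
                    actual = base64.b64encode(hashlib.new(alg, jar.read(name)).digest()).decode()
                if actual != headers[header] and name not in bad:
                    bad.append(name)
    return bad

def build_sample_jar(signed, shipped):
    """Constructed sample: digests are taken over `signed`, the JAR holds `shipped`."""
    def wrap(line):
        return line[:72] + "".join("\r\n " + line[i:i + 71] for i in range(72, len(line), 71))
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in signed.items():
        digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
        lines += [wrap("Name: " + name), "SHA1-Digest: " + digest, ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
        for name, data in shipped.items():
            jar.writestr(name, data)
    return buf.getvalue()
```

Run `digest_mismatches` on the JAR obtained by unpacking the deployed `.pack.gz` (for example with `unpack200`), not on the JAR as it was before packing: Java Web Start verifies the unpacked result, which is why `jarsigner -verify` on the pre-pack file can pass while the launch fails.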
        • 1. Re: Could not verify signing in resource (JAR + Pack200)
          817614
          1. You might want to try clearing the cache by using the Java Control Panel UI: Temporary Internet Files > Settings > Delete Files
          2. If that does not help, try the latest 7u4 early access build from http://jdk7.java.net/download.html
          There were some JRE bugs related to pack200 that just got fixed recently.
          • 2. Re: Could not verify signing in resource (JAR + Pack200)
            bouye
            Finally had a chance to test JDK 1.7.0_04 beta and it looks like packing and signing the JARs with this version does indeed correct this issue. So this was not related to the JRE version on the client's computer.
            Thanks for the suggestion and let's hope they put some process in place to prevent similar issues from happening again in the future.
            • 3. Re: Could not verify signing in resource (JAR + Pack200)
              gimbal2
              bouye wrote:
              Thanks for the suggestion and let's hope they put some process in place to prevent similar issues from happening again in the future.
              False hope. Programming is hard, release management is hard, testing is hard, people make mistakes, budget restrictions cause mistakes to slip through, etc. etc.

              The most important factor in all this really is us and more specifically our willingness to properly report problems.
              • 4. Re: Could not verify signing in resource (JAR + Pack200)
                bouye
                Actually this seems more an "insufficient testing vs. deadline issue" as they seem to be in a hurry to release (broken) "security upgrades".
                Furthermore, while I do report issues, errors and problems, I am not Oracle's free beta tester pet.

                That being fixed, other erratic JWS behaviors remain though.

                Edited by: bouye on Feb 29, 2012 8:00 AM