You most likely happened to re-sign an existing signed jar that just expired recently and got this error message saying invalid SHA1 signature.

There is only 1 cause for this and you happen to re-sign the jar using JDK 1.7 while the expired jar was signed using 1.6. The encryption for both JDKs are different because 1.6 uses SHA1 while 1.7 uses SHA-256.

When you re-sign the expired jar using 1.7, check the manifest file and you will see that there will be 2 entries labeled SHA1 and SHA-256.

The only workaround that can be done for this is to re-create a clean jar file and sign it using 1.7. However, in my case wherein there were too many jar files I decided to install 1.6 and use its jarsigner executable to re-sign it thereby keeping its signature intact as SHA1.

You can then verify your jar file with the command

jarsigner -verify -verbose -certs

just to be sure that the signing was successful. Do not worry if you see the message “This jar contains entries whose signer certificate has expired.” because this is normal as it simply means you overwrote an expired certificate with a new one.

Related Posts Plugin for WordPress, Blogger...