maven-shade-plugin
[MSHADE-147] Failure to shade without explanation when signature is invalid
Jesse N. Glick opened MSHADE-147 and commented
If there is a signature error in a shaded dependency, you can get a build error like this:
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.apache.maven.plugins:maven-shade-plugin:2.0:shade (shade) on project stuff: Error creating shaded jar: Invalid signature file digest for Manifest main attributes
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:217)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:84)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:59)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.singleThreadedBuild(LifecycleStarter.java:183)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:161)
    at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:320)
    at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:156)
    at org.jvnet.hudson.maven3.launcher.Maven3Launcher.main(Maven3Launcher.java:79)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:601)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchStandard(Launcher.java:329)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:239)
    at org.jvnet.hudson.maven3.agent.Maven3Main.launch(Maven3Main.java:158)
    at hudson.maven.Maven3Builder.call(Maven3Builder.java:100)
    at hudson.maven.Maven3Builder.call(Maven3Builder.java:66)
    at hudson.remoting.UserRequest.perform(UserRequest.java:118)
    at hudson.remoting.UserRequest.perform(UserRequest.java:48)
    at hudson.remoting.Request$2.run(Request.java:326)
    at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
    at java.util.concurrent.FutureTask.run(FutureTask.java:166)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:722)
Caused by: org.apache.maven.plugin.MojoExecutionException: Error creating shaded jar: Invalid signature file digest for Manifest main attributes
    at org.apache.maven.plugins.shade.mojo.ShadeMojo.execute(ShadeMojo.java:551)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:101)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:209)
    ... 27 more
Caused by: java.lang.SecurityException: Invalid signature file digest for Manifest main attributes
    at sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVerifier.java:240)
    at sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:193)
    at java.util.jar.JarVerifier.processEntry(JarVerifier.java:305)
    at java.util.jar.JarVerifier.update(JarVerifier.java:216)
    at java.util.jar.JarFile.initializeVerifier(JarFile.java:345)
    at java.util.jar.JarFile.getInputStream(JarFile.java:412)
    at org.apache.maven.plugins.shade.DefaultShader.shade(DefaultShader.java:134)
    at org.apache.maven.plugins.shade.mojo.ShadeMojo.execute(ShadeMojo.java:484)
    ... 29 more
Apparently DefaultShader is using the JarFile constructor that enables signature verification. That may be correct, but if so it should catch SecurityException and report the problem more nicely, say with the name of the bad dependency, and perhaps with instructions on how to configure the plugin to ignore this dependency or override the signature check.
Attaching my test project, though I cannot consistently reproduce the problem with this. (Seems to fail from inside Jenkins but not outside; not yet sure what the difference would be.)
MSHADE-90 is a bit related.
Affects: 2.0
Issue Links:
- MSHADE-90 Warn or error for signature files
2 votes, 7 watchers
Neeme Praks commented
Attached a patch to:
- print a nice error message when there is an error while reading JAR file contents (includes JAR entry path and JAR file path)
- add a "disableJarFileVerification" configuration option for DefaultShader -- when enabled, dependency JAR file verification is turned off
The base version for the patch is 2.3.
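An added diagnostic example, not the attached patch and not the plugin's own code: it opens each JAR with verification on, as the JarFile call in the stack trace above does, reads every entry, and on a SecurityException reports the JAR path and entry name that the two comments above ask for. The class name JarSignatureCheck and the fallback to the current classpath are assumptions of this example.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example (hypothetical class name): find which JAR fails signature verification. */
public class JarSignatureCheck {

    /** Reads every entry with verification on; returns null if clean, else a description. */
    static String firstFailure(File jar) throws IOException {
        String entryName = "(opening JAR)";
        // verify=true is also what the one-argument JarFile constructors use.
        try (JarFile jf = new JarFile(jar, true)) {
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jf.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                entryName = e.getName();
                // Digests are checked as the stream is consumed, so read it to the end.
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { }
                }
            }
            return null;
        } catch (SecurityException ex) {
            return jar + " (entry " + entryName + "): " + ex.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        // With no arguments, check the JARs on the current classpath.
        String[] paths = args.length > 0 ? args
                : System.getProperty("java.class.path").split(File.pathSeparator);
        int bad = 0;
        for (String p : paths) {
            File f = new File(p);
            if (!f.isFile() || !p.endsWith(".jar")) continue;
            String failure = firstFailure(f);
            if (failure != null) {
                bad++;
                System.err.println("SIGNATURE FAILURE: " + failure);
            }
        }
        System.out.println(bad + " JAR(s) failed verification");
        System.exit(bad == 0 ? 0 : 1);
    }
}
```

Running it over the dependency JARs of a failing build names the artifact whose signature files no longer match its contents, which is the one to inspect before any signature check is excluded or disabled.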
Bruce Wen commented
Any workaround for this? I tried to use a filter in the configuration, but it does not work.
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-shade-plugin</artifactId>
  <version>3.0.0</version>
  <executions>
    <execution>
      <phase>package</phase>
      <goals>
        <goal>shade</goal>
      </goals>
      <configuration>
        <filters>
          <filter>
            <artifact>*:*</artifact>
            <excludes>
              <exclude>META-INF/*.SF</exclude>
              <exclude>META-INF/*.DSA</exclude>
              <exclude>META-INF/*.RSA</exclude>
            </excludes>
          </filter>
        </filters>
      </configuration>
    </execution>
  </executions>
</plugin>
Zsombor Gegesy commented
I've rebased your patch and submitted it on GitHub, as I've encountered the same problem, and with it, I could solve it. Hopefully, someone with commit rights can merge it!
Guillaume Nodet commented
A reproducer would be welcome. I've tried the provided project but it seems to work for me. Zsombor Gegesy, do you have one?