bc-java icon indicating copy to clipboard operation
bc-java copied to clipboard
verified publisher icon bcgit

Unsupported class file major version 69

Open tcurdt opened this issue 3 weeks ago • 4 comments

I seems like the latest release

update dependency org.bouncycastle:bcpg-jdk18on to v1.83

was built for an unexpected high class format:

major version 69 = java 25

What happened there?

tcurdt avatar Nov 29 '25 02:11 tcurdt

No. Something else is going, the bcpg jar on Maven Central is compiled mostly for Java 8, the module-info.class file is for Java 9.

dghgit avatar Nov 30 '25 08:11 dghgit

There clearly is a bigger difference in 1.82 and 1.83.

1.82:
[INFO] Minimizing jar org.vafer:jdeb:maven-plugin:1.15
[WARNING] Removing module-info from jdeb-1.15.jar
[INFO] Dependency-reduced POM written at: /Users/tcurdt/Projects/jdeb/dependency-reduced-pom.xml
[WARNING] bcpg-jdk18on-1.82.jar, bcprov-jdk18on-1.82.jar, bcutil-jdk18on-1.83.jar define 1 overlapping resource:
[WARNING]   - META-INF/versions/9/OSGI-INF/MANIFEST.MF
[WARNING] maven-shade-plugin has detected that some files are
[WARNING] present in two or more JARs. When this happens, only one
[WARNING] single version of the file is copied to the uber jar.
[WARNING] Usually this is not harmful and you can skip these warnings,
[WARNING] otherwise try to manually exclude artifacts based on
[WARNING] mvn dependency:tree -Ddetail=true and the above output.
[WARNING] See https://maven.apache.org/plugins/maven-shade-plugin/
[INFO] Minimized 8880 -> 3810 (42%)

1.83:
[INFO] Minimizing jar org.vafer:jdeb:maven-plugin:1.15
[WARNING] org.bouncycastle:bcprov-jdk18on:jar:1.83:compile could not be analyzed for minimization; dependency is probably malformed.
[WARNING] Removing module-info from jdeb-1.15.jar
[WARNING] org.bouncycastle:bcprov-jdk18on:jar:1.83:compile could not be analyzed for minimization; dependency is probably malformed.

I checked all class files with javap and most report 52 (java 8), not all are. I found classes in the following formats:

  Version 1.82:
  - 4,577 classes: Java 8 (major version 52)
  - 1,134 classes: Java 9 (major version 53)
  - 34 classes: Java 11 (major version 55)
  - 20 classes: Java 15 (major version 59)
  - 20 classes: Java 21 (major version 65)

  Version 1.83:
  - 4,584 classes: Java 8 (major version 52) - 7 more than 1.82
  - 1,137 classes: Java 9 (major version 53) - 3 more than 1.82
  - 34 classes: Java 11 (major version 55) - same
  - 29 classes: Java 25 (major version 69) - new
  - 20 classes: Java 15 (major version 59) - same
  - 20 classes: Java 21 (major version 65) - same

which explain the error I am seeing.

They are in the META-INF/versions/25/ directory though (which is a multi-release JAR feature). So my guess is that maven shade plugin has a problem with multi-releases.

tcurdt avatar Nov 30 '25 12:11 tcurdt

It's probably not the multi-release in itself - that was in 1.82. It'll be Java 25, it's only been official since October, the tool might still be catching up. If the shade plugin isn't verifying the jars, you could remove the signatures and remove what's under versions/25 for now. I'd guess they'd update it fairly soon though - Java 25 adds some significant "new stuff" at least from a cryptography perspective.

dghgit avatar Nov 30 '25 21:11 dghgit

Yes, maven-shade-plugin does not yet feature Java 24/25 support, it is scheduled for the upcoming 3.6.2 release. See

  • https://github.com/apache/maven-shade-plugin/issues/747
  • https://github.com/apache/maven-shade-plugin/pull/769

winfriedgerlach avatar Dec 02 '25 13:12 winfriedgerlach