Java 1.8.0_141_b15 java.lang.SecurityException

Hi updating the Java version 1.8.0_141 it shows this Error loading the Smart Client:

com.sun.deploy.net.JARSigningException: No se ha podido verificar la firma del recurso (Could not verify signature of resource): (https://etecsoft.com:8445/servoyServer/plugins/it2be-ftp/jakarta-oro.jar, 1500474092072)
	at com.sun.deploy.security.JarVerifier.authenticateJarEntry(Unknown Source)
	at com.sun.deploy.security.EnhancedJarVerifier.validate(Unknown Source)
	at com.sun.deploy.cache.CacheEntry.processJar(Unknown Source)
	at com.sun.deploy.cache.CacheEntry.access$2700(Unknown Source)
	at com.sun.deploy.cache.CacheEntry$7.run(Unknown Source)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.sun.deploy.cache.CacheEntry.writeFileToDisk(Unknown Source)
	at com.sun.deploy.cache.CacheEntry.writeFileToDisk(Unknown Source)
	at com.sun.deploy.cache.Cache.downloadResourceToTempFile(Unknown Source)
	at com.sun.deploy.cache.Cache.downloadResourceToCache(Unknown Source)
	at com.sun.deploy.net.DownloadEngine.actionDownload(Unknown Source)
	at com.sun.deploy.net.DownloadEngine.downloadResource(Unknown Source)
	at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
	at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
	at com.sun.javaws.LaunchDownload$DownloadTask.call(Unknown Source)
	at java.util.concurrent.FutureTask.run(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)

All the plugins are signed the same keystored.
Using the last Code Signer version for java 8 >=101 v1.3.54.
It’s works with lower java version.
It`s not relevant but the server its working with Servoy version 8.1.4 -releaseNumber 3035 and java.version=1.8.0_121

i guess it is not for all jars but only for certain jars?
then we need to investigate those jars that are failing, what is so special about them

you should be able to use the bootstrapper for this also then you don’t need to sign (except the small bootstrap.jar)

Same issue here with the same jar, but not from it2be but drmaison:

plugins/drmaison-lib/jakarta-oro.jar

jcompagner:
i guess it is not for all jars but only for certain jars?

Yes, could be the plugins who has dependencies.

jcompagner:
you should be able to use the bootstrapper for this also then you don’t need to sign (except the small bootstrap.jar)

I have use it, but the problem is later when you open the solution, it fail when the solution use this failed plugins.

i can’t reproduce it,
i got a jar file of Patrick that was a problem (but that jar file really was not signed correctly anymore, to old)
and i resigned it in different ways (signing with java7 and java 8, with our internal signing script and also with the CodeSigner of servoyforge)
then i start it up with javawebstart of java8.141 and it didn’t complain about those files.

So maybe those files really need to be resigned? Does anybody has a jar file that should work, but fails now?

jcompagner:
So maybe those files really need to be resigned? Does anybody has a jar file that should work, but fails now?

File attached with the problem, signing with my keystore.

This time I have signing all the plugins using the last Code Signer version for java 8 >=101 v1.3.54, but in a computer with the new Java version.
After that I have installed it in my server:

• without bootstrapper fails in two plugins one I have attached (yakarta oro).
• with bootstrapper show the error in the Java console but it works, even the it2beFtp plugin, that gave me the previous error.

it2be-ftp.jar.zip (954 KB)

i see it going wrong if i just take that
but at the moment i sign with our certificate it works

Do you really sign all your jars?

But what i do notice that in side that jar in the /META-INF/manifest.mf file
there is an entry:

Name: org/apache/oro

make that:

Name: org.apache.oro

then with the code signer, first remove the signature, then run the normal signing again

Hi Johan,

thank you for your investigations!
It seems that changing that “Name: org/apache/oro” string and resigning the jar works for us with Java 8 Update 141!

Alex

There is def something going on with these release of java

Look here

https://stackoverflow.com/questions/451 … java-8u141