invalid SHA1 signature file digest

问题

I have been trying to verify the Jar signing:

    jarsigner -verify -verbose -certs example.jar

I got the following problem:

jarsigner: java.lang.SecurityException: invalid SHA1 signature file digest for o
rg/apache/log4j/net/DefaultEvaluator.class

I got some suggestions about using -digestalg SHA-1 but I do not know where I should put this statement!

I hope you can help me to fix the problem.

回答1:

This error can also happen when the jar is signed twice.

The solution was to 'unsign' the jar by deleting *.SF, *.DSA, *.RSA files from the jar's META-INF and then signing the jar again.

回答2:

Here is the solution:

jarsigner -keystore mykeystore -digestalg SHA1 jarfile alias

To verify:

jarsigner -verify -verbose -certs jarfile

回答3:

This worked for me. I had to change my ANT to version 1.8.3 and add DIGESTALG attribute:

<!-- VLS2014 ADDED digestalg="SHA1" -->
<signjar keystore="${security.keystore}"
         storepass="${security.storepass}"
         keypass="${security.keypass}"
         alias="${security.alias}"
         jar="${basedir}/temp/tj/${justfname}"
         signedjar="${real.signed.jar}"
     digestalg="SHA1"
        />

<delete file="${basedir}/temp/tj/${justfname}" />
</target>

来源：https://stackoverflow.com/questions/8176166/invalid-sha1-signature-file-digest