I have been trying to verify the Jar signing:
jarsigner -verify -verbose -certs example.jar I got the following problem:
jarsigner: java.lang.SecurityException: invalid SHA1 signature file digest for o rg/apache/log4j/net/DefaultEvaluator.class I got some suggestions about using -digestalg SHA-1 but I do not know where I should put this statement!
I hope you can help me to fix the problem.
This error can also happen when the jar is signed twice.
The solution was to 'unsign' the jar by deleting *.SF, *.DSA, *.RSA files from the jar's META-INF and then signing the jar again.
Here is the solution:
jarsigner -keystore mykeystore -digestalg SHA1 jarfile alias To verify:
jarsigner -verify -verbose -certs jarfile This worked for me. I had to change my ANT to version 1.8.3 and add DIGESTALG attribute: