How can I tell which signed jar is causing maven-shade-plugin to fail?

Question

To run maven-shade-plugin, I have to use to method described here due to signed dependencies, as shown here:

    maven-shade         


        

Answer 1

The shade plugin is unpacking all of the jars for the dependencies you have included and stuffing their contents into a single jar file. Sort of as if you had written all of it yourself.

The configuration is telling the shade plugin not to move any files which end in .SF, .DSA or .RSA if they are included in a directory called META-INF.

So all you need to do is figure out which jar has those files.

First thing I would do is comment out the filter section and re-build. Then grep your shaded jar for those extensions. It might give you a clue to the package.

The -t option on the jar command will list all of the files in the archive without extracting them. In general jar syntax is pretty similar to tar.

jar -tvf target/myapp-1.0.3-SNAPSHOT.jar | grep -i dsa

META-INF/BCKEY.DSA

In my case it was pretty obvious. I had recently added Bouncy Castle as a dependency. BCKEY.DSA seems like it might be the Bouncy Castle Key.

To confirm I just performed the same action on the bouncy castle jar. Since I built this with maven the jar is in my local repository:

tar -tvf .m2/repository/org/bouncycastle/bcprov-jdk15on/1.48/bcprov-jdk15on-1.48.jar | grep -i dsa
-rwxrwxrwx  0 0      0           0 Feb  9  2013 META-INF/BCKEY.DSA