Introduction
When working with Java applications, particularly when dealing with JAR files, you might encounter the error:
java.lang.SecurityException: Invalid signature file digest for Manifest main attributes
This error typically occurs when a signed JAR file has been modified, corrupted, or is incompatible with the Java runtime. In this post, we'll break down the issue, debug it, troubleshoot possible causes, and provide multiple solutions to fix it permanently.
Understanding the Problem Statement
Why Does This Error Happen?
- The JAR file was signed but later modified, breaking its digital signature.
- A dependency in your project (especially from a remote Maven repository) is corrupted or incorrectly signed.
- Java version incompatibility (different versions handle JAR signing differently).
- IntelliJ IDEA, Maven, or Gradle caching issues.
- Incorrectly packaged JAR due to build misconfiguration.
- JAR contains third-party libraries with outdated or conflicting signatures.
How to Debug and Identify the Issue
Before applying a fix, let’s find out the root cause.
1. Check the Java Version
Run the following command to ensure you're using a compatible Java version:
java -version
If you are using an older or a newer version than expected, try switching to a different version using SDKMAN! or manually setting the correct version.
sdk use java 11.0.16-amzn
2. Verify the Problematic JAR File
Identify the JAR causing the issue:
jar tvf yourfile.jar | grep META-INF
If the JAR is signed, you'll see .SF and .RSA (or .DSA) files in the META-INF/ directory. If any changes were made to the JAR after it was signed, the signature is no longer valid.
3. Check for Maven or Gradle Dependency Issues
If you're using Maven, try running:
mvn dependency:tree
Check if any third-party dependencies could be causing the issue. If you see a suspicious dependency, try excluding or updating it.
For Gradle users:
gradle dependencies
Troubleshooting and Fixing the Issue
Method 1: Rebuild the JAR Without Signature
If you are building the JAR yourself, first verify its signature:
jarsigner -verify -verbose -certs yourfile.jar
If verification fails, repackage it without the signature by deleting the signature entries from META-INF/:
zip -d yourfile.jar 'META-INF/*.SF' 'META-INF/*.RSA' 'META-INF/*.DSA'
Then, rebuild the project and check again.
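To make the failing check concrete, here is an added Python example (not code from the original post) that models it over a constructed sample JAR: it lists the signature entries the jar tvf command above would show, recomputes the digest of the manifest's main attributes and compares it with the SHA-256-Digest-Manifest-Main-Attributes value recorded in the .SF file, simulates a build step that rewrites the manifest while carrying the old .SF/.RSA entries along unchanged (the usual way a repackaged or fat JAR ends up with this error), and finally strips the signature entries the way the zip -d command does. The section splitting and digest encoding are a simplified model of what the JDK's verifier does (assumptions: a section ends at the first blank line, no 72-byte line wrapping); the .RSA entry is a placeholder rather than a real signature block, and names such as EXAMPLE.SF and hello.txt are made up.

```python
import base64
import hashlib
import io
import re
import zipfile

# Entries under META-INF/ with these suffixes are signature files or signature blocks.
SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")
MAIN_ATTRS_KEY = b"SHA-256-Digest-Manifest-Main-Attributes"


def main_section(manifest: bytes) -> bytes:
    """Main-attributes section of a manifest, including the blank line that ends it.
    Simplified model (assumption): the section ends at the first empty line (CRLF or LF);
    72-byte line wrapping and other manifest edge cases are not handled."""
    m = re.search(rb"\r?\n\r?\n", manifest)
    return manifest if m is None else manifest[: m.end()]


def b64_sha256(data: bytes) -> str:
    # Digest encoding used in manifests and .SF files: base64 of the raw SHA-256.
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_sample_jar() -> bytes:
    """Constructed sample JAR: a manifest, an EXAMPLE.SF whose main-attributes digest
    matches that manifest, and a placeholder EXAMPLE.RSA (not a real PKCS#7 block)."""
    payload = b"hello\n"
    manifest = b"".join([
        b"Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n",
        b"Name: hello.txt\r\nSHA-256-Digest: ", b64_sha256(payload).encode(), b"\r\n\r\n",
    ])
    sf = b"".join([
        b"Signature-Version: 1.0\r\n",
        MAIN_ATTRS_KEY, b": ", b64_sha256(main_section(manifest)).encode(), b"\r\n",
        b"SHA-256-Digest-Manifest: ", b64_sha256(manifest).encode(), b"\r\n",
        b"Created-By: example\r\n\r\n",
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/EXAMPLE.SF", sf)
        zf.writestr("META-INF/EXAMPLE.RSA", b"PLACEHOLDER-SIGNATURE-BLOCK")
        zf.writestr("hello.txt", payload)
    return buf.getvalue()


def signature_files(jar: bytes) -> list:
    """What 'jar tvf x.jar | grep META-INF' reveals: the .SF and signature block entries."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        return [n for n in zf.namelist()
                if n.startswith("META-INF/") and n.upper().endswith(SIG_SUFFIXES)]


def check_main_attrs_digest(jar: bytes) -> tuple:
    """Model of the check behind the error: recompute the digest of the manifest's main
    section and compare it with the value each .SF recorded. Returns (ok, expected, actual)."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        actual = b64_sha256(main_section(zf.read("META-INF/MANIFEST.MF")))
        for name in signature_files(jar):
            if not name.upper().endswith(".SF"):
                continue
            m = re.search(rb"^" + MAIN_ATTRS_KEY + rb": (\S+)", zf.read(name), re.M)
            expected = m.group(1).decode() if m else ""
            if expected != actual:
                return False, expected, actual
    return True, actual, actual


def _copy_jar(jar: bytes, keep, override: dict) -> bytes:
    # Copy entries that pass keep(), substituting any content given in override.
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if keep(name):
                dst.writestr(name, override.get(name, src.read(name)))
    return out.getvalue()


def rewrite_manifest(jar: bytes, new_manifest: bytes) -> bytes:
    """Simulate a build step that rewrites MANIFEST.MF (adding Main-Class, say) while the
    old .SF/.RSA entries are carried along unchanged: the typical way this error arises."""
    return _copy_jar(jar, keep=lambda n: True, override={"META-INF/MANIFEST.MF": new_manifest})


def strip_signature(jar: bytes) -> bytes:
    """Equivalent of: zip -d yourfile.jar 'META-INF/*.SF' 'META-INF/*.RSA' 'META-INF/*.DSA'
    (with .EC blocks included). The JAR can no longer be verified afterwards."""
    sigs = set(signature_files(jar))
    return _copy_jar(jar, keep=lambda n: n not in sigs, override={})


if __name__ == "__main__":
    jar = build_sample_jar()
    print("signature files:", signature_files(jar))
    print("intact JAR passes:", check_main_attrs_digest(jar)[0])
    tampered = rewrite_manifest(
        jar, b"Manifest-Version: 1.0\r\nCreated-By: example\r\nMain-Class: app.Main\r\n\r\n")
    ok, expected, actual = check_main_attrs_digest(tampered)
    print("after manifest rewrite:", ok, "| .SF says", expected, "| manifest is", actual)
    print("after stripping:", signature_files(strip_signature(tampered)))
```

Stripping the signature silences the check but also discards the only integrity evidence the JAR carried, so for a third-party dependency prefer a fresh copy from the repository (Method 5) and reserve stripping for JARs you build yourself and can re-sign. Note that jarsigner writes .EC signature blocks for EC keys, which the zip -d command above does not remove.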
Method 2: Clear the Local Maven Repository (Maven Issue)
Sometimes, Maven downloads a corrupted dependency. Try deleting and redownloading dependencies:
rm -rf ~/.m2/repository
mvn clean package
If the issue persists, manually delete the problematic JAR from ~/.m2/repository and download a fresh copy:
mvn dependency:purge-local-repository
mvn clean install
Method 3: Invalidate IntelliJ IDEA Cache
If you're working in IntelliJ IDEA, caching issues may cause this error. Try the following:
- Go to File > Invalidate Caches / Restart
- Select Invalidate and Restart
- Clean and rebuild your project
mvn clean package
If you use Gradle:
gradle clean build
Method 4: Ensure Java Version Compatibility
If your Java version is causing the issue, switch to a compatible version and rebuild the project.
For Maven, specify the Java version in pom.xml:
<properties>
    <maven.compiler.source>11</maven.compiler.source>
    <maven.compiler.target>11</maven.compiler.target>
</properties>
For Gradle, add this in build.gradle:
targetCompatibility = JavaVersion.VERSION_11
sourceCompatibility = JavaVersion.VERSION_11
Method 5: Redownload the JAR from a Trusted Source
If you suspect the JAR is corrupted, download it manually from a trusted source (e.g., Maven Central Repository, official vendor website) and replace the existing one.
wget https://repo.maven.apache.org/maven2/.../yourfile.jar
Permanent Solutions
1. Avoid Modifying Signed JARs
If your application depends on signed JARs, avoid modifying them after signing. Use a different packaging strategy to prevent accidental tampering.
2. Use jarsigner to Re-sign JARs
If you control the JAR, you can re-sign it with a valid key:
jarsigner -keystore mykeystore.jks -storepass changeit yourfile.jar myalias
3. Automate JAR Verification in CI/CD
To prevent invalid JARs from being used, integrate a verification step in your CI/CD pipeline:
jarsigner -verify -certs yourfile.jar
If the verification fails, reject the build to avoid issues in production.
Conclusion
This error is raised by Java's verification of signed JAR files when the digest recorded in the signature file no longer matches the manifest. Depending on the scenario, the best fix may be:
- Rebuilding the JAR without a signature (if applicable)
- Cleaning and redownloading dependencies
- Switching to a compatible Java version
- Invalidating IDE or Maven caches
- Ensuring that all JAR files come from trusted sources
By following these debugging and troubleshooting steps, you can resolve the issue and prevent it from occurring in the future.
Have You Encountered This Issue?
Let me know your experience in the comments below! If you found another fix, feel free to share it. 🚀