Eclipse Mqtt paho throws java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

Question

I am using mqtt as a client to get messagaes from the mqtt broker. Previously I had 0.2.1 which had a issue in clientId generation (greater than 23 characters would fail)

I saw the fix is done in later versions, so I upgraded to 1.0.1. I downloaded the 1.0.1 jar from the below repository

eclipse repo [/content/repositories/paho-releases/org/eclipse/paho/org.eclipse.paho.client.mqttv3/1.0.1/]

I get: Invalid signature file digest for Manifest main attribute

I googled and found solutions to fix the issue. I removed the META-INF and zipped the jar again. It solved my problem for the time being. But this should not be done as I understand.

I had found other fixes which didn't help, such as putting the below configuration in my pom.

<pre>
    <exclude>META-INF/*.SF</exclude>
    <exclude>META-INF/*.DSA</exclude>
    <exclude>META-INF/*.RSA</exclude>
</pre>

Later I ran jarsigner -verify org.eclipse.paho.client.mqttv3-1.0.1.jar

I got the following:

jar verified.

Warning: 
This jar contains entries whose signer certificate will expire within six months.

The signer certificate expiring in 6 months.

I am not sure if I should be downloading the same jar or not.

It's unclear exactly what your question is. Perhaps this is something you should report to the package maintainer? — Nate Barbettini, Jan 28 '15 at 12:26
I did put this question on eclipse forum also. But as they didn't reply yet, hence was wondering if someone might have already faced this issue. My question is am I downloading a wrong jar or in a wrong way that I am facing these issues (1) If I do not remove the META_INF from zip : I get Invalid signature file digest for Manifest main attribute, 2) the jar's certificate expiring in 6 months ) — nandini, Jan 28 '15 at 16:27
Gotcha, that makes sense. I'm not an Eclipse guy so I'm clueless on this one -- my hunch is that you're not doing anything wrong on your end, but hopefully someone more familiar with Eclipse can provide more help. — Nate Barbettini, Jan 28 '15 at 16:47
Thanks Nate. I have raised a bug on eclipse paho for the same issue. — nandini, Jan 28 '15 at 17:05

nandini · Answer 1 · 2015-02-04T02:26:21.677

Eclipse packages as and puts osgi bundles in their maven repo.
This is how I made it work:

download mqtt jar & pom from eclipse repo https://repo.eclipse.org/content/repositories/paho-releases/org/eclipse/paho/org.eclipse.paho.client.mqttv3/
download all its dependencies
unjar the jar
From META-INF/MANIFEST.MF remove all lines apart from first 3
```
Manifest-Version: 1.0 Bundle-Localization: bundle
Bundle-RequiredExecutionEnvironment: J2SE-1.4 
```
- Remove the certificates in META-INF folder
- now jar all the unjared files to the same jar name
- Upload in your maven repo

score 0 · Answer 2 · answered May 05 '22 at 01:45

I know I am late, but I was able to fix the problem by renaming the .class file which contained all of the MQTT stuff. I had originally named it MQTTListener. The moment I renamed it MQTTCommunicationModule (I know the new name is not great, it was only to verify my suspicion) the error went away.

My guess is I had given the class the same name as a class in the MQTT library which caused the conflict.

TL;DR: The error may be caused by creating a class with the same name as a class in the library.

Eclipse Mqtt paho throws java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

2 Answers2