After updating to JDK 8u131, we cannot sign some jars anymore. We are using Ant's `<signjar>` task for signing. The signing fails with the following error:

```
[signjar] jarsigner: unable to sign jar: java.io.IOException:
    Invalid encoding: redundant leading 0s
```

It is interesting that sometimes the jars are signed successfully, and sometimes the signing fails. I found the following bug:

https://bugs.openjdk.java.net/browse/JDK-8175251

There, people suggest normalizing a pkcs12 file with the following commands:

```
openssl pkcs12 -in CodeSign.pfx -out key-and-cert -nodes
openssl pkcs12 -in key-and-cert -export -out CodeSign2.pfx
```

However, even after performing these commands and using the new key file I still get the same "redundant leading 0s" error.

The temporary workaround is to use JDK 8u112 or older.

Any ideas how to fix this issue?

ZhekaKozlov
  • Can you run signjar with verbose="true" and display the command (without the passwords)? And do you use the option 'tsaurl'? – Ronald Klop Sep 25 '17 at 13:55
  • @RonaldKlop I'm already signing with `verbose="true"` (there is nothing remarkable in the logs). And yes, I'm using `tsaurl="http://timestamp.digicert.com"` – ZhekaKozlov Oct 09 '17 at 04:34

1 Answer

We've encountered the same problem. The latest JDK, 1.8.0_151, seems to resolve the issue. A jar that was detected as invalid no longer is with `jarsigner -verify`.