Re: [rdf4j-dev] Locationtech spatial4j is causing shaded jar problems due to signatures

Makes sense actually, although it is indeed rare to see signed jars,

but you don't want those self-flying sleighs loaded with presents being hijacked by naughty hackers using spoofed jars...

(doesn't entirely prevent it of course, but it's a start...)


Bart


From: rdf4j-dev-bounces@xxxxxxxxxxx <rdf4j-dev-bounces@xxxxxxxxxxx> on behalf of Håvard Ottestad <hmottestad@xxxxxxxxx>
Sent: Sunday, December 23, 2018 5:26:23 PM
To: rdf4j developer discussions
Subject: [rdf4j-dev] Locationtech spatial4j is causing shaded jar problems due to signatures
 
Hi,

In the great Christmas spirit I’ve been using some spare time to do some coding. Fixing some bugs and bumping some versions.

When moving from 2.3.x to 2.4.x my project wouldn’t build anymore due to some Java signature validation error.

[ERROR] Exit code: 1 - java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

I’ve traced the error back to this jar file:

org.locationtech.spatial4j:spatial4j:jar

I’m not sure why they need to sign their jar. The only signed jars I’ve seen so far in my life have been the bouncycastle ones, which are crypto libraries.

I’ve found a workaround, but I’m not very happy with this being required of our users. 

Cheers,
Håvard
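
The error quoted in this thread, reproduced as an added example (not code from the thread or from the rdf4j or spatial4j projects): a signed jar's META-INF/*.SF file records a digest of the MANIFEST.MF main attributes, and a shaded jar that carries that .SF file alongside a different manifest no longer matches it. The jar contents and the EXAMPLE.* entry names are constructed, and the check covers only the main-attributes digest, not per-entry digests or the signature block.

```python
import base64, hashlib, io, re, zipfile

SIG_RE = re.compile(r"^META-INF/[^/]+\.(SF|RSA|DSA|EC)$", re.I)
DIGEST_RE = re.compile(
    rb"^([A-Za-z0-9-]+)-Digest-Manifest-Main-Attributes: (\S+)\r?$", re.M)

def main_section(manifest):
    """Main attributes of MANIFEST.MF, up to and including the first blank line."""
    m = re.search(rb"\r?\n\r?\n", manifest)
    return manifest[:m.end()] if m else manifest

def check_jar(jar_bytes):
    """Return (signature_entries, stale_sf_files) for a jar given as bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        sig_entries = sorted(n for n in names if SIG_RE.match(n))
        has_mf = "META-INF/MANIFEST.MF" in names
        main = main_section(jar.read("META-INF/MANIFEST.MF") if has_mf else b"")
        stale = []
        for name in sig_entries:
            if not name.upper().endswith(".SF"):
                continue
            for alg, b64 in DIGEST_RE.findall(jar.read(name)):
                # "SHA-256" in the .SF header maps to hashlib's "sha256"
                h = hashlib.new(alg.decode().replace("-", "").lower(), main)
                if base64.b64encode(h.digest()) != b64:
                    stale.append(name)  # the JVM rejects this jar at load time
                    break
    return sig_entries, stale

def make_jar(manifest, sf):
    """Build a constructed jar in memory: a manifest plus signature files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/EXAMPLE.SF", sf)
        z.writestr("META-INF/EXAMPLE.RSA", b"constructed placeholder")
    return buf.getvalue()

def demo():
    # Constructed data: the library's own manifest and the .SF that matches it.
    lib_mf = b"Manifest-Version: 1.0\r\nCreated-By: library build\r\n\r\n"
    digest = base64.b64encode(hashlib.sha256(lib_mf).digest())
    sf = (b"Signature-Version: 1.0\r\n"
          b"SHA-256-Digest-Manifest-Main-Attributes: " + digest + b"\r\n\r\n")
    # Shading writes a new manifest but copies the library's .SF/.RSA as-is.
    shaded_mf = b"Manifest-Version: 1.0\r\nMain-Class: example.App\r\n\r\n"
    return check_jar(make_jar(lib_mf, sf)), check_jar(make_jar(shaded_mf, sf))

if __name__ == "__main__":
    print(demo())
```

Running `check_jar` over a build's output jar shows whether signature files from a dependency were carried into it and whether they still match the manifest.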
