Re: [rdf4j-dev] Locationtech spatial4j is causing shaded jar problems due to signatures

David Smiley merged my PR, so this will get fixed in their next release.

Cheers,
Håvard


On 25 Dec 2018, at 13:48, Håvard Ottestad <hmottestad@xxxxxxxxx> wrote:

Pity.


The other locationtech projects are signed with PGP like rdf4j is, so they aren’t as problematic.

Easiest for us would be if they change their way of signing. 

Cheers,
Håvard


On 25 Dec 2018, at 12:23, Jeen Broekstra <jeen.broekstra@xxxxxxxxx> wrote:

A downgrade is not possible I'm afraid, the version in 2.3 does not support several features we require for geosparql support. There's also a licence incompatibility with that version iirc.

Cheers,

Jeen



On Tue, 25 Dec. 2018, 20:08 Håvard Ottestad <hmottestad@xxxxxxxxx> wrote:
I propose we downgrade to the spatial4j version we used in 2.3. 

Fat jars are very common in the industry. 

I’ve created an issue on LocationTech's GitHub, so maybe we can get them to create a new unsigned release.

Håvard

On 25 Dec 2018, at 01:48, Jeen Broekstra <jeen.broekstra@xxxxxxxxx> wrote:

I think I understand. First of all what I said earlier about rdf4j jars being signed, that's not quite correct. What rdf4j does is provide a PGP signature for the Maven artifacts - this is added as a separate file in the Maven repo, and is a Maven-specific verification mechanism. What spatial4j have done is sign the jar file itself, which is a different, Java-specific, signing mechanism.

The cause of the JNI error you're seeing is that you are including a signed jar (spatial4j) as a dependency, but then re-package that jar (using the shade plugin). When you run the repackaged jar, the JVM detects that the included signature is no longer valid (the jar has been modified after all). This is why changing the configuration of your shade plugin to remove the signature works.

So it's not really a problem in the spatial4j jar itself, nor in rdf4j, but in the fact that you're using the shade plugin to repackage things. It's worth putting a note to this effect in the documentation somewhere I guess.

Oh and a Merry Christmas right back at ya! And to everyone here as well of course :)

Cheers,

Jeen



On Tue, Dec 25, 2018 at 12:59 AM Håvard Ottestad <hmottestad@xxxxxxxxx> wrote:
Hi everyone,

Merry Christmas :)


The run.sh file will build and run the program. I use java 8, don’t know if that makes a difference.

You can play with two different versions of rdf4j, 2.3.2 works fine, 2.4.0 does not.

The workaround is commented out further down in the pom.xml file. It strips signatures from the spatial4j jars.

This is the error that I see:

Error: A JNI error has occurred, please check your installation and try again
Exception in thread "main" java.lang.SecurityException: Invalid signature file digest for Manifest main attributes
        at sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVerifier.java:330)
        at sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:263)
        at java.util.jar.JarVerifier.processEntry(JarVerifier.java:318)
        at java.util.jar.JarVerifier.update(JarVerifier.java:230)
        at java.util.jar.JarFile.initializeVerifier(JarFile.java:383)
        at java.util.jar.JarFile.getInputStream(JarFile.java:450)
        at sun.misc.URLClassPath$JarLoader$2.getInputStream(URLClassPath.java:977)
        at sun.misc.Resource.cachedInputStream(Resource.java:77)
        at sun.misc.Resource.getByteBuffer(Resource.java:160)
        at java.net.URLClassLoader.defineClass(URLClassLoader.java:454)
        at java.net.URLClassLoader.access$100(URLClassLoader.java:73)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:368)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:362)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:361)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:335)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
        at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:495)

Cheers,
Håvard

PS: Have a Christmas gif: https://imgur.com/a/Gentapt


On 23 Dec 2018, at 23:42, Jeen Broekstra <jeen.broekstra@xxxxxxxxx> wrote:

Actually, RDF4J itself produces signed jars as well. Artifacts being signed with a PGP signature is a requirement for being hosted on the Central repository.

But this SecurityException is worrying. Can you elaborate on the steps you did to get this error (and what you did to work around it)? I haven't personally seen it happen so I wonder what I am doing differently from you.

Jeen

On Mon, Dec 24, 2018 at 3:26 AM Håvard Ottestad <hmottestad@xxxxxxxxx> wrote:
Hi,

In the great Christmas spirit I’ve been using some spare time to do some coding. Fixing some bugs and bumping some versions.

When moving from 2.3.x to 2.4.x my project wouldn’t build anymore due to some java signature validation error.

[ERROR] Exit code: 1 - java.lang.SecurityException: Invalid signature file digest for Manifest main attributes

I’ve traced the error back to this jar file:

org.locationtech.spatial4j:spatial4j:jar

I’m not sure why they need to sign their jar. The only signed jars I’ve seen so far in my life have been the bouncycastle ones, which are crypto libraries.

I’ve found a workaround, but I’m not very happy with this being required of our users. 

Cheers,
Håvard
_______________________________________________
rdf4j-dev mailing list
rdf4j-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/rdf4j-dev
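
The failure mode explained in the thread (a signed jar's signature file carried into a repackaged jar whose manifest has changed), as an added example that is not part of the original messages or of the rdf4j or spatial4j code. It compares only the main-attributes digest recorded in each `META-INF/*.SF` file against the jar's current `MANIFEST.MF`; the jar contents, `SAMPLE.SF`, `example.Main` and all function names are constructed for illustration.

```python
import base64, hashlib, io, re, zipfile

DIGEST = re.compile(r"^([A-Za-z0-9-]+)-Digest-Manifest-Main-Attributes: (\S+)", re.M)

def main_attributes(manifest: bytes) -> bytes:
    """First manifest section, including the blank line that terminates it."""
    end = re.search(rb"\r?\n\r?\n", manifest)
    return manifest[:end.end()] if end else manifest

def stale_signature_files(jar_bytes: bytes) -> list:
    """Names of META-INF/*.SF files whose main-attributes digest no longer matches MANIFEST.MF."""
    stale = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        attrs = main_attributes(jar.read("META-INF/MANIFEST.MF"))
        for name in jar.namelist():
            if not re.fullmatch(r"META-INF/[^/]+\.SF", name, re.I):
                continue
            # Manifest-style files wrap at 72 bytes; a continuation line starts with one space.
            text = re.sub(r"\r?\n ", "", jar.read(name).decode("utf-8"))
            found = DIGEST.search(text)
            if not found:
                continue
            actual = hashlib.new(found.group(1).replace("-", "").lower(), attrs).digest()
            if base64.b64encode(actual).decode() != found.group(2):
                stale.append(name)
    return stale

def make_jar(entries: dict) -> bytes:
    """Build an in-memory jar (zip) from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()

# Constructed sample: a dependency whose .SF file records the digest of its own manifest.
DEP_MANIFEST = b"Manifest-Version: 1.0\r\nCreated-By: constructed-sample\r\n\r\n"
digest = base64.b64encode(hashlib.sha256(main_attributes(DEP_MANIFEST)).digest()).decode()
line = "SHA-256-Digest-Manifest-Main-Attributes: " + digest
SF = ("Signature-Version: 1.0\r\n" + line[:72] + "\r\n " + line[72:] + "\r\n\r\n").encode()
signed_dep = make_jar({"META-INF/MANIFEST.MF": DEP_MANIFEST, "META-INF/SAMPLE.SF": SF})

# Repackaging writes a new manifest for the fat jar but copies the old .SF file along.
FAT_MANIFEST = b"Manifest-Version: 1.0\r\nMain-Class: example.Main\r\n\r\n"
fat_jar = make_jar({"META-INF/MANIFEST.MF": FAT_MANIFEST, "META-INF/SAMPLE.SF": SF})
# The same fat jar with the signature file left out, as the shade-plugin workaround does.
stripped_jar = make_jar({"META-INF/MANIFEST.MF": FAT_MANIFEST})

if __name__ == "__main__":
    for label, jar in [("signed dependency", signed_dep), ("fat jar", fat_jar), ("stripped fat jar", stripped_jar)]:
        print(label, "->", stale_signature_files(jar) or "no stale signature files")
```

Stripping the signature files makes the fat jar load, and it also means the JVM no longer checks the integrity of those classes at load time, so dependency verification has to happen at build time, for example against the PGP signatures published in the Maven repository.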