I am using maven-assembly-plugin to build my deployment package. One of our dependency JARs is bcprov-jdk15on.jar, which is a signed JAR. I am using a Proguard shrinking step on top of the maven-assembly-plugin. Proguard basically removes some classes from bcprov-jdk15on.jar, which causes the JAR signature verification to fail when the JVM loads the class.
I am getting this error stack trace:
java.lang.SecurityException: SHA-256 digest error for org/bouncycastle/tsp/TSPException.class
at sun.security.util.ManifestEntryVerifier.verify(ManifestEntryVerifier.java:223) ~[?:1.8.0_201]
at java.util.jar.JarVerifier.processEntry(JarVerifier.java:243) ~[?:1.8.0_201]
at java.util.jar.JarVerifier.update(JarVerifier.java:230) ~[?:1.8.0_201]
at java.util.jar.JarVerifier$VerifierStream.read(JarVerifier.java:484) ~[?:1.8.0_201]
at sun.misc.Resource.getBytes(Resource.java:124) ~[?:1.8.0_201]
at java.net.URLClassLoader.defineClass(URLClassLoader.java:463) ~[?:1.8.0_201]
at java.net.URLClassLoader.access$100(URLClassLoader.java:74) ~[?:1.8.0_201]
at java.net.URLClassLoader$1.run(URLClassLoader.java:369) ~[?:1.8.0_201]
at java.net.URLClassLoader$1.run(URLClassLoader.java:363) ~[?:1.8.0_201]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_201]
at java.net.URLClassLoader.findClass(URLClassLoader.java:362) ~[?:1.8.0_201]
at java.lang.ClassLoader.loadClass(ClassLoader.java:424) ~[?:1.8.0_201]
at java.lang.ClassLoader.loadClass(ClassLoader.java:357) ~[?:1.8.0_201]
I can simply use keep options in my Proguard configuration to make this work (no signature verification error). However, since this JAR is pretty big in size (4MB), I want to actually use it against this particular bcprov-jdk15on.jar.
Is there a way to unsign a dependency JAR using maven-assembly-plugin?
According to this, I need to simply remove the Manifest file and all the signature-related files (.SF, .DSA)? Is there a way to exclude the META-INF folder from dependencySets using maven-assembly-plugin?
Thank you.
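An added example, not part of the original post: an assembly descriptor that unpacks bcprov-jdk15on through its own dependencySet and leaves out the signature files, so the JVM treats the shrunk classes as unsigned instead of checking stale digests. It assumes the assembly merges unpacked dependencies into one JAR; the descriptor id and the second dependencySet are illustrative.

```xml
<assembly xmlns="http://maven.apache.org/ASSEMBLY/2.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/ASSEMBLY/2.0.0 http://maven.apache.org/xsd/assembly-2.0.0.xsd">
  <id>dist</id> <!-- hypothetical id -->
  <formats>
    <format>jar</format>
  </formats>
  <includeBaseDirectory>false</includeBaseDirectory>
  <dependencySets>
    <!-- Bouncy Castle only: unpack it and drop everything that makes it "signed" -->
    <dependencySet>
      <outputDirectory>/</outputDirectory>
      <useProjectArtifact>false</useProjectArtifact>
      <unpack>true</unpack>
      <includes>
        <include>org.bouncycastle:bcprov-jdk15on</include>
      </includes>
      <unpackOptions>
        <excludes>
          <!-- signature files and signature blocks -->
          <exclude>META-INF/*.SF</exclude>
          <exclude>META-INF/*.DSA</exclude>
          <exclude>META-INF/*.RSA</exclude>
          <exclude>META-INF/*.EC</exclude>
          <!-- the dependency's manifest carries the per-class SHA-256 digests -->
          <exclude>META-INF/MANIFEST.MF</exclude>
        </excludes>
      </unpackOptions>
    </dependencySet>
    <!-- every other dependency, unpacked unchanged -->
    <dependencySet>
      <outputDirectory>/</outputDirectory>
      <useProjectArtifact>true</useProjectArtifact>
      <unpack>true</unpack>
      <excludes>
        <exclude>org.bouncycastle:bcprov-jdk15on</exclude>
      </excludes>
    </dependencySet>
  </dependencySets>
</assembly>
```

Running `jarsigner -verify` on the assembled archive should then report it as unsigned. Oracle's JDK will not use JCE services (such as `Cipher`) from a provider JAR that is no longer signed, so this suits code that calls Bouncy Castle's own classes directly.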