Signer information does not match

Question

I'm receiving the following error on log file.

(java.lang.SecurityException: class "com.adventnet.snmp.snmp2.SecurityModelTable"'s signer information does not match signer information of other classes in the same package thrown

The thing is when I run the below command, it says the jar is verified.

/usr/jdk/instances/jdk1.5.0/bin/jarsigner -verify -verbose Jarfile.jar

If the jar file is verified then how can this problem occur?

Answer 1

It means that you have two or more classes in the same package with different signature data. Usually that means the classes come from different JARs, one of which is signed and the other is unsigned.

Answer 2

Check the pom dependency tree for same packages of different versions.

I had this issue with itext-2.1.7 including old bouncycastle's bcpkix that was included in a later version elsewhere.

Use this pattern:

<dependency>
  package X
  <exclusions>
    <exclusion>
      old package Y
    </exclusion>
  </exclusions>
</dependency>

<dependency>
  latest package Y
</dependency>

Update: To check the dependency tree details of package_Y you can use mvn dependency:tree -Dverbose -Dincludes=package_Y. For more info check maven documentation on resolving dependency tree problems. Also Eclipse has quite a nice dependency tree viewer.

Answer 3

I encountered this exception while running a Scala/Spark project in Eclipse (Mars) on Windows and it prevented me from debugging and running the project in the IDE. The project used a Maven pom.xml file. It took a while to resolve, so I'm posting detailed steps here to help others:

1. Go to the folder where your project pom.xml file is
2. Run the command: mvn dependency:tree -Dverbose >Depends.Txt Make sure you don't have a Depends.Txt or it will be overwritten!
3. Search in the Depends.Txt file for the unsigned class that the Eclipse IDE is complaining about. In my case, it was javax.servlet.

4. You may find it in a section that looks like this:

   +- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.6.0:provided

   +- javax.servlet:servlet-api:jar:2.5:provided

5. The Maven group ID that you want to exclude the duplicate class from in the above is: hadoop-mapreduce-client-core

6. Add an exclusions section listing the groupid of the exclusion in the pom.xml after the offending package. In my case, this was the groupid javax.servlet.

7. Note that you can't resolve this issue by reordering the Java build path as some have posted for a similar problem.

Answer 4

I encountered this issue in a Spring boot application. My issue was that I had JUnit on the build path which has Org.hamcrest.Matchers.* and Hamcrest which was resident in the library of the Spring framework in my pom.xml for the Eclipse repository. What I did was remove JUnit from my build path and included it only in my pom.xml. My application depended on Maven for JUnit and the *Matchers, so somehow you have two jars for one need, maybe as a library and as a configuration file.