Posted to log4j-dev@logging.apache.org by Roger Whitcomb <Ro...@actian.com> on 2015/07/09 22:49:57 UTC

Question about unsigned manifest entry in log4j-1.2.17.jar

Hi all,
I know that the 1.2 version is at EOL, and you've probably been asked this about a million times (although I can't find a mention doing a Jira search: "Zarro Boogs found.")  Anyway, here's the scenario:

* Using some other Apache Commons libraries (Commons VFS, Commons Lang, etc.) and some other 3rd party jars also, so I end up using slf4j-log4j12-1.7.5.jar and then Log4J 1.2 (1.2.17 to be exact).

* This is an applet, so after Java 1.7.0_51 the applet has to be signed.  No problem, buy a GoDaddy cert, sign all the .jars.

* Deploy the app and I'm still getting a security violation, and it *seems* to be from Log4j-1.2.17.jar which shows this in the log:
cache: signed entry "org.apache.log4j" missing from jar http://..../log4j.jar   (renamed, but same file as log4j-1.2.17.jar)
cache: Create from verifier: JarSigningData{hasOnlySignedEntries=true, hasSingleCodeSource=true, hasMissingSignedEntries=true}

* The original manifest of the unsigned jar shows this:
Manifest has 1 entries
---- Manifest entries for '..\lib\log4j-1.2.17.jar' ----
Attributes for "org.apache.log4j":
    Implementation-Title: log4j
    Implementation-Version: 1.2.17
    DynamicImport-Package: *
    Implementation-Vendor: "Apache Software Foundation"

* The signed jar shows this:
...
Attributes for "org/apache/log4j/net/SocketAppender.class":
    SHA-256-Digest: LxFYm4tW+Kv9eFGwLKiLhfNBAN9MsCR+LK0sf2nYqvA=
Attributes for "org.apache.log4j":
    Implementation-Title: log4j
    Implementation-Version: 1.2.17
    DynamicImport-Package: *
    Implementation-Vendor: "Apache Software Foundation"
Attributes for "org/apache/log4j/lf5/viewer/LogBrokerMonitor$LogBrokerMonitorWindowAdaptor.class":
    SHA-256-Digest: dhhD0bg0wh1M57GTaR48TXmWFyrCHPH79QFgq1a+rSw=
...

* Notice that this original manifest entry is not signed (no SHA-256-Digest entry).

* But "jarsigner -verify" reports everything as correct.

So, since 1.2 is EOL, any suggestions as to how I can resolve this issue?  I suppose I can redo my logging bridges to use log4j-2.x, but does it have the same issue with the manifest entry?  Or am I barking up the wrong tree and this really isn't the source of my security errors in the applet (although all the other jars report:  cache: Create from verifier: JarSigningData{hasOnlySignedEntries=true, hasSingleCodeSource=true, hasMissingSignedEntries=false} except "log4j.jar").

Pardon if this should go to the users list, but I'm not subscribed there currently...

Thanks,
~Roger Whitcomb
Apache Pivot PMC Chair
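The condition the mail describes, a per-entry manifest section ("Name: org.apache.log4j") that survives signing without any *-Digest attribute because its name is a package rather than a file in the archive, is easy to spot mechanically. The following check is an added example written for this thread; it is not Roger's code and not part of log4j or the JDK tooling. It parses MANIFEST.MF per the JAR spec (blank-line separated sections, leading-space continuation lines from the 72-byte wrap) and lists every named section that carries no digest. The sample manifest is constructed from the fragments quoted above (the two SHA-256 digests are the ones in the mail; the rest of the signed jar's entries are omitted), and the optional audit_jar helper runs the same check against a real jar on disk.

```python
import zipfile
from typing import Dict, List

# Constructed sample: a trimmed MANIFEST.MF in the shape described in the mail.
# The two SHA-256 digests are the ones quoted there; all other signed entries are
# omitted. The long class name is wrapped at 72 bytes with a leading-space
# continuation line, exactly as the jar tool writes it.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "\r\n"
    "Name: org/apache/log4j/net/SocketAppender.class\r\n"
    "SHA-256-Digest: LxFYm4tW+Kv9eFGwLKiLhfNBAN9MsCR+LK0sf2nYqvA=\r\n"
    "\r\n"
    "Name: org.apache.log4j\r\n"
    "Implementation-Title: log4j\r\n"
    "Implementation-Version: 1.2.17\r\n"
    "DynamicImport-Package: *\r\n"
    "Implementation-Vendor: \"Apache Software Foundation\"\r\n"
    "\r\n"
    "Name: org/apache/log4j/lf5/viewer/LogBrokerMonitor$LogBrokerMonitorWindo\r\n"
    " wAdaptor.class\r\n"
    "SHA-256-Digest: dhhD0bg0wh1M57GTaR48TXmWFyrCHPH79QFgq1a+rSw=\r\n"
)


def parse_manifest(text: str) -> List[Dict[str, str]]:
    """Parse MANIFEST.MF text into a list of sections (attribute -> value).

    Section 0 is the main section; each later section is a per-entry section
    introduced by a 'Name' attribute. A line starting with a single space is a
    continuation of the previous attribute value (JAR spec 72-byte line wrap).
    """
    logical: List[str] = []
    for raw in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # re-join a wrapped value
        else:
            logical.append(raw)

    sections: List[Dict[str, str]] = [{}]
    for line in logical:
        if line == "":
            if sections[-1]:  # blank line closes the current section
                sections.append({})
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed manifest line: {line!r}")
        sections[-1][key.strip()] = value.strip()
    if not sections[-1]:  # drop the empty section left by a trailing blank line
        sections.pop()
    return sections


def unsigned_named_sections(text: str) -> List[str]:
    """Return the Name of every per-entry section without a *-Digest attribute.

    jarsigner adds a digest only for sections whose Name matches an entry in
    the archive, so a pre-existing section like 'org.apache.log4j' (a package
    name, not a file) is left untouched and remains unsigned.
    """
    found: List[str] = []
    for section in parse_manifest(text)[1:]:
        name = section.get("Name")
        if name is None:
            continue
        if not any(key.endswith("-Digest") for key in section):
            found.append(name)
    return found


def audit_jar(path: str) -> Dict[str, List[str]]:
    """Run the check on a real jar: report undigested named sections, and
    which of those name no entry that actually exists in the archive."""
    with zipfile.ZipFile(path) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
        entries = set(zf.namelist())
    undigested = unsigned_named_sections(manifest)
    return {
        "undigested": undigested,
        "not_in_jar": [name for name in undigested if name not in entries],
    }


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        print(audit_jar(sys.argv[1]))  # e.g. python check_manifest.py log4j-1.2.17.jar
    else:
        print(unsigned_named_sections(SAMPLE_MANIFEST))  # ['org.apache.log4j']
```

On the constructed sample the only undigested named section is "org.apache.log4j", matching the "signed entry ... missing from jar" line in the cache log. Against a real signed jar, anything listed under "not_in_jar" is a manifest section that jarsigner -verify will happily accept (it only verifies entries that exist) but that a stricter verifier may count as a missing signed entry; the usual remedy is to drop or rename such sections in the manifest before signing.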