Posted to log4j-dev@logging.apache.org by Roger Whitcomb <Ro...@actian.com> on 2015/07/09 22:49:57 UTC
Question about unsigned manifest entry in log4j-1.2.17.jar
Hi all,
I know that the 1.2 version is at EOL, and you've probably been asked this about a million times (although I can't find a mention doing a Jira search: "Zarro Boogs found.") Anyway, here's the scenario:
* Using some other Apache Commons libraries (Commons VFS, Commons Lang, etc.) and some other 3rd party jars also, so I end up using slf4j-log4j12-1.7.5.jar and then Log4J 1.2 (1.2.17 to be exact).
* This is an applet, so after Java 1.7.0_51 the applet has to be signed. No problem, buy a GoDaddy cert, sign all the .jars.
* Deploy the app and I'm still getting a security violation, and it *seems* to be from Log4j-1.2.17.jar which shows this in the log:
    cache: signed entry "org.apache.log4j" missing from jar http://..../log4j.jar (renamed, but same file as log4j-1.2.17.jar)
    cache: Create from verifier: JarSigningData{hasOnlySignedEntries=true, hasSingleCodeSource=true, hasMissingSignedEntries=true}
* The original manifest of the unsigned jar shows this:
    Manifest has 1 entries
    ---- Manifest entries for '..\lib\log4j-1.2.17.jar' ----
    Attributes for "org.apache.log4j":
        Implementation-Title: log4j
        Implementation-Version: 1.2.17
        DynamicImport-Package: *
        Implementation-Vendor: "Apache Software Foundation"
* The signed jar shows this:
    ...
    Attributes for "org/apache/log4j/net/SocketAppender.class":
        SHA-256-Digest: LxFYm4tW+Kv9eFGwLKiLhfNBAN9MsCR+LK0sf2nYqvA=
    Attributes for "org.apache.log4j":
        Implementation-Title: log4j
        Implementation-Version: 1.2.17
        DynamicImport-Package: *
        Implementation-Vendor: "Apache Software Foundation"
    Attributes for "org/apache/log4j/lf5/viewer/LogBrokerMonitor$LogBrokerMonitorWindowAdaptor.class":
        SHA-256-Digest: dhhD0bg0wh1M57GTaR48TXmWFyrCHPH79QFgq1a+rSw=
    ...
* Notice that this original manifest entry is not signed (no SHA-256-Digest entry).
* But "jarsigner -verify" reports everything as correct.
So, since 1.2 is EOL, any suggestions as to how I can resolve this issue? I suppose I can redo my logging bridges to use log4j-2.x, but does it have the same issue with the manifest entry? Or am I barking up the wrong tree and this really isn't the source of my security errors in the applet (although all the other jars report: cache: Create from verifier: JarSigningData{hasOnlySignedEntries=true, hasSingleCodeSource=true, hasMissingSignedEntries=false} except "log4j.jar").
Pardon if this should go to the users list, but I'm not subscribed there currently...
Thanks,
~Roger Whitcomb
Apache Pivot PMC Chair
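
Added example (not part of the original post and not Apache code): a Python check that lists the named manifest sections of a JAR that carry no *-Digest attribute, and says whether each name matches a real archive entry, which is the pattern the post shows for "org.apache.log4j". The sample JAR and its digest value are constructed; digests are not verified here.

```python
import io
import zipfile

def parse_sections(text):
    """Return {name: {attribute: value}} for the named sections of a MANIFEST.MF."""
    lines = []
    for raw in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]      # a leading space continues the previous line
        else:
            lines.append(raw)
    sections, current = {}, None
    for line in lines:
        if not line:
            current = None            # a blank line ends the section
            continue
        key, _, value = line.partition(": ")
        if key == "Name":
            current = sections.setdefault(value, {})
        elif current is not None:     # main-section attributes are skipped
            current[key] = value
    return sections

def audit_jar(jar_bytes):
    """Return (name, is_archive_entry) for each named section with no *-Digest."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        entries = set(jar.namelist())
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    return [(name, name in entries)
            for name, attrs in parse_sections(manifest).items()
            if not any(key.endswith("-Digest") for key in attrs)]

def build_sample_jar():
    """Constructed JAR: one digested class section, one package-style section."""
    manifest = (
        "Manifest-Version: 1.0\r\n\r\n"
        "Name: org/apache/log4j/net/SocketAppender.class\r\n"
        "SHA-256-Digest: CONSTRUCTED-PLACEHOLDER\r\n\r\n"
        "Name: org.apache.log4j\r\n"
        "Implementation-Title: log4j\r\n"
        "Implementation-Version: 1.2.17\r\n\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("org/apache/log4j/net/SocketAppender.class", b"constructed")
    return buf.getvalue()

if __name__ == "__main__":
    for name, present in audit_jar(build_sample_jar()):
        print(f"no digest: {name!r} (archive entry: {present})")
```

To check a real file, pass its bytes: audit_jar(open(path, "rb").read()).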