Verifying jar files programmatically

Similar Messages

• Error:verifier jar file not found

  Hi,
  I found problem "verifier jar file not found" while building a package in Aspects Developer Evaluation version.
  Pls guide me regarding my problem if any body could.

  Include the offcardverifier.jar file in your classpath, you will find this file under $java_card_kit-2_2_2\lib
  Regards,
  Amr.

• Creating JAR files programmatically

  I am trying to create JAR files programmatically using the java.util.zip and java.util.jar APIs. I am starting with just a set of directories containing .class files. I can seem to make the JAR but if I try to use any of the classes in it they don't work. But, if I unzip the JAR using WinZip, the classes are usable. So I am somehow building the JAR file incorrectly. Does anyone have any ideas or suggestions? The code is pretty long so I won't post it yet but I can send it to you if you'd like to see it. Contact by email if you'd like to see the code. Thanks.

  What paths are you encoding? Here are a couple of rules:
  1 - All paths are '/' separated, and do not begin with a '/'.
  2 - All paths are relative (see 1) and contain the exact package name of the class, plus the class.
  E.G., the class java.lang.Object would look like this in your jar:
  java/lang/Object.classNothing more or less.

• Aspects Developer "Verifier jar file not found error"

  Hello all.
  I'm working in a Java Card project and I have some troubles.
  When I tried to compile, verify and load my solution in Aspects Developer's Software, I achieved the following error message: " could not found Verifier jar file".
  So I couldn't test my applet nor simulate it.
  Then I compiled myself (with Java Card's commands) and execute the verifier file provided with Java Card, and all was good, so i decided to test my java card applet on the simulator or the real card, both with Aspects Developer SW.
  Then the error I got was "Read past end of stream".
  What am I doing in the wrong way?What can I do test my applet in a Simulator?
  Thank very much for your help.
  Regards.
  Mike L.

  Hi,
  This error message indicates that an incompatible version of the Java JDK is being used with Developer.
  The release notes distributed with Developer are a little misleading. Currently Developer supports Java JDK versions greater than 1.2.2 but not 1.4.x. For example, I have JDK 1.3.1_06 installed on my machine.
  Developer currently supports JavaCard development kit 2.1.2 and this specification restricts the versions of JDK that can be used. For more detail look at JCDevKit_User_Guide.pdf which can be found under <JAVA_CARD_INSTALL_DIR>\java_card_kit-2_1_2\doc\en\guides
  Cheers,
  Alasdair

• Verifying signed jar files programmatically

  Hi,
  We need to verify the signatures of jar files without using system commands ( e.g. jarsigner.exe ).
  The code below is how I tried to extract the certificates associated with the jar entries:
  FileInputStream fileIs = new FileInputStream( somefile );
  boolean verify = true;
  JarInputStream jarIs = new java.util.jar.JarInputStream( fileIs, verify );
  JarEntry entry = null;
  while ( ( entry = jarIs.getNextJarEntry() ) != null ) {
  if ( !entry.isDirectory() && ! isManifest( entry ) ) {
  ... read entire the byte stream associated with the entry
  Certificate[] certs = entry.getCertificates();
  // certs always returns null
  I am not able to extract certificates associated with the jarentries this way, because the entry.getCertificates always return null.
  What is it that I do not understand? Is there a way to do this?
  regards,
  jorrit

  I got the same problem. And I have done some experiment. The code below it works. Note: in order to use the code direcctly, the last entry has to be class that has a certificate. You might try with a signed jar that have only one class inside. I am lazy to write for other cases.
     try {
        File file = new File(jarFilename);
        FileInputStream fileIs = new FileInputStream(file);
        boolean verify = true;
        JarInputStream jarIs =
              new java.util.jar.JarInputStream(fileIs, verify);
        JarEntry entry = null;
        JarEntry Entry = null;
        while ((entry = jarIs.getNextJarEntry()) != null ) {
           if (!entry.isDirectory()) {
              Entry = entry;
        Certificate[] certs = Entry.getCertificates();
        if(certs == null)
           System.out.println("The entry has no certificate.");
        else {
           System.out.println(Array.getLength(certs));
           for(int i = 0; i < Array.getLength(certs); i++)
              System.out.println(certs.toString());
  } catch (Exception e) {
  System.out.println("Something went wrong.");
  System.out.println(e.toString());
  The problem is that we need to read the jarIs until you reach the last entry before you getCertificates. I sounds stupid, isn't it.
  Enjoy your work.
  Nawa

• Create a jar file programmatically using runtime.getruntime??

  try
                 String s[]={"cmd.exe","/c","C:\\programfiles\\java\\jdk1.6.0\\bin\\jar.exe","-cfm","jarname.jar","manifest.mft","classes.class"};
                 Runtime.getRuntime().exec(s);
            catch(Exception er)
            }i want to ask, why this code doestn work, i want to create a jar file using the runtime.getruntime.exec command..
  please correct me, thanks
  is it possible??
  thanks,

  Probably because the working directory is not where you expect so does not contain the 'classes' directory or the manifest file. You can define the working directory by using the exec() command that has 3 arguments (setting the second to null) or you can use the full paths to the files/directories.
  If you have no done so then you should certainly read
  http://www.javaworld.com/javaworld/jw-12-2000/jw-1229-traps.html
  Edit: I just looked again at your post - 'classes.class' seems a funny name for your class file or for the root directory for your class files. Have you tested the 'jar' command from the command line? if not then do so.
  Edited by: sabre150 on Jan 8, 2008 9:54 AM

• Problem in Creating a jar file using java.util.jar and deploying in jboss 4

  Dear Techies,
  I am facing this peculiar problem. I am creating a jar file programmatically using java.util.jar api. The jar file is created but Jboss AS is unable to deploy this jar file. I have also tested that my created jar file contains the same files. When I create a jar file from the command using jar -cvf command, Jboss is able to deploy. I am sending the code , please review it and let me know the problem. I badly require your help. I am unable to proceeed in this regard. Please help me.
  package com.rrs.corona.solutionsacceleratorstudio.solutionadapter;
  import java.io.File;
  import java.io.FileInputStream;
  import java.io.FileOutputStream;
  import java.util.jar.JarEntry;
  import java.util.jar.JarOutputStream;
  import java.util.jar.Manifest;
  import com.rrs.corona.solutionsacceleratorstudio.SASConstants;
  * @author Piku Mishra
  public class JarCreation
       * File object
       File file;
       * JarOutputStream object to create a jar file
       JarOutputStream jarOutput ;
       * File of the generated jar file
       String jarFileName = "rrs.jar";
       *To create a Manifest.mf file
       Manifest manifest = null;
       //Attributes atr = null;
       * Default Constructor to specify the path and
       * name of the jar file
       * @param destnPath of type String denoting the path of the generated jar file
       public JarCreation(String destnPath)
       {//This constructor initializes the destination path and file name of the jar file
            try
                 manifest = new Manifest();
                 jarOutput = new JarOutputStream(new FileOutputStream(destnPath+"/"+jarFileName),manifest);
            catch(Exception e)
                 e.printStackTrace();
       public JarCreation()
       * This method is used to obtain the list of files present in a
       * directory
       * @param path of type String specifying the path of directory containing the files
       * @return the list of files from a particular directory
       public File[] getFiles(String path)
       {//This method is used to obtain the list of files in a directory
            try
                 file = new File(path);
            catch(Exception e)
                 e.printStackTrace();
            return file.listFiles();
       * This method is used to create a jar file from a directory
       * @param path of type String specifying the directory to make jar
       public void createJar(String path)
       {//This method is used to create a jar file from
            // a directory. If the directory contains several nested directory
            //it will work.
            try
                 byte[] buff = new byte[2048];
                 File[] fileList = getFiles(path);
                 for(int i=0;i<fileList.length;i++)
                      if(fileList.isDirectory())
                           createJar(fileList[i].getAbsolutePath());//Recusive method to get the files
                      else
                           FileInputStream fin = new FileInputStream(fileList[i]);
                           String temp = fileList[i].getAbsolutePath();
                           String subTemp = temp.substring(temp.indexOf("bin")+4,temp.length());
  //                         System.out.println( subTemp+":"+fin.getChannel().size());
                           jarOutput.putNextEntry(new JarEntry(subTemp));
                           int len ;
                           while((len=fin.read(buff))>0)
                                jarOutput.write(buff,0,len);
                           fin.close();
            catch( Exception e )
                 e.printStackTrace();
       * Method used to close the object for JarOutputStream
       public void close()
       {//This method is used to close the
            //JarOutputStream
            try
                 jarOutput.flush();
                 jarOutput.close();
            catch(Exception e)
                 e.printStackTrace();
       public static void main( String[] args )
            JarCreation jarCreate = new JarCreation("destnation path where jar file will be created /");
            jarCreate.createJar("put your source directory");
            jarCreate.close();

  Hi,
  I have gone through your code and the problem is that when you create jar it takes a complete path address (which is called using getAbsolutePath ) (when you extract you see the path; C:\..\...\..\ )
  You need to truncate this complete path and take only the path address where your files are stored and the problem must be solved.

• How to use jar -C programmatically

  Hi,
  I am creating a jar file programmatically.
  I want to use jar -C option.
  e.g jar -cvf myjar.jar -C anotherDir .
  Can anybody tell me how to do it?

  Hi,
  I am creating a jar file programmatically.
  I want to use jar -C option.
  e.g jar -cvf myjar.jar -C anotherDir .
  Can anybody tell me how to do it?Why not offer dukes man :-)
  Sq2000

• Modifying JAR file using java.util.jar package  over the network

  Hello,
  I am modifying a JAR file programmatically using java.util.jar package. The time taken to save the contents to a local disk is very less (around 1 sec) . When I tried modifying the JAR from a remote machine over the network (from mapped drive or shared folder of WIN NT), the time taken to save is 15-20 times more.
  I am recreating the whole JAR while modifying. Is there any way to improve the performance. Or is it possible to write only the changed files?
  Thanks,
  Prasad Y S.

  When you "update" a jar file, you must always recreate it from scratch.

• Is it possible to verify a signed jar-file from a program?

  Is it possible to verify a signed jar-file from a program
  (using some API) likewise jarsigner does?

  Is it possible to verify a signed jar-file from a
  program
  (using some API) likewise jarsigner does?Hi,
  You would have to open the jarfile, read each jar entry and for each of them do a getCertificates() and then in turn verify each certificate with the public key of the enclosed certificates in the jar file.
  An easier solution would be to use the verify flag of the JarFile or JarInputStream.
  Hope it helps..
  Cheers,
  Vijay

• Verify modified jar files

  Hi all,
  I would like to address a few issues that I have with signed jar files.
  1. I have signed a jar file and am still able to open and change in WinZip. Can I encrypt it so that the contents are not visible in WinZip. If I have an XML or a Text file. I can still change it in WinZip and after I verify it, it verifies successfully, even though the file structure and time-stamp changed.
  Web Start does not recognize the change in the time-stamp because the time on the client is newer than the timestamp of the jar file on the server and hence It does not update.
  Any ones thoughs?
  Thank you
  Sameer Jaffer

  1. I have signed a jar file and am still able to open
  and change in WinZip.Which is correct behaviour.
  A signed jar is a jar which comes with a list of signatures for
  its entries.
  The META-INF/MANIFEST.MF lists entries plus their cryptographic hash number.
  The idea is not to hide content, but to show that the contents are authentic, by providing others a means to calculate and compare cryptographic hash numbers.
  Can I encrypt it so that the
  contents are not visible in WinZip. If I have an XML
  or a Text file. I can still change it in WinZip and
  after I verify it, it verifies successfully, This is strange. I guess that xml or test file doesn't show up in the manifest.
  It should look like this:
  Manifest-Version: 1.0
  Main-Class: com.foo.bar
  Created-By: 1.3.0 (IBM Corporation)
  Name: org/w3c/dom/html/HTMLDivElement.class
  SHA1-Digest: KEGYSI2N6pAlc/5X7uVJu8JgEz0=
  Name: com/klg/jclass/util/swing/icons/JCBraceIcon32.gif
  SHA1-Digest: WPiVbRyUePXzwDmBwRJVAsrN6Qo=
  Because you should have provided a new hash once you changed the entry.
  Otherwise Web Start, when verifying the entries (which means it calculates its own hash numbers of the jar entries and then compares them to the hash number listed in the manifest) should complain.
  Regards,
  Marc

• Can I progamatically sign a jar file?  i.e. w/o jarsigner tool

  Hi,
  I am new to development and am using Ant to build my packages.
  I need to sign the jar files that I produce, and now the only way I know how is with jarsigner.
  I'd like to find a way to do the signing within Ant, but can't find one.
  Is that possible?
  George

  I'm having trouble with the opposite: I'm trying to verify a signed jar programmatically.
  I've already read this article, and thought that I could do similar things in order to verify.
  However, this code uses classes from sun.security.util, and I couldn't find any documentation of this package.
  Any suggestion will be greatly appreciated!

• How to include the mysql-connector in a simple .jar file

  Well I started up with java again. Just messing around. This project I'm making now is just plain simple, I have a program thats going to read a table in a database from a server I have here at home. It works fine if I do like this: java javafil to run the file, it reads from the database fine.
  But when I made a .jar file out of it using this command: jar cmf manifest.txt javafile.jar *.class
  It won't connect to the database. Or it doesn't print out the rows in the table. So I thought I have to include the mysql-connector with the .jar.
  manifest.txt
  Main-Class: javafile
  Now what is an easy way to do this?
  This program is also going to be run from a computer that might not have the mysql-connector installed on the computer. Like a friend of mine wants to connect to the database and read it.
  I've tried to google "mysql connector in a .jar file" but I get tons of informations about the mysql-connector.jar instead of what I'm looking for.
  Thanks,
  Torbj�rn Svae
  Edited by: LordSvae on 19.jun.2008 14:52

  LordSvae wrote:
  Yeah but the other computer might not have that connector file on their computer. So is there like I way I can use it when it is in the .jar file? Thats kinda what I wanted. You cannot include another JAR in a JAR file. You however can extract it and put the classes in your JAR. Verify the license agreement if it is allowed. Although this is considered as a bad practice (poor upgradebility and maintainability).
  If you don't want to use the -cp parameter, then use the class-path entry of the manifest.mf of your JAR. You can also write a batch file with the whole JAR -cp command in a single line and run the batch file instead.
  Pluss, even though I have the right classpath in the environment variables set, it doesn't work for me either. So I guess it doesn't load the connector when running the .jar file.The classpath environment variable has nothing to do with running JAR's. Forget about it and use the -cp or -classpath parameter.

• How to access a jar file in EAR file?

  I have a EAR file which contains EJB.jar file and util.jar file. Outside of EAR, I mean in client side, I need to reference util.jar file. How can I access it?
  EAR structure is
  |--+META-INF/
  |--|---application.xml
  |--|---manifest.mf
  |--EJB.jar
  |--|---+MEAT-INF/
  |--|---|--- deployment descriptors...
  |--|---|--- manifest.mf
  |--|--- EJB classes
  |--Util.jar
  Util.jar must be executed in server side. If I just add Util.jar in client program's classpath, when client program is executed, serverside Util.jar is executed? Or what else I should do in the client program to reference server-side Util.jar?

  Excellent question. I don't see any client-jar in your EAR file structure. So I am assuming you are writing a separate client application which will talk to the ejbs deployed as part of this EAR. You need to do the following:
  Write another EAR file with the following structure:
  ear:
  META-INF/application.xml
  util.jar
  client.jar
  client.jar should have a META-INF/MANIFEST.MF and that should contain Class-Path:util.jar and value for Main-Class attribute.
  Now deploy this new ear to your application server and execute it using Application Client Container that comes with your app server.
  If you don't want to write another EAR file, then bundle th client.jar in your original EAR file.
  Points to note are:
  you have to repackage util.jar again inside this ear file.
  For portability reason, you should use Class-Path manifest entry in client.jar. Refer to http://java.sun.com/j2ee/verified/packaging.html and J2EE platform spec section #8.2.
  Hope this helps,
  Sahoo

• Problems with signed JAR files in JWS/JRE6 environment.

  Hello All,
  I'm encountering a problem running our desktop application as a Java Web Start deployment in a JRE 6 environment. There were never any problems when running the same application as a JWS deployment in JRE 1.4, or 5, environments. There are also currently no problems in a JRE 6 environment when running the application as a standard desktop application.
  The problem which I am having has nothing to do with launching the application. But for good measure, I verified the JNLP file with JaNeLA. A couple things we out of order, which I addressed to make JaNeLA happy, but my problem still persists. Here is my JNLP file (anonymized to protect the innocent):
  TS: 2010-10-18 17:04:46
  <?xml version="1.0" encoding="UTF-8"?>
  <jnlp codebase="$$codebase" href="$$name">
       <information>
            <title>Acme Desktop</title>
            <vendor>Acme Corporation</vendor>
            <homepage href="http://www.acme.com/"/>
            <description>Acme Client for Acme Server</description>
            <description kind="tooltip">Acme Client for Acme Server</description>
            <icon href="desktop.gif"/>
            <offline-allowed/>
       </information>
       <security>
            <all-permissions/>
       </security>
       <resources>
            <j2se version="1.5+"/>
            <jar href="acmedesktop.jar" download="eager" version="8.00.01.00+"/>
            <jar href="lib/antlr-2.7.2.jar" download="eager" version="8.00.01.00+"/>
            <jar href="lib/backport-util-concurrent.jar" download="eager" version="8.00.01.00+"/>
            <jar href="lib/commons-codec-1.3.jar" download="eager" version="8.00.01.00+"/>
            <jar href="lib/commons-httpclient.jar" download="eager" version="8.00.01.00+"/>
            <jar href="lib/commons-logging.jar" download="eager" version="8.00.01.00+"/>
            <jar href="lib/acmeapi.jar" download="eager" version="8.00.01.00+"/>
            <jar href="lib/HelpJavaDT.jar" download="eager" version="8.00.01.00+"/>
            <jar href="lib/HelpJavaDT_es.jar" download="eager" version="8.00.01.00+"/>
            <jar href="lib/jacorb.jar" download="eager" version="8.00.01.00+"/>
            <jar href="lib/Multivalent.jar" download="eager" version="8.00.01.00+"/>
            <jar href="lib/slf4j-api-1.5.6.jar" download="eager" version="8.00.01.00+"/>
            <jar href="lib/slf4j-jdk14-1.5.6.jar" download="eager" version="8.00.01.00+"/>
            <jar href="lib/snow.jar" download="lazy" version="8.00.01.00+"/>
            <jar href="lib/AcmeTMClient.jar" download="eager" version="8.00.01.00+"/>
            <jar href="lib/xercesImpl.jar" download="eager" version="8.00.01.00+"/>
            <jar href="lib/xml-apis.jar" download="eager" version="8.00.01.00+"/>
            <extension name="installer" href="desktopInstaller.jnlp" />
            <extension name="Java Help" href="help.jnlp"/>
            <property name="java.library.path" value="./lib"/>
            <property name="admin" value="false"/>
            <property name="webstart" value="true"/>          
            <!-- The following two lines are for SSO implementation only
            <property name="urladdress" value="http://localhost:8080/AcmeDesktop/servlet/AcmeServlet"/>
            <property name="cookiespec" value="RFC2109"/>
            -->          
       </resources>
       <resources os="Windows">
            <nativelib href="lib/jniWin32.jar" version="8.00.01.00+"/>
       </resources>
       <application-desc main-class="desktop"/>     
  </jnlp>-----
  When running as a JWS deployment, on JRE 6, the application will be functioning normally for a little while, and then suddenly the following exception is thrown, and the current operation fails because the class in question cannot be accessed:
  java.lang.SecurityException: class "acmeapi.communication.CDocImpl"'s signer information does not match signer information of other classes in the same package
       at java.lang.ClassLoader.checkCerts(ClassLoader.java:807)
       at java.lang.ClassLoader.preDefineClass(ClassLoader.java:488)
       at java.lang.ClassLoader.defineClassCond(ClassLoader.java:626)
       at java.lang.ClassLoader.defineClass(ClassLoader.java:616)
       at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:141)
       at java.net.URLClassLoader.defineClass(URLClassLoader.java:283)
       at java.net.URLClassLoader.access$000(URLClassLoader.java:58)
       at java.net.URLClassLoader$1.run(URLClassLoader.java:197)
       at java.security.AccessController.doPrivileged(Native Method)
       at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
       at com.sun.jnlp.JNLPClassLoader.findClass(JNLPClassLoader.java:288)
       at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
       at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
       at acmeapi.common.CDoc.getAnnotationsInfo(CDoc.java:493)
       at acmedesktop.communication.CCommunicationManager.privateGetAnnotations(CCommunicationManager.java:1976)
       at acmedesktop.communication.CCommunicationManager.getAnnotations(CCommunicationManager.java:1828)
       at acmedesktop.annotations.CViewAnnotations.getAnnotations(CViewAnnotations.java:826)
       at acmedesktop.annotations.CViewAnnotations.createView(CViewAnnotations.java:583)
       at acmedesktop.annotations.CViewAnnotations.setData(CViewAnnotations.java:736)
       at acmedesktop.annotations.CViewAnnotations.init(CViewAnnotations.java:205)
       at acmedesktop.hitspanel.CHitsPanel.viewAnnotations(CHitsPanel.java:281)
       at acmedesktop.hitspanel.CHitsTab$3.mousePressed(CHitsTab.java:316)
       at java.awt.AWTEventMulticaster.mousePressed(AWTEventMulticaster.java:263)
       at java.awt.Component.processMouseEvent(Component.java:6260)
       at javax.swing.JComponent.processMouseEvent(JComponent.java:3267)
       at java.awt.Component.processEvent(Component.java:6028)
       at java.awt.Container.processEvent(Container.java:2041)
       at java.awt.Component.dispatchEventImpl(Component.java:4630)
       at java.awt.Container.dispatchEventImpl(Container.java:2099)
       at java.awt.Component.dispatchEvent(Component.java:4460)
       at java.awt.LightweightDispatcher.retargetMouseEvent(Container.java:4574)
       at java.awt.LightweightDispatcher.processMouseEvent(Container.java:4235)
       at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4168)
       at java.awt.Container.dispatchEventImpl(Container.java:2085)
       at java.awt.Window.dispatchEventImpl(Window.java:2478)
       at java.awt.Component.dispatchEvent(Component.java:4460)
       at java.awt.EventQueue.dispatchEvent(EventQueue.java:599)
       at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:269)
       at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:184)
       at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:174)
       at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:169)
       at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:161)
       at java.awt.EventDispatchThread.run(EventDispatchThread.java:122)-----
  The classes of our desktop product are contained within the 'acmedesktop' and 'acmeapi' packages. It requires access to the hard drive of the workstation, and therefore, all jar files included with the application are signed using the following ANT task when compiled:
  <signjar keystore="resources/codesigning/keystore.pfx" storetype="pkcs12" storepass="myPassword" alias="myAlias">
       <fileset dir="${jws_dist}/app" includes="*.jar"/>
       <fileset dir="${jws_dist}/app/lib" includes="*.jar" excludes="jhall__V${dt_version}.jar"/>
  </signjar>-----
  Therefore, all classes, within all jar files, are signed with the same certificate (with the exception of the JavaHelp libraries, which are already signed by Sun - but the class in question attempting to be loaded here is not contained within the JavaHelp jar file anyway). So, the point being, that the exception message stating that the "signer information of the acmeapi.communication.CDocImpl class doesn't match the signer information of other classes in the same package", is simply not correct. All classes within that jar file were signed using the same certificate.
  I downloaded the JRE 6 source from dev.java.net and picked through this issue with a debugger. The ClassLoader.checkCerts() method compares the certificate used to sign the current class which is attempting to be loaded, with the certificates which signed all other previously loaded classes within the same package. If they don't match, the exception above is thrown. What is causing the issue is when the checkCerts() method attempts to get the certificates which signed the currently loading class, null is returned. And obviously, comparing null, with an array of the certificates which signed the previously loaded classes, isn't going to match; therefore this exception is thrown.
  The checkCerts() method gets the certificates of the currently loading class by calling the java.security.CodeSource.getCertificates() method. Tracing deeper in the debugger, the CodeSource object ultimately gets the certificates from the 'signersRef' member variable of the com.sun.deploy.cache.CachedJarFile class. signerRef is a SoftReference object and can therefore be garbage collected at some point. If it has already been garbage collected, the CachedJarFile class will attempt to retrieve it again from the loaded cache entry by calling com.sun.deploy.cache.MemoryCache.getLoadedResource().
  The MemoryCache class maintains the cache entries to the jar files as MemoryCache.CachedResourceReference objects, which subclass WeakReference, and therefore these objects can be garbage collected as well. If the cache entries have also been garbage collected, this leaves the CachedJarFile class with no ability to repopulate the CachedJarFile.signerRef object. Therefore it is completely out of luck getting the certificates which signed the currently loading class, which ultimately causes the above exception.
  When the com.sun.deploy.cache.Cache class attempts to retrieve a cache entry using its getCacheEntry() method, it will attempt to get the entry from the MemoryCache class, if null is returned, it will recreate the cache entry and add it back to the MemoryCache. In contrast, when the CachedJarFile class attempts to get a cache entry from the MemoryCache class, if null is returned, it just gives up.
  (from com.sun.deploy.cache.CachedJarFile:244)
  private CacheEntry getCacheEntry() {
       /* if it was not created by Cache do not search for entry */
       if (resourceURL == null)
            return null;
       CacheEntry ce = (CacheEntry) MemoryCache.getLoadedResource(resourceURL);
       if (ce == null) {
            //This should not happen because CacheEntry should not get collected
            // before CachedJarFile is collected.
            Trace.println("Missing CacheEntry for " + resourceURL + "\n" + ce,
                 TraceLevel.CACHE);
       return ce;
  When debugging, code execution falls within the code block with the comment stating "This should not happen...", but it is happening in my case.
  On an interesting side note, using the jvisualvm.exe tool included with JDK 6, I was able to tell that it seems as though these objects are collected the first time that the JVM allocates more heap space, and then the issue will occur. If I set the initial heap size very large (using -Xms) this issue won't occur at all. But that is kind of a bad solution which I would rather not do, but it is interesting to note for the sake of troubleshooting this issue. The max heap size (-Xmx) is plenty big enough, so the issue is not that we are running out of memory here.
  Does anyone have any insight as to what could be causing this? I've searched, and found a couple threads with similar problems but with no clear solutions. It is not just one workstation either, it happens everywhere I deploy the app as a Java Web Start application in a JRE 6 environment. I have been using version 1.6.0_18 on XP, but it seems to happen on any update version of 1.6. Is the fact that the CachedJarFile class doesn't attempt to reload the resource when it can't retrieve it from MemoryCache a bug? I've dug as deep as I can on this and I'm at wits end, does anybody have any ideas?
  Thank you
  Jake
  Edited by: jkc532 on Nov 12, 2010 10:35 AM

  jkc532 wrote:
  .. Is the fact that the CachedJarFile class doesn't attempt to reload the resource when it can't retrieve it from MemoryCache a bug? From your comprehensive investigation and report, it seems so to me.
  ..I've dug as deep as I can on this and I'm at wits end, does anybody have any ideas?Just after read the summary I was tired, so I have some understanding of the effort you have already invested in this (the 'wits' you have already spent). I think you should raise a bug report and seek Oracle's response.