SecurityException: invalid SHA-256 signature file digest with Java 21

[john2home]

Windows 10
OpenWebstart 1.10.1

Our app uses Saxon-HE (https://mvnrepository.com/artifact/net.sf.saxon/Saxon-HE/12.4), among others. The Saxon-JAR is already signed, with our signature the file contains two signature infos.

With Java 17 there are no problems to start the appl per OpenWebstart. if we use java 21 we get the following exception:

net.sourceforge.jnlp.LaunchException: Fatal: Initialization Error: Could not initialize application. The application has not been initialized, for more information execute javaws from the command line. at net.sourceforge.jnlp.Launcher.createApplication(Launcher.java:593) at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:374) at net.sourceforge.jnlp.Launcher.access$300(Launcher.java:72) at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:661) Caused by: net.sourceforge.jnlp.LaunchException: Fatal: Initialization Error: A fatal error occurred while trying to verify jars. An exception has been thrown in class JarCertVerifier. Being unable to read the cacerts or trusted.certs files could be a possible cause for this exception.: Error in verify jar C:\Users\test\.cache\icedtea-web\cache\2\236\Saxon-HE-10.6.jar at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.initializeResources(JNLPClassLoader.java:719) at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.<init>(JNLPClassLoader.java:352) at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.createInstance(JNLPClassLoader.java:425) at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.getInstance(JNLPClassLoader.java:497) at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.getInstance(JNLPClassLoader.java:470) at net.sourceforge.jnlp.Launcher.createApplication(Launcher.java:585) ... 3 more Caused by: java.lang.RuntimeException: Error in verify jar C:\Users\test\.cache\icedtea-web\cache\2\236\Saxon-HE-10.6.jar at net.sourceforge.jnlp.tools.JarCertVerifier.verifyJar(JarCertVerifier.java:311) at net.sourceforge.jnlp.tools.JarCertVerifier.verifyJars(JarCertVerifier.java:253) at net.sourceforge.jnlp.tools.JarCertVerifier.add(JarCertVerifier.java:227) at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.initializeResources(JNLPClassLoader.java:712) ... 8 more Caused by: java.lang.SecurityException: invalid SHA-256 signature file digest for net/sf/saxon/expr/Component$1.class at java.base/sun.security.util.SignatureFileVerifier.verifySection(Unknown Source) at java.base/sun.security.util.SignatureFileVerifier.processImpl(Unknown Source) at java.base/sun.security.util.SignatureFileVerifier.process(Unknown Source) at java.base/java.util.jar.JarVerifier.processEntry(Unknown Source) at java.base/java.util.jar.JarVerifier.update(Unknown Source) at java.base/java.util.jar.JarFile.initializeVerifier(Unknown Source) at java.base/java.util.jar.JarFile.getInputStream(Unknown Source) at net.sourceforge.jnlp.util.JarFile.getInputStream(JarFile.java:117) at net.sourceforge.jnlp.tools.JarCertVerifier.verifyJar(JarCertVerifier.java:284) ... 11 more

if you delete the signing info from Saxon-JAR the app also works with java 21.