We are seeing a similar bug to that described in 5078608. On some machines, we get the following error when validating a large .pack.gz file (j3dcore.jar) that has been unpacked using unpack200.
jarsigner: java.lang.SecurityException: SHA1 digest error for javax/media/j3d/Alpha.class
The sequence of operations on the build machine is:
Then when that taget machine, which may be a different rev of the JVM, unpacks and validates it, it fails on some machines.
One combination that seems to break is if we repack/sign/pack on JDK 6 or 5u11 and then unpack/verify on 5u6 or 5u7.
I have put test files in the following directory:
j3dcore.jar.orig original (unsigned, not repacked)
j3dcore.jar.repacked repacked (but unsigned) jar file
j3dcore.jar signed jar file
j3dcore.jar.pack.gz pack200 jar file
If you verify the j3dcore.jar file it will work on any JVM. If you unpack200 the j3dcore.jar.pack.gz file on 5u6 and then verify it, it will fail.
The workaround described in 5078608 of using "--segment-limit=-1" for both repack and pack seems to work.