I had a very similar problem; when I included a signed JAR (bouncycastle) in the project. Its signature was repackaged verbatim, resulting in an obvious SecurityException:
java.lang.SecurityException: Invalid signature file digest for
Manifest main attributes
Filtering of all sorts failed; the solution that works for me looks like this in the pom.xml:
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<version>2.8</version>
<executions>
<execution>
<id>unpack-dependencies</id>
<phase>package</phase>
<goals>
<goal>unpack-dependencies</goal>
</goals>
<configuration>
<excludes>META-INF/*.SF,META-INF/*.DSA,META-INF/*.RSA</excludes>
...
</configuration>
</execution>
</executions>
</plugin>
I omitted some lines after the new one with the “excludes” pattern.
This single line was the solution for me – I include the other lines so you can see the placement. (I had trouble with many other postings which omitted the context of a tag, so I try to save others this trouble).
Hope that helps others with the same problem.