Thanks Stéphane - the edit at the end of your question helped me "fix" the same problem. For anyone else who hits this as well - here is an expanded answer. This is what you need to "fix" things in your pom (until Eclipse fix things properly):

谢谢 Stéphane - 您问题末尾的编辑帮助我“解决”了同样的问题。对于也遇到此问题的任何其他人 - 这是一个扩展的答案。这是你需要在你的 pom 中“修复”东西（直到 Eclipse 正确修复东西）：

<!-- See https://stackoverflow.com/q/45870753 -->
<dependency>   
    <groupId>org.eclipse.persistence</groupId>
    <artifactId>eclipselink</artifactId>
    <version>2.7.0</version>
    <exclusions>
        <exclusion>
            <groupId>org.eclipse.persistence</groupId>
            <artifactId>javax.persistence</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>org.eclipse.persistence</groupId>
    <artifactId>javax.persistence</artifactId>
    <version>2.1.1</version>
</dependency>

This pulls in eclipselinkbut excludes the javax.persistencedependency that it tries to pull in and replaces it with an earlier version of javax.persistencethat doesn't have the signing issue.

这会引入eclipselink但排除javax.persistence它尝试引入的依赖项，并将其替换为javax.persistence没有签名问题的早期版本。

Aside: javax.persistenceversion 2.2.0is explicitly pulled in, in the pom fragment shown in the original question, despite already being a transitive dependency of eclipselink.

旁白：javax.persistence版本2.2.0明确，拉到，在原来的问题所示的POM片段，尽管已经是一个传递依赖eclipselink。

Explanation

解释

Summary - the eclipselinkartifact depends on javax.persistenceand both contain classes that are in the package javax.persistence. However the javax.persistencejar is signed while the eclipselinkone is not. So the Java runtime will complain, when loading a class from the package javax.persistencein the eclipselinkjar, that it's lack of signing doesn't match with classes already loaded from the same package in the javax.persistencejar.

摘要 -eclipselink工件依赖于javax.persistence并且都包含包中的类javax.persistence。然而，javax.persistence罐子有签名，而罐子eclipselink没有。所以Java运行时会报错，从包中装载一个类时，javax.persistence在eclipselink罐子，它缺乏签署不匹配来自同一个包中装载的类javax.persistence罐子。

Details - if I put a breakpoint in java.util.concurrent.ConcurrentHashMap.putIfAbsent(K, V)with condition "javax.persistence".equals(arg0)then I see that javax.persistenceis mapped to the following CodeSourcevalue:

详细信息 - 如果我在java.util.concurrent.ConcurrentHashMap.putIfAbsent(K, V)条件中放置一个断点，"javax.persistence".equals(arg0)那么我会看到它javax.persistence映射到以下CodeSource值：

(file:/Users/georgehawkins/.m2/repository/org/eclipse/persistence/javax.persistence/2.2.0/javax.persistence-2.2.0.jar [
[
  Version: V3
  Subject: CN="Eclipse Foundation, Inc.", OU=IT, O="Eclipse Foundation, Inc.", L=Ottawa, ST=Ontario, C=CA
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  ...

I.e. javax.persistence-2.2.0.jaris signed by the Eclipse Foundation and contains classes in the package javax.persistence. This jar is pulled in when some part of my application (actually something deep in Spring logic) tries to load javax.persistence.EntityManagerFactory.

即javax.persistence-2.2.0.jar由 Eclipse Foundation 签名并在包中包含类javax.persistence。当我的应用程序的某些部分（实际上是 Spring 逻辑的深层内容）尝试加载javax.persistence.EntityManagerFactory.

If I then put a breakpoint in java.lang.ClassLoader.checkCerts(String, CodeSource)on the throw new SecurityExceptionline I then see that it hits this line when the passed in CodeSourceis:

如果我然后java.lang.ClassLoader.checkCerts(String, CodeSource)在该throw new SecurityException行上放置一个断点，那么当传入的CodeSource是：

(file:/Users/georgehawkins/.m2/repository/org/eclipse/persistence/eclipselink/2.7.0/eclipselink-2.7.0.jar <no signer certificates>)

I.e. eclipselink-2.7.0.jaralso contain classes that are in the javax.persistencepackage but it is unsigned so a clash occurs that results in a SecurityExceptionbeing thrown. This happens when something (also deep in Spring logic) tries to load javax.persistence.PersistenceUtil.

即eclipselink-2.7.0.jar还包含javax.persistence包中的类，但它是未签名的，因此发生冲突导致SecurityException抛出。当某些东西（也在 Spring 逻辑中很深）试图加载javax.persistence.PersistenceUtil.

If I look at the output of mvn dependency:treeI see that this mismatch seems to be down to eclipselinkitself - it is pulling in org.eclipse.persistence:javax.persistence:jar:2.2.0itself. I.e. it isn't some clash with some other dependency:

如果我查看 的输出，mvn dependency:tree我会发现这种不匹配似乎eclipselink是由其org.eclipse.persistence:javax.persistence:jar:2.2.0自身造成的——它本身就是在拉扯。即它与其他一些依赖关系没有冲突：

[INFO] |  \- org.eclipse.persistence:eclipselink:jar:2.7.0:compile
[INFO] |     +- org.eclipse.persistence:javax.persistence:jar:2.2.0:compile
[INFO] |     +- org.eclipse.persistence:commonj.sdo:jar:2.1.1:compile
[INFO] |     +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] |     \- org.glassfish:javax.json:jar:1.0.4:compile

I've logged this now at bugs.eclipse.org - see bug 525457.

我现在已经在 bugs.eclipse.org 上记录了这个——参见 bug 525457。

To fix this issue, put in the correct JPA 2.2 compliant dependency for EclipseLink 2.7.x, in your maven pom file, as:

要解决此问题，请在您的 maven pom 文件中为 EclipseLink 2.7.x 放入正确的符合 JPA 2.2 的依赖项，如下所示：

<dependency>
    <groupId>org.eclipse.persistence</groupId>
    <artifactId>org.eclipse.persistence.jpa</artifactId>
    <version>2.7.1</version>
</dependency>

eclipselink.jar as such is designed as all-in-one bundle, not osgi enabled jar containing all partsof eclipselink project (ie sdo, oracle db specific stuff, dbws, nosql..) with ability to run with jpa api 2.0 on the classpath - at least in 2.x versions. In many cases this is not needed and proper components can be used instead, such as org.eclipse.persistence.jpa, org.eclipse.persistence.oracle etc. For the full list see ie: http://search.maven.org/#search%7Cga%7C1%7Corg.eclipse.persistence

eclipselink.jar 本身被设计为一体式捆绑包，而不是包含 eclipselink 项目所有部分（即 sdo、oracle db 特定内容、dbws、nosql ..）的启用 osgi 的 jar，能够在类路径上使用 jpa api 2.0 运行- 至少在 2.x 版本中。在许多情况下，这不是必需的，可以使用适当的组件代替，例如 org.eclipse.persistence.jpa、org.eclipse.persistence.oracle 等。有关完整列表，请参见 ie：http: //search.maven.org /#search%7Cga%7C1%7Corg.eclipse.persistence

This strange situation still seems to exist, in my case not using Maven, just trying to get a simple JPA example to run (and it is really frustrating if you need hours just to achieve that).

这种奇怪的情况似乎仍然存在，在我没有使用 Maven 的情况下，只是试图运行一个简单的 JPA 示例（如果您需要几个小时来实现这一点，这真的令人沮丧）。

With 2.7.4 from January, this error occurs if you put the eclipselink.jar and jakarta.persistence_2.2.2.jar from the zip on the classpath.

对于 1 月的 2.7.4，如果将 eclipselink.jar 和 jakarta.persistence_2.2.2.jar 放在类路径上，则会发生此错误。

In the end solution was to change order on the classpath: first the jakarta-persistence and only after that the eclipselink-jar. So all javax.persistence classes are taken from jakarta-jar and not partly of the eclipselink-jar (if included there).

最终的解决方案是更改类路径上的顺序：首先是 jakarta-persistence，然后是 eclipselink-jar。因此，所有 javax.persistence 类都取自 jakarta-jar 而不是 eclipselink-jar（如果包含在那里）的一部分。

So I really wonder various things.

所以我真的很想知道各种各样的事情。

The eclipselink package should be all-in-one? But it is not. Some javax.persistence classes are contained. Others not - basic classes to be used in JPA code like EntityManager. Of course, together with the jakarta-jar included in the zip it is complete - but you may not use the two jars together with the "wrong" order on the classpath!? I really consider this a bug - or at least there should be a HUGE hint about this in the package then.

eclipselink 包应该是一体机吧？但事实并非如此。包含一些 javax.persistence 类。其他的不是 - 在 JPA 代码中使用的基本类，如 EntityManager。当然，连同包含在 zip 中的 jakarta-jar 一起它是完整的 - 但是您不能将这两个 jar 与类路径上的“错误”顺序一起使用！？我真的认为这是一个错误 - 或者至少在包中应该有一个关于这个的巨大提示。

What is the org.eclipse.persistence.jpa-2.7.4.jar from Maven that is suggested here? It does not have the problems of the eclipselink.jar yes, not this error message. But then it also just seems not to include the Eclipselink JPA implementation, at least running with it I got error that persistence-unit referenced in code does not exist (same persistence.xml working with eclipselink.jar).

这里建议的 Maven 的 org.eclipse.persistence.jpa-2.7.4.jar 是什么？它没有eclipselink.jar的问题是的，没有这个错误信息。但是它似乎也不包含 Eclipselink JPA 实现，至少在运行它时我得到了代码中引用的持久性单元不存在的错误（相同的persistence.xml 与 eclipselink.jar 一起使用）。

Strange situation.

奇怪的情况。

My project was working on JDK-8, but stopped to work when I upgraded it to openJDK-11. I solved it excluding the jpa-persistencemodule, and adding again on the version 2.2:

我的项目在 JDK-8 上工作，但当我将它升级到 openJDK-11 时停止工作。我解决了它不包括jpa-persistence模块，并在版本上再次添加2.2：

   dependencies.create('org.eclipse.persistence:eclipselink:2.7.4') {
      exclude module: "javax.persistence"
   },
   'javax.persistence:javax.persistence-api:2.2', //add it again, manually
   'org.eclipse.persistence:org.eclipse.persistence.asm:2.7.4',
   'org.eclipse.persistence:org.eclipse.persistence.antlr:2.7.4',
   'org.eclipse.persistence:org.eclipse.persistence.moxy:2.7.4',
   'org.eclipse.persistence:org.eclipse.persistence.core:2.7.4'

Obinna's answer is correct; I guess that there was an issue with eclipselink 2.7.x –as George indicated. I had a similar issue when upgrading eclipselink, but it was just wrong artefacts. The initially described issue seems to be a result of externally referencing javax.persistence level - it is definitely not necessary.

奥宾娜的回答是正确的；我猜 eclipselink 2.7.x 存在问题——正如 George 指出的那样。我在升级 eclipselink 时遇到了类似的问题，但这只是错误的人工制品。最初描述的问题似乎是外部引用 javax.persistence 级别的结果 - 这绝对没有必要。

Proper maven configuration can be found in eclipselink wiki: https://wiki.eclipse.org/EclipseLink/Maven

可以在 eclipselink wiki 中找到适当的 Maven 配置：https://wiki.eclipse.org/EclipseLink/Maven

I fixed this by switching the order in which the jars appear in the classpath. In my case, I'm using Tomcat and had to modify catalina.properties to put javax before eclipselink.

我通过切换 jars 在类路径中出现的顺序来解决这个问题。就我而言，我使用的是 Tomcat，并且必须修改 catalina.properties 以将 javax 放在 eclipselink 之前。

I also run into this problem, with my case being a bit different, in that I am not using Maven. However, I place an answer here, as it might give people an idea about how to deal with this in their own situation. After all, the title is about this mismatch, in general, one sub-case being when using Maven.

我也遇到了这个问题，我的情况有点不同，因为我没有使用 Maven。但是，我在这里给出了一个答案，因为它可能会让人们了解如何在他们自己的情况下处理这个问题。毕竟，标题是关于这种不匹配的，一般来说，一个子案例是使用 Maven 时。

I am using eclipselink in a NetBeans project. Initially, I was placing both the the eclipselink jar file (eclipselink-2.7.0.jar) and the needed org.eclipse.persistence jar files as external libraries to my project. Comments by Sergeyand entreprenrabove are what actually lead me to solve my problem. What I had to do was create a new library (Tools->Libraries->New Library...) which does notcontain the eclipselink jar file (i.e. eclipselink-2.7.0.jaris not added in the library), only the specific org.eclipse.persistence jar files that are necessary for the project, e.g. org.eclipse.persistence.antlr-2.7.0.jar, org.eclipse.persistence.asm-2.7.0.jar, org.eclipse.persistence.core-2.7.0.jar, org.eclipse.persistence.jpa.modelgen.processor-2.7.0.jar, org.eclipse.persistence.jpa-2.7.0.jar, etc. I then added this library to my project and the exception vanished.

我在 NetBeans 项目中使用 eclipselink。最初，我将 eclipselink jar 文件 ( eclipselink-2.7.0.jar) 和所需的 org.eclipse.persistence jar 文件作为外部库放置到我的项目中。上面Sergey和entreprenr 的评论实际上引导我解决了我的问题。我必须做的是创建一个不包含 eclipselink jar 文件（即eclipselink-2.7.0.jar未添加到库中）的新库（工具->库->新库... ），只有特定的 org.eclipse.persistence jar文件所必需的项目，例如org.eclipse.persistence.antlr-2.7.0.jar，org.eclipse.persistence.asm-2.7.0.jar，org.eclipse.persistence.core-2.7.0.jar，org.eclipse.persistence.jpa.modelgen.processor-2.7.0.jar，org.eclipse.persistence.jpa-2.7.0.jar，等我加入这个库到我的项目和异常消失。

Of course, I also had to replace all org.eclipse.persistence jar files on my server with their 2.7.0 version and also replace the javax.persistence.jarwith its 2.2.0 version (I use payara, so these are located under <payara_home>\glassfish\modules).

当然，我还必须用 2.7.0 版本替换我服务器上的所有 org.eclipse.persistence jar 文件，并javax.persistence.jar用 2.2.0 版本替换它（我使用 payara，所以它们位于 下<payara_home>\glassfish\modules）。

I'm using gradle in my project build and to solve the OP's problem, which I had as well, I finally used the following working setup.

我在我的项目构建中使用了 gradle 并解决了 OP 的问题，我也遇到了这个问题，我最终使用了以下工作设置。

dependencies {

    testImplementation(group: 'org.eclipse.persistence', name: 'eclipselink', version: '2.7.4') {
        exclude group: 'javax.validation', module: 'validation-api'
        exclude group: 'org.eclipse.persistence', module: 'javax.persistence'
        exclude group: 'org.eclipse.persistence', module: 'commonj.sdo'
        exclude group: 'org.eclipse.persistence', module: 'jakarta.persistence'
    }

    testImplementation(group: 'org.eclipse.persistence', name: 'org.eclipse.persistence.jpa', version: '2.7.4') {
        exclude group: 'org.eclipse.persistence', module: 'jakarta.persistence'
    }

}

Instead of "testImplementation" you can of course use any dependency type you want or need.

您当然可以使用您想要或需要的任何依赖项类型，而不是“testImplementation”。

After reading Sergey's comment I've improved this by just using:

在阅读了 Sergey 的评论后，我通过使用以下方法对其进行了改进：

dependencies {
    testImplementation group: 'org.eclipse.persistence', name: 'org.eclipse.persistence.jpa', version: '2.7.4'
}

I think the last one is the best solution.

我认为最后一个是最好的解决方案。

Because I could not find an answer for this problem when only using a Tomcat and this thread is often linked with this problem, I am going to post my solution here:

因为我在只使用 Tomcat 时找不到这个问题的答案，并且这个线程经常与这个问题相关联，所以我将在这里发布我的解决方案：

Since the signature is in the MANIFEST.MF you can change the signatures in the .jar files using 7zip or WinRAR to open them or simply delete them from the META-INF files of both .jar's and then import the changed files to your IDE.

由于签名在 MANIFEST.MF 中，您可以使用 7zip 或 WinRAR 更改 .jar 文件中的签名以打开它们，或者简单地从 .jar 的 META-INF 文件中删除它们，然后将更改后的文件导入您的 IDE。

A useful thread for the Signature-Mismatch-Problem is this thread: Java SecurityException: signer information does not match

签名不匹配问题的一个有用线程是这个线程：Java SecurityException：签名者信息不匹配