If you approve a signature with  scriptApproval.approveSignature that does not have a correct prefix, the invalid signature will make it to the scriptApprovals.xml and cause future approvals to throw IOException.

Not 100% sure but I think that there might be other ways malformed signatures can poison the configuration..

The work-around I have implemented is to remove all approvals not having the correct prefix

Set cleanSignatures(List<String> signatures, String source) {
  def ValidPrefixes = 'field |staticField |method |staticMethod |new ' 
  Set uniqueResults = []
  signatures.each { signature ->
    if (signature.matches("^(${ValidPrefixes}).*\$"))

{       uniqueResults.add(signature)     }

else {
      println "WARN: signature ${signature} from ${source} did not contain a valid prefix        ${ValidPrefixes} signature skipped"
    }
 }
return (uniqueResults)
}

 

When all signatures are "clean" I can load them with the 

scriptApproval.setApprovedSignatures(allSignatures as String[])

operation.

The approveSignature method should probably have some sanity check, ensuring prefixes 'field |staticField |method |staticMethod |new ' and throw some InvalidSignatureException if not valid instead of accepting it and create problems for further operations.