Skip to main content


Eclipse Community Forums

      Home
Home » Archived » Buckminster » Questions about signing
Questions about signing [message #1696238] Sun, 24 May 2015 06:14 Go to next message
Eclipse UserFriend
Hi guys,

I have two questions relating the signing process:

1. After I created a new certificate and enabled the site.signing property, building a feature repository in CI broke: the site.repacked and site.sign actions seem to work, but the site.packed action aborts with the following problem:
java.lang.SecurityException: invalid SHA1 signature file digest for plugin.xml
Caused by: java.lang.SecurityException: invalid SHA1 signature file digest for plugin.xml
    at sun.security.util.SignatureFileVerifier.verifySection(SignatureFileVerifier.java:499)
    at sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVerifier.java:295)
    at sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:238)
    at java.util.jar.JarVerifier.processEntry(JarVerifier.java:316)
    at java.util.jar.JarVerifier.update(JarVerifier.java:228)
    at java.util.jar.JarFile.initializeVerifier(JarFile.java:383)
    at java.util.jar.JarFile.getInputStream(JarFile.java:450)
    at com.sun.java.util.jar.pack.PackerImpl$DoPack$InFile.getInputStream(PackerImpl.java:384)
    at com.sun.java.util.jar.pack.PackerImpl$DoPack.run(PackerImpl.java:472)
    at com.sun.java.util.jar.pack.PackerImpl.pack(PackerImpl.java:98)
    at org.eclipse.buckminster.jarprocessor.RecursivePack200.pack(RecursivePack200.java:189)
    at org.eclipse.buckminster.jarprocessor.RecursivePacker.pack(RecursivePacker.java:86)
    at org.eclipse.buckminster.jarprocessor.JarProcessorActor.packJars(JarProcessorActor.java:120)
    at org.eclipse.buckminster.jarprocessor.JarProcessorActor.packJars(JarProcessorActor.java:110)
    at org.eclipse.buckminster.jarprocessor.JarProcessorActor.internalPerform(JarProcessorActor.java:84)

Any idea what this could cause? How can I track this down (debug output did not reveal further details)?
My Jenkins is running Java 8, could this be related?


2. The build structure consists of multiple Jenkins jobs building p2 repositories for certain features. A subsequent job builds two products utilising these repositories. Is it possible/recommended to have all repositories signed or should only the last job building the products perform the signing?


Axel
Re: Questions about signing [message #1696247 is a reply to message #1696238] Sun, 24 May 2015 08:30 Go to previous messageGo to next message
Eclipse UserFriend
Hi

Similar problems have occurred with the main Eclipse Simultaneous Release.

Various 'crimes' contribute
- do not attempt to re-sign already signed artefacts
- do not use a Java 7/8 unpack200/signer for artefacts using a Java 5/6
pack200.

Regards

Ed Willink




On 24/05/2015 11:14, Axel Guckelsberger wrote:
> Hi guys,
>
> I have two questions relating the signing process:
>
> 1. After I created a new certificate and enabled the site.signing
> property, building a feature repository in CI broke: the site.repacked
> and site.sign actions seem to work, but the site.packed action aborts
> with the following problem:
>
> java.lang.SecurityException: invalid SHA1 signature file digest for
> plugin.xml
> Caused by: java.lang.SecurityException: invalid SHA1 signature file
> digest for plugin.xml
> at
> sun.security.util.SignatureFileVerifier.verifySection(SignatureFileVerifier.java:499)
> at
> sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVerifier.java:295)
> at
> sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:238)
> at java.util.jar.JarVerifier.processEntry(JarVerifier.java:316)
> at java.util.jar.JarVerifier.update(JarVerifier.java:228)
> at java.util.jar.JarFile.initializeVerifier(JarFile.java:383)
> at java.util.jar.JarFile.getInputStream(JarFile.java:450)
> at
> com.sun.java.util.jar.pack.PackerImpl$DoPack$InFile.getInputStream(PackerImpl.java:384)
> at
> com.sun.java.util.jar.pack.PackerImpl$DoPack.run(PackerImpl.java:472)
> at com.sun.java.util.jar.pack.PackerImpl.pack(PackerImpl.java:98)
> at
> org.eclipse.buckminster.jarprocessor.RecursivePack200.pack(RecursivePack200.java:189)
> at
> org.eclipse.buckminster.jarprocessor.RecursivePacker.pack(RecursivePacker.java:86)
> at
> org.eclipse.buckminster.jarprocessor.JarProcessorActor.packJars(JarProcessorActor.java:120)
> at
> org.eclipse.buckminster.jarprocessor.JarProcessorActor.packJars(JarProcessorActor.java:110)
> at
> org.eclipse.buckminster.jarprocessor.JarProcessorActor.internalPerform(JarProcessorActor.java:84)
>
> Any idea what this could cause? How can I track this down (debug
> output did not reveal further details)?
> My Jenkins is running Java 8, could this be related?
>
>
> 2. The build structure consists of multiple Jenkins jobs building p2
> repositories for certain features. A subsequent job builds two
> products utilising these repositories. Is it possible/recommended to
> have all repositories signed or should only the last job building the
> products perform the signing?
>
>
> Axel
>
Re: Questions about signing [message #1696285 is a reply to message #1696247] Mon, 25 May 2015 05:27 Go to previous messageGo to next message
Eclipse UserFriend
Hi Ed,

thanks for these hints. I am not sure though how to take any influence on that using Buckminster. Do you know?

Another feature job fails like this:
java.lang.SecurityException: invalid SHA1 signature file digest for org/apache/commons/logging/LogSource.class


Regards,
Axel
Re: Questions about signing [message #1696288 is a reply to message #1696285] Mon, 25 May 2015 05:48 Go to previous messageGo to next message
Eclipse UserFriend
Hi

Yes, it's hard. The Eclipse Foundation signer was modified to no re-sign
resolving a long-standing bug. There is a fudge whereby documents with
javax in the path are signed by javax,.

Obstinate plugins use Eclipse.ing to disable packing.

But unless you are the org/apache/commons/logging releng, it looks as if
your problem is re-signing so don't. Easier to just use the Orbit version.

Regards

Ed Willink


On 25/05/2015 10:27, Axel Guckelsberger wrote:
> Hi Ed,
>
> thanks for these hints. I am not sure though how to take any influence
> on that using Buckminster. Do you know?
>
> Another feature job fails like this:
>
> java.lang.SecurityException: invalid SHA1 signature file digest for
> org/apache/commons/logging/LogSource.class
>
>
> Regards,
> Axel
Re: Questions about signing [message #1696303 is a reply to message #1696288] Mon, 25 May 2015 07:28 Go to previous message
Eclipse UserFriend
Hi Ed,

maybe it is reasonable to do something like described here?
https://www.eclipse.org/forums/index.php?t=msg&th=200299&goto=649152&#msg_649152

Providing a custom signing action which performs the actual signing only for own bundles.

Thanks for your advice,
Axel
Previous Topic:No suitable provider for component org.eclipse.license:eclipse.feature
Next Topic:Issues with p2.inf for a product file that lies next to a feature.xml file
Goto Forum:
  


Current Time: Sat Apr 19 15:05:24 EDT 2025

Powered by FUDForum. Page generated in 0.03759 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top

Sign up to our Newsletter

A fresh new issue delivered monthly