Skip to main content


Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » Plugin Development Environment (PDE) » Signing the plugin content(Signing the plugin content - Error message "SHA-256 hash is not as expected")
Signing the plugin content [message #1818421] Sun, 15 December 2019 14:49
George Azzam is currently offline George AzzamFriend
Messages: 1
Registered: December 2019
Junior Member
Hello,

I am trying to sign a plugin, we go over all *.JAR file and sign each of them with jarsigner (JDK), all of the *.JAR files are signed OK according to the jarsigner (I run -verify to check that it is OK).
Then we upload all the content to an Amazon S3 folder, and the content of the folder looks like:
features -> (a folder)
plugins -> (a folder)
artifacts.jar
artifacts.xml
artifacts.xml.xz
content.jar
content.xml.xz
p2.index

And then when I try to install this plugin from Eclipse (using "Install New software"), I get this error:

An error occurred while collecting items to be installed
session context was:(profile=epp.package.java, phase=org.eclipse.equinox.internal.p2.engine.phases.Collect, operand=, action=).
Problems downloading artifact: org.eclipse.update.feature,org.whitesource.eclipse.feature,19.11.4.201912151353.
SHA-256 hash is not as expected. Expected: 3593f25c19615c2d681dd245fe8cdbbae3cef76233e0089fa6f81df32a814671 and found 58be674e271deb7dbcabe85b23fac56cdf77a3d9e3e945490c705e63f8852944.
Problems downloading artifact: osgi.bundle,org.whitesource.eclipse.plugin,19.11.4.201912151353.
SHA-256 hash is not as expected. Expected: 75f9982cce84645d31ceb3f50e48dd7656b3f160db8b5b9c214798c578fcfb3a and found 9d790bd3d3f2c210078ea940170a2dd5cd7435c135c9c0918423d89f6f3aff70.


But, when I remove the sign procedure and install the plugin, I get a warning and I can install it and it works OK, so I guess there is no issue in the plugin itself, the issue is in signing the JAR files.

My questions are:
1- Why the SHA-256 are different?
2- Where do the "expected SHA-256" and "found SHA-256" come from?
3- What is the correct way to sign JAR for Eclipse plugins in order to upload it to the Eclipse Marketplace?
4- Can we use our own purchased certificate ? or should we use Eclipse's public certificates?
5- Can we use "http://build.eclipse.org:31338/sign" ?
The description at https://wiki.eclipse.org/JAR_Signing is not very clear on how to sign the plugin.

This is the script that we use to sign the JARs:
# Here should be only 1 file
for file in ./site/features/*.jar; do
jarsigner -verbose -tsa http://timestamp.digicert.com -keystore /keys/keystore.jks -storepass $storepass $file Server
echo "Verify sign"
jarsigner -verify $file
done
#
# Here should be only 1 file
for file in ./site/plugins/*.jar; do
jarsigner -verbose -tsa http://timestamp.digicert.com -keystore /keys/keystore.jks -storepass $storepass $file Server
echo "Verify sign"
jarsigner -verify $file
done
#
jarsigner -verbose -tsa http://timestamp.digicert.com -keystore /keys/keystore.jks -storepass $storepass ./site/artifacts.jar Server
echo "Verify sign - artifacts.jar"
jarsigner -verify ./site/artifacts.jar
#
jarsigner -verbose -tsa http://timestamp.digicert.com -keystore /keys/keystore.jks -storepass $storepass ./site/content.jar Server
echo "Verify sign - content.jar"
jarsigner -verify ./site/content.jar



Previous Topic:Http Whiteboard propertytypes annotation support
Next Topic:TFS extension in Eclipse Plugin Development
Goto Forum:
  


Current Time: Mon Jul 06 13:23:40 GMT 2020

Powered by FUDForum. Page generated in 0.01367 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software

Back to the top