Re: Prevent PDE Build from re-signing 'foreign' bundles? [message #666908 is a reply to message #666885]
Sun, 24 April 2011 08:36
David Williams | Messages: 176 | Registered: July 2009 | Senior Member

On 04/23/2011 04:08 PM, Volker Wegert wrote:
> Hello everyone,
>
> with the very helpful article and hints of Paul Webster I've managed to
> bring my headless PDE build to yet another problem. The p2.director
> complained that my own bundles weren't signed, so I added a keystore and
> the options necessary to sign my bundles to the build.properties.
> Problem: Now the headless build attempts to re-sign all bundles,
> including the dependencies I mirrored from eclipse.org and other
> repositories. After that, I run into the error message that is reported
> in bug #255518, but I suspect the root cause is that something goes
> wrong when the build process attempts to re-sign bundles that were
> perfectly well signed in the first place. I have found some references
> to this problem, but no obvious solution. Does anyone know how to stop
> this?

Sounds like you've already gotten past this particular problem, but
normally, you can exclude jars from being signed by using a
pack.properties file (and, there, it is a little tricky to get the exact
path and name exactly right). See

http://wiki.eclipse.org/JarProcessor_Options

But also ... it is (normally) fine to re-sign a jar that has already
been signed. By design ... sometimes you want more than one signature;
for example, it might be signed by Eclipse.org, then "Company A" might sign
it to say not only did it come from Eclipse, but also from Company A's
distribution. If you sign twice with the same certificate, such as twice
from Eclipse ... then it's sort of a "no op" ... but should be fine.

A larger problem though is trying to re-condition a jar that has already
been signed. The normal workflow of conditioning/signing at Eclipse.org
avoids this by inserting information into the eclipse.inf file (such as
whether it has already been conditioned) but, as you can imagine,
it is not bulletproof, which is why it's a good idea to use
pack.properties even if you might not have to in all cases.

HTH
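
Added example (not code from the thread or from the Eclipse project): a small Python helper that scans a plugins directory, finds jars that already carry signature files, and emits a `sign.excludes` line for pack.properties, the key described on the JarProcessor_Options page. The own-bundle prefix `com.example.`, the `plugins/` path prefix and the jar names are assumptions constructed for illustration; the path prefix must match the layout of the archive being processed.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path

# META-INF entries that carry a jar signature: a .SF file plus a signature block file.
SIG_RE = re.compile(r"^META-INF/[^/]+\.(SF|RSA|DSA|EC)$", re.IGNORECASE)

def signature_files(jar_path):
    """Return the sorted signature-related entries of a jar."""
    with zipfile.ZipFile(jar_path) as jar:
        return sorted(n for n in jar.namelist() if SIG_RE.match(n))

def is_signed(jar_path):
    """True if a .SF file has a matching signature block (.RSA/.DSA/.EC)."""
    # Presence check only: it does not verify the signature (jarsigner -verify does).
    names = signature_files(jar_path)
    sf = {n.rsplit(".", 1)[0].upper() for n in names if n.upper().endswith(".SF")}
    blocks = {n.rsplit(".", 1)[0].upper() for n in names if not n.upper().endswith(".SF")}
    return bool(sf & blocks)

def sign_excludes(plugins_dir, own_prefixes, path_prefix="plugins/"):
    """Build a sign.excludes line listing already-signed jars that are not our own."""
    foreign = []
    for jar in sorted(Path(plugins_dir).glob("*.jar")):
        if jar.name.startswith(tuple(own_prefixes)):
            continue  # our own bundles must still be signed by the build
        if is_signed(jar):
            foreign.append(path_prefix + jar.name)
    return "sign.excludes=" + ",".join(foreign)

def make_jar(path, signed):
    """Write a constructed sample jar, optionally with placeholder signature files."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if signed:
            jar.writestr("META-INF/ECLIPSE_.SF", "Signature-Version: 1.0\n")
            jar.writestr("META-INF/ECLIPSE_.RSA", b"constructed placeholder")

def demo():
    with tempfile.TemporaryDirectory() as d:
        make_jar(os.path.join(d, "org.eclipse.core.runtime_3.6.0.jar"), True)
        make_jar(os.path.join(d, "com.example.app_1.0.0.jar"), False)
        make_jar(os.path.join(d, "org.example.lib_1.0.0.jar"), False)
        return sign_excludes(d, ["com.example."])

if __name__ == "__main__":
    print(demo())
```

Unsigned third-party jars are deliberately left out of the exclude list so the build still signs them.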
Re: Prevent PDE Build from re-signing 'foreign' bundles? [message #666911 is a reply to message #666908]
Sun, 24 April 2011 09:06
Volker Wegert | Messages: 182 | Registered: July 2009 | Senior Member

On 24.04.11 10:36, David Williams wrote:
> On 04/23/2011 04:08 PM, Volker Wegert wrote:
>> with the very helpful article and hints of Paul Webster I've managed to
>> bring my headless PDE build to yet another problem. The p2.director
>> complained that my own bundles weren't signed, so I added a keystore and
>> the options necessary to sign my bundles to the build.properties.
>> Problem: Now the headless build attempts to re-sign all bundles,
>> including the dependencies I mirrored from eclipse.org and other
>> repositories. After that, I run into the error message that is reported
>> in bug #255518, but I suspect the root cause is that something goes
>> wrong when the build process attempts to re-sign bundles that were
>> perfectly well signed in the first place. I have found some references
>> to this problem, but no obvious solution. Does anyone know how to stop
>> this?
>
> Sounds like you've already gotten past this particular problem,
Yes, with a more or less crude hack. Is there some place in the Eclipse
Wiki where I could document this?
> normally, you can exclude jars from being signed by using a
> pack.properties file (and, there, it is a little tricky to get the exact
> path and name exactly right). See
>
> http://wiki.eclipse.org/JarProcessor_Options
That page is a bit terse - I already found out about it yesterday, but I
haven't found a working example.
> But also ... it is (normally) fine to re-sign a jar that has already
> been signed. By design ... sometimes you want more than one signature;
> for example, it might be signed by Eclipse.org, then "Company A" might sign
> it to say not only did it come from Eclipse, but also from Company A's
> distribution. If you sign twice with the same certificate, such as twice
> from Eclipse ... then it's sort of a "no op" ... but should be fine.
I understand the intent, but I'm unsure if that's a sensible default
setting. It takes forever to re-sign the "default" bundles.
The real problem seems to be that some files are somehow damaged in the
process so that I get the error messages mentioned in the bug report.
Unfortunately I'm working on an internal project, so I can't add that
information to the bug. I'll see whether I can find the time to create a
separate demonstration project...
Volker
--
* Volker Wegert * http://www.volker-wegert.de/contact *
Re: Prevent PDE Build from re-signing 'foreign' bundles? [message #666941 is a reply to message #666897]
Sun, 24 April 2011 20:29
Volker Wegert | Messages: 182 | Registered: July 2009 | Senior Member

On 23.04.11 23:44, Volker Wegert wrote:
> On 23.04.11 22:08, Volker Wegert wrote:
>> with the very helpful article and hints of Paul Webster I've managed to
>> bring my headless PDE build to yet another problem. The p2.director
>> complained that my own bundles weren't signed, so I added a keystore and
>> the options necessary to sign my bundles to the build.properties.
>> Problem: Now the headless build attempts to re-sign all bundles,
>> including the dependencies I mirrored from eclipse.org and other
>> repositories. After that, I run into the error message that is reported
>> in bug #255518, but I suspect the root cause is that something goes
>> wrong when the build process attempts to re-sign bundles that were
>> perfectly well signed in the first place. I have found some references
>> to this problem, but no obvious solution. Does anyone know how to stop
>> this?
>
> ...I've found a kind of workaround now (switching off global signing and
> signing myself in the customAssembly.xml), and I've run into the next
> issue: The p2.director does not seem to like my certificate (signed by
> my own CA). Is there a way to tell the director to trust an additional CA?

JFTR: This was no issue with my custom self-signed certificate. This
occurred on a Debian box with OpenJDK installed. The error message was

    One or more certificates rejected. Cannot proceed with installation.

The reason for this can be found buried inside the OpenJDK web site:

    "The cacerts file shipped with OpenJDK is initially empty."

Without any root CA certificates, the builder is unable to verify the
pre-signed default Eclipse bundles and bails out. Remove OpenJDK,
install Sun/Oracle-JDK, go.

Hopefully this will prevent someone from running into the same trap.
Volker
--
* Volker Wegert * http://www.volker-wegert.de/contact *