Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [cbi-dev] [cross-project-issues-dev] CBI Maven plugins 1.1.3-SNAPSHOT

 
3. The signing with the Test Server is very slow. It takes around a minute to sign a single jar file. My CPU is not utilized at all. I have no solution for this.

Did you try to do it manually with the jarsigner command? Does it work faster? 

As far as I can see the slow part is the communication to the timestamp server. I guess for me it is significantly slower than for you. I would suggest to have an option for the to switch the signing with timestamp off. Just for the test server.

I've accepted your patch for this one too. Thanks for your contributions.

 
4. I tried using the SHA_1 digest algorithm, but the result is not the same as the JAR being signed with Java 6. I have "SHA-1-Digest" headers in he MANIFEST.MF file instead of "SHA1-Digest". Note the extra dash. So, the installation of these plugins on Eclipse Indigo is still not successful. I did not find a valid configuration for the digestAlgorithm option to get the correct "SHA1-Digest" header. I tried with SHA1, but I got an error that it is not a valid value.

You're right, Java 6 signs with the "SHA1-Digest" while Java 7 and later signs with "SHA-1-Digest". I've seen this difference, but Java 7+ accepts both. Unfortunately, I did not try with Java 6. Could you try to run (Java 6 version of) jarsigner -verify on the plugin with the "SHA-1-Digest" headers and give me the output? Thanks.

Here it is:

/usr/lib/jvm/java-6-openjdk-amd64/bin/jarsigner -verify /home/raev/git/andmore/andmore-core/site/target/repository/plugins/org.eclipse.andmore.android_0.5.0.201512071444.jar
jar verified.

Warning: 
This jar contains entries whose signer certificate will expire within six months. 

Re-run with the -verbose and -certs options for more details.

So it seems that the issue is not Java, the issue with "SHA-1-Digest" is in Equinox only. Do you have a stack trace or error message when you try to install the signed plugin in Indigo? Thanks again.

Cheers,
Mikael

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail


Back to the top