Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [cross-project-issues-dev] A funny thing happened on the way to Mars.2 -- in Orbit

> > This  will only be relevant to you if you use
> > org.apache.httpcomponents.httpclient
> > and exactly version
> > 4.3.6.v201411290715
> We seem to have it in our Oomph repos. I've checked this:
>      estepper@build:~/oomph/drops/release/1.3.0/plugins> jarsigner -
> verify -certs
> org.apache.httpcomponents.httpclient_4.3.6.v201411290715.jar
>      jar verified.
> So, we're good, right?

Yes, you're good.

And, to clarify, that is the right version to have in your Mars.2 repos (if you use it at all).

But since there is a "bad" one out there (in Orbit, at least) with the same version, I was suggesting to verify if it was in your project repositories to make sure you had the good one.

If it is the good one, you get "jar verified" as above.

If it is "the bad one" it will be pretty obvious:

$ jarsigner -verify org.apache.httpcomponents.httpclient_4.3.6.v201411290715.jar
jarsigner: java.lang.SecurityException: SHA1 digest error for org/apache/http/client/cache/HttpCacheEntry.class

And, FYI, the code has not been "tampered with" in any "bad" way. It is just that since it is not signed correctly so p2 and others will not install it.


Back to the top