Re: [cross-project-issues-dev] Problems with signed jars on deployed p2 repositories

It looks like you are running into this:

It's a disabled algorithm and potentially also a too short key.


Gunnar Wagenknecht

> On Apr 10, 2018, at 06:35, Karsten Thoms <karsten.thoms@xxxxxxxxx> wrote:
> We are facing problems with signed jars in Xtext repositories [1] that fail the jarsigner's verification. The problem was initially reported in bug#533359 [2]. Initially it seemed that a specific Orbit library, org.antlr.runtime, was affected, but running
>    jarsigner -verify -strict
> on Xtext’s whole composite repository shows that multiple other jars suffer from the same problem. I created a job on Xtext’s JIPP that lists the result of jarsigner: [3]
> With additional verbosity of jarsigner’s output the following entries are printed (full text in [1], comment#20)
>       [certificate is valid from 1/29/96 1:00 AM to 8/2/28 1:59 AM]
>       [CertPath not validated: Algorithm constraints check failed: MD2withRSA]
> So how can this be? I’m not familiar with the details behind this.
> And how could this be fixed? Do we have to sign all jars again? How do we come to valid repositories again?
> Do other projects have similar problems?
> Kind regards,
> ~Karsten
> [1] 
> [2] 
> [3]
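
An added example, not part of the original messages: a shell helper that groups the `CertPath not validated` reasons in jarsigner's verbose output, so a whole repository can be checked for the failure quoted above. The function names, the sample text and the choice of `-verbose -certs` as the "additional verbosity" are assumptions made for this example.

```shell
#!/bin/sh
# Added example: summarise cert-path validation failures reported by jarsigner.

# Constructed sample, built from the two output lines quoted in the thread
# (repeated to stand for two signed entries).
SAMPLE_OUTPUT='      [certificate is valid from 1/29/96 1:00 AM to 8/2/28 1:59 AM]
      [CertPath not validated: Algorithm constraints check failed: MD2withRSA]
      [certificate is valid from 1/29/96 1:00 AM to 8/2/28 1:59 AM]
      [CertPath not validated: Algorithm constraints check failed: MD2withRSA]'

# Read jarsigner output on stdin and print "<count><TAB><reason>" for every
# distinct reason given after "CertPath not validated: ".
certpath_failures() {
    awk -F'CertPath not validated: ' '
        NF > 1 { sub(/\].*$/, "", $2); count[$2]++ }
        END    { for (r in count) printf "%d\t%s\n", count[r], r }' | sort
}

# Verify every jar below a directory (hypothetical helper; needs jarsigner on
# PATH) and print the jars whose certificate path was rejected, with reasons.
scan_repo() {
    find "$1" -name '*.jar' | while IFS= read -r jar; do
        reasons=$(jarsigner -verify -strict -verbose -certs "$jar" 2>&1 |
                  certpath_failures)
        if [ -n "$reasons" ]; then
            printf '%s\n%s\n' "$jar" "$reasons"
        fi
    done
}

# With a directory argument, scan it; otherwise summarise the sample above.
if [ "$#" -gt 0 ]; then
    scan_repo "$1"
else
    printf '%s\n' "$SAMPLE_OUTPUT" | certpath_failures
fi
```

The rejection itself comes from the JDK's `jdk.certpath.disabledAlgorithms` security property, which is why the same jar can verify on one Java installation and fail on another.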
