[cross-project-issues-dev] ACTION REQUIRED: Houston We Have a Problem
Recent versions of Java, including the most recent Java 17
release, now consider some jar-signed bundles to be unsigned.
This affects all bundles and features signed between January 1,
2019 and April 14, 2022 with the Eclipse certificate available at
This is a very long list with many affected projects:
The Platform has resigned their problematic bundles already:
Orbit too has resigned the problematic bundles:
But the Orbit repo with the resigned bundles is NOT the
one used by the Platform for their M3 contribution and is not the
one you/we should be using for M3 which is this one:
These projects need to do new builds:
You should ensure that the qualifiers
of your bundles and features are newer than 2021-04,
so that you don't have two the "same artifacts" but with different
signatures, which is especially important if you are doing
baseline replacement in your build. I can help test your
repository if you need help. Please reach out to me.
Everyone needs to ensure that
they consume from the next RC1 version of Orbit,
otherwise we are likely to end up with massive duplicate Orbit
bundles and that is likely to cause problems.
I hope someone from Mylyn is paying attention!
Meanwhile, I'm trying to enable PGP signing of the bundles and
features with this poor certificates to "repair" them. But,
Tycho does appear to detect that a signature will be ignored,
provides no way to specify how to treat artifacts that already
have a PGP signature (it actually produces duplicate properties in
the artifacts.xml), and it appears the PGP signatures for features
are invalid, so I'm not sure I'll be 100% successful in finding a
workaround. The following might be the best I can do on your
behalf unless the PGP feature signing issue is fixed:
Note that in this scenario, I am adding the sim-bot PGP
key/signature in addition to the key/signature already present
from the project. So all PGP-signed bundles will generally have
two PGP signatures, and in this exceptional case, the bundle is
jar-signed and has two PGP signatures:
With PGP-signed features, p2 fails to validate them making them
impossible to download/install, so in this case the cure is worse
than the disease:
Perhaps this issue can be fixed in the coming days...