Re: [cross-project-issues-dev] ACTION REQUIRED: Houston We Have a Problem
I think what you describe with Tycho adding two PGP signatures is what's
described here.
If you think this could help here, please describe steps to reproduce
there and I can take a look to provide a patch for that and probably
even a backport if required.
On 14.11.22 at 13:43, Ed Merks wrote:
Recent versions of Java, including the most recent Java 17 release, now
consider some jar-signed bundles to be unsigned. This affects all
bundles and features signed between January 1, 2019 and April 14, 2022
with the Eclipse certificate available at that time.
This is a *very* long list with many affected projects:
The Platform has resigned their problematic bundles already:
Orbit too has resigned the problematic bundles:
But the Orbit repo with the resigned bundles is *NOT* the one used by
the Platform for their M3 contribution and is not the one you/we should
be using for M3 which is this one:
*These projects need to do new builds*:
You should *ensure that the qualifiers of your bundles and features are
newer than 2021-04*, so that you don't have two of the "same artifacts" but
with different signatures, which is especially important if you are
doing baseline replacement in your build. I can help test your
repository if you need help. Please reach out to me.
*Everyone needs to ensure that they consume from the next RC1 version
of Orbit*, otherwise we are likely to end up with massive duplicate
Orbit bundles and that is likely to cause problems.
I hope someone from Mylyn is paying attention!
Meanwhile, I'm trying to enable PGP signing of the bundles and features
with these poor certificates to "repair" them. But, Tycho does appear
to detect that a signature will be ignored, provides no way to specify
how to treat artifacts that already have a PGP signature (it actually
produces duplicate properties in the artifacts.xml), and it appears the
PGP signatures for features are invalid, so I'm not sure I'll be 100%
successful in finding a workaround. The following might be the best I
can do on your behalf unless the PGP feature signing issue is fixed:
Note that in this scenario, I am *adding* the sim-bot PGP key/signature
in addition to the key/signature already present from the project. So
all PGP-signed bundles will generally have two PGP signatures, and in
this exceptional case, the bundle is jar-signed and has two PGP signatures:
With PGP-signed features, p2 fails to validate them making them
impossible to download/install, so in this case the cure is worse than
Perhaps this issue can be fixed in the coming days...
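
An added example, not part of the original message and not Tycho or p2 code: the quoted message mentions duplicate properties ending up in artifacts.xml when an artifact that already has a PGP signature is signed again. The Python check below lists every artifact whose `<properties>` block repeats a property name. The sample XML is constructed, and the `pgp.signatures` property name in it is an assumption about p2 metadata.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the general shape of a p2 artifacts.xml.
# Bundle ids, versions and values are made up; 'pgp.signatures' is an assumed name.
SAMPLE_ARTIFACTS_XML = """
<repository name='constructed sample' version='1'>
  <artifacts size='2'>
    <artifact classifier='osgi.bundle' id='example.bundle.a' version='1.0.0.v20200101-0000'>
      <properties size='3'>
        <property name='download.size' value='1234'/>
        <property name='pgp.signatures' value='SIGNATURE-FROM-PROJECT'/>
        <property name='pgp.signatures' value='SIGNATURE-ADDED-LATER'/>
      </properties>
    </artifact>
    <artifact classifier='osgi.bundle' id='example.bundle.b' version='2.0.0.v20221101-0000'>
      <properties size='2'>
        <property name='download.size' value='5678'/>
        <property name='pgp.signatures' value='SINGLE-SIGNATURE'/>
      </properties>
    </artifact>
  </artifacts>
</repository>
"""


def duplicate_properties(xml_text):
    """Map (classifier, id, version) -> sorted property names that occur more than once."""
    root = ET.fromstring(xml_text.strip())
    findings = {}
    for artifact in root.iter("artifact"):
        # Count property names within this one artifact only.
        names = Counter(p.get("name") for p in artifact.iter("property"))
        repeated = sorted(name for name, count in names.items() if count > 1)
        if repeated:
            key = (artifact.get("classifier"), artifact.get("id"), artifact.get("version"))
            findings[key] = repeated
    return findings


if __name__ == "__main__":
    for (classifier, ident, version), names in duplicate_properties(SAMPLE_ARTIFACTS_XML).items():
        print(f"{classifier} {ident} {version}: duplicate properties {names}")
```
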