If anyone else wants such tests, please ask me via direct email
to avoid so much traffic on this list. And thanks to
those of you who have already taken action and have asked for help
directly!
Recent versions of Java, including the most recent Java 17
release, now consider some jar-signed bundles to be unsigned.
This affects all bundles and features signed between January
1, 2019 and April 14, 2022 with the Eclipse certificate
available at that time.
This is a very long list with many affected
projects:
But the Orbit repo with the resigned bundles is NOT the
one used by the Platform for their M3 contribution and is not
the one you/we should be using for M3 which is this one:
You should ensure that the
qualifiers of your bundles and features are newer than
2021-04, so that you don't have two of the "same
artifacts" but with different signatures, which is especially
important if you are doing baseline replacement in your
build. I can help test your repository if you need help.
Please reach out to me.
Everyone needs to ensure
that they consume from the next RC1 version of Orbit,
otherwise we are likely to end up with massive duplicate Orbit
bundles and that is likely to cause problems.
Meanwhile, I'm trying to enable PGP signing of the bundles
and features with these poor certificates to "repair" them.
But Tycho does appear to detect that a signature will be
ignored, provides no way to specify how to treat artifacts
that already have a PGP signature (it actually produces
duplicate properties in the artifacts.xml), and it appears the
PGP signatures for features are invalid, so I'm not sure I'll
be 100% successful in finding a workaround. The following
might be the best I can do on your behalf unless the PGP
feature signing issue is fixed:
Note that in this scenario, I am adding the sim-bot
PGP key/signature in addition to the key/signature already
present from the project. So all PGP-signed bundles will
generally have two PGP signatures, and in this exceptional
case, the bundle is jar-signed and has two PGP signatures:
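As an added example (not part of the message above, and not Tycho's or p2's own code), here is a small check a project could run over its p2 repository's artifacts.xml for two of the problems described: artifacts that carry duplicate property entries (as happens when a PGP signature property is written twice) and artifacts whose version qualifier is older than 2021-04. It assumes the p2 property names `pgp.signatures` and `pgp.publicKeys` for PGP metadata and that qualifiers contain a `vYYYYMMDD` date stamp; the sample repository fragment is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample artifacts.xml fragment (not from any real repository).
# Property names pgp.signatures / pgp.publicKeys are the ones p2 uses for
# PGP metadata (assumption); ids, versions and values are made up.
SAMPLE_ARTIFACTS_XML = """
<repository name='sample' type='org.eclipse.equinox.p2.artifact.repository.simpleRepository' version='1.0.0'>
  <artifacts size='3'>
    <artifact classifier='osgi.bundle' id='org.example.a' version='1.0.0.v20220414-1200'>
      <properties size='3'>
        <property name='artifact.size' value='1234'/>
        <property name='pgp.signatures' value='SIG-A'/>
        <property name='pgp.signatures' value='SIG-B'/>
      </properties>
    </artifact>
    <artifact classifier='osgi.bundle' id='org.example.b' version='2.0.0.v20200301-0900'>
      <properties size='1'>
        <property name='artifact.size' value='99'/>
      </properties>
    </artifact>
    <artifact classifier='org.eclipse.update.feature' id='org.example.feature' version='3.1.0.v20210501-0000'>
      <properties size='2'>
        <property name='artifact.size' value='42'/>
        <property name='pgp.publicKeys' value='KEY-1'/>
      </properties>
    </artifact>
  </artifacts>
</repository>
"""

# Date stamp inside an OSGi qualifier such as "v20220414-1200".
QUALIFIER_DATE = re.compile(r"v?(\d{8})")


def duplicate_properties(xml_text):
    """Map (id, version) -> sorted property names that occur more than once.

    A duplicated pgp.signatures entry is the symptom described in the message.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for art in root.iter("artifact"):
        counts = Counter(p.get("name") for p in art.iter("property"))
        dups = sorted(name for name, n in counts.items() if n > 1)
        if dups:
            result[(art.get("id"), art.get("version"))] = dups
    return result


def qualifier_date(version):
    """Return the YYYYMMDD stamp from an OSGi version qualifier, or None."""
    parts = version.split(".", 3)
    if len(parts) < 4:
        return None  # no qualifier segment at all
    match = QUALIFIER_DATE.search(parts[3])
    return match.group(1) if match else None


def stale_artifacts(xml_text, min_date="20210401"):
    """List (id, version) whose qualifier is older than min_date or unparseable.

    Default threshold corresponds to the "newer than 2021-04" advice.
    """
    root = ET.fromstring(xml_text)
    stale = []
    for art in root.iter("artifact"):
        stamp = qualifier_date(art.get("version", ""))
        if stamp is None or stamp < min_date:
            stale.append((art.get("id"), art.get("version")))
    return stale


def pgp_signed_artifacts(xml_text):
    """Map (id, version) -> number of pgp.signatures properties present."""
    root = ET.fromstring(xml_text)
    signed = {}
    for art in root.iter("artifact"):
        n = sum(1 for p in art.iter("property") if p.get("name") == "pgp.signatures")
        if n:
            signed[(art.get("id"), art.get("version"))] = n
    return signed


if __name__ == "__main__":
    print("duplicate properties:", duplicate_properties(SAMPLE_ARTIFACTS_XML))
    print("stale qualifiers:", stale_artifacts(SAMPLE_ARTIFACTS_XML))
    print("pgp-signed:", pgp_signed_artifacts(SAMPLE_ARTIFACTS_XML))
```

To run it against a real repository, read the repository's artifacts.xml (unpacking artifacts.jar first if the repository is compressed) and pass its text to the three functions in place of the constructed sample.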