Re: [cross-project-issues-dev] MD5 hash not as expected for org.eclipse.jetty.jndi 10.0.15

Since I'm the one that built Eclipse Jetty 10.0.15, let's see what's going on ...

First, the official release of 10.0.15 ...

The official release does not live on a P2 repository anywhere on
The official release exists as a maven (tycho) p2 artifact on maven central.
The official release of the jetty-jndi 10.0.15 artifact has the following verification ...

md5:    785f479c6433717bee8e9bb94df56c11
sha1:   7825525aae7c7e11e7cef57672e43e5e4d727856
sha256: c01a1d2ea0ebac1565f4c8e92d1b5151daf14ac09502efd52f5536a59245cb16
The suspect org.eclipse.jetty.jndi_10.0.15.jar artifact found at

Has the following verification (which doesn't match the official release) ...

md5:    8f2d6b1e2acef3285e3a12f62042890c
sha1:   488a1601bae6f4d0357e6a4b4174e1dcfca068af
sha256: 623f2009671f0138495fd659622fd78e3153671a50a1c280aeb2410e9365b455

Digging into the contents of the suspect org.eclipse.jetty.jndi_10.0.15.jar artifact I can see that it's been modified.
It appears that the META-INF/MANIFEST.MF has been modified, now every class has a SHA-256-Digest entry.
There are also new META-INF/ECLIPSE_.SF and META-INF/ECLIPSE_.RSA entries in the jar file (likely JAR signatures).

The binary comparison of the contents of the official jar vs the eclipse jar shows that only the 3 files mentioned above are different.
The rest of the files are identical to the official jetty-jndi 10.0.15 artifact.

I don't understand why Jetty is present anywhere on in this molested form. The tycho-p2 information present on maven central for Eclipse Jetty contains all of the validation, verification (3 kinds), and signatures (2 kinds) to satisfy P2 without modifying the original artifacts. The Jetty Tycho P2 maven repository is how the Eclipse Jetty artifacts are meant to be consumed, not via these transient ancient Eclipse P2 repositories.

The Jetty Tycho P2 information on Maven Central ->

Now, back to your error ...
12:05:07 [ERROR]    Problems downloading artifact: osgi.bundle,org.eclipse.jetty.jndi,10.0.15.:
12:05:07 [ERROR]       MD5 hash is not as expected. Expected: 785f479c6433717bee8e9bb94df56c11 and found 8f2d6b1e2acef3285e3a12f62042890c.

The "Expected" hash value in your error is the official artifact md5 hash value; the "found" hash value in your error is the md5 hash value for the artifact.

Of special note ...

Over the past couple of years the Eclipse Jetty project has learned of several projects that provide Supply Chain Auditing for anyone that is concerned about that.
Every official release of Eclipse Jetty gets updated in these various databases.
The process that these Ancient Eclipse P2 Repositories use, where we modify various official artifacts with JAR signatures on every transient build of these P2 repositories, is the reason the ancient Eclipse P2 technique artifacts will never be recognized by any of those supply chain databases as the official release of those artifacts.
Releasing the same artifacts as official releases at a later date, using these ancient Eclipse P2 techniques, is just inviting failed audits (and this isn't limited to Eclipse Jetty, it also includes any 3rd party jar/lib that is modified by this ancient Eclipse P2 technique).

- Joakim
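The check Joakim describes above, reproduced as an added example (not code from the thread or from the Jetty project): checksum both jars, then diff their entries so a jar that differs only in the manifest plus the ECLIPSE_.SF/.RSA signature entries can be told apart from one whose classes actually changed. The jars below are constructed stand-ins, not real Jetty artifacts.

```python
import hashlib
import io
import zipfile

# Entries a JAR-signing pass is expected to add or rewrite (signature file name
# ECLIPSE_ as seen in the thread). Anything else changing means real content changed.
SIGNING_ENTRIES = {"META-INF/MANIFEST.MF", "META-INF/ECLIPSE_.SF", "META-INF/ECLIPSE_.RSA"}

def checksums(data: bytes) -> dict:
    """Whole-file md5/sha1/sha256, the three digests Maven/P2 metadata record."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}

def jar_entries(data: bytes) -> dict:
    """Map entry name -> sha256 of its uncompressed contents."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}

def diff_jars(official: bytes, suspect: bytes) -> set:
    """Entry names added, removed or changed in the suspect jar."""
    a, b = jar_entries(official), jar_entries(suspect)
    return {n for n in a.keys() | b.keys() if a.get(n) != b.get(n)}

def classify(official: bytes, suspect: bytes) -> str:
    """'identical', 'resigned-only' (only signing metadata differs) or 'content-changed'."""
    if checksums(official) == checksums(suspect):
        return "identical"
    return "resigned-only" if diff_jars(official, suspect) <= SIGNING_ENTRIES else "content-changed"

def build_jar(entries: dict) -> bytes:
    """Build a constructed sample jar (not a real Jetty artifact) from name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed stand-ins: the "official" jar, the same jar after a signing pass
# (manifest gains per-class digests, .SF/.RSA added), and one with an altered class.
CLASS = b"\xca\xfe\xba\xbe official body"
OFFICIAL = build_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n", "org/example/Foo.class": CLASS})
RESIGNED = build_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n\nName: org/example/Foo.class\nSHA-256-Digest: (constructed)\n",
                      "META-INF/ECLIPSE_.SF": b"Signature-Version: 1.0\n",
                      "META-INF/ECLIPSE_.RSA": b"(constructed signature block)",
                      "org/example/Foo.class": CLASS})
TAMPERED = build_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n", "org/example/Foo.class": CLASS + b" patched"})

if __name__ == "__main__":
    print(classify(OFFICIAL, RESIGNED), sorted(diff_jars(OFFICIAL, RESIGNED)))
```

On real files, pass the bytes of the Maven Central jar and the P2 mirror's jar to `classify`; a "resigned-only" result matches the situation in the thread, while "content-changed" warrants a closer look.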

On Mon, Aug 28, 2023 at 5:12 AM Ondrej Dockal via cross-project-issues-dev <cross-project-issues-dev@xxxxxxxxxxx> wrote:
Hey folks,

in RedDeer build [1] we are facing an issue when running the tests with a checksum for org.eclipse.jetty.jndi.

Error message:
12:05:07 [INFO] Fetching org.eclipse.jetty.util_10.0.15.jar from (557.33kB)
12:05:07 [INFO] Fetching org.eclipse.jetty.jndi_10.0.15.jar from (56.39kB)
12:05:07 [ERROR] An error occurred while transferring artifact canonical: osgi.bundle,org.eclipse.jetty.jndi,10.0.15 from repository
12:05:07 [ERROR]    Problems downloading artifact: osgi.bundle,org.eclipse.jetty.jndi,10.0.15.:
12:05:07 [ERROR]       MD5 hash is not as expected. Expected: 785f479c6433717bee8e9bb94df56c11 and found 8f2d6b1e2acef3285e3a12f62042890c.

Any hints?


Ondrej Dockal
Senior Software Quality Engineer, Developer QE
Red Hat Czech, s.r.o.
Purkyňova 111
Brno 612 00, Czech Republic

