Since I'm the one that built Eclipse Jetty
10.0.15, let's see what's going on ...
First, the official release of 10.0.15 ...
The official release exists as a maven (tycho) p2
artifact on maven central.
The official release of the jetty-jndi 10.0.15 artifact
has the following verification ...
md5:
785f479c6433717bee8e9bb94df56c11
sha1: 7825525aae7c7e11e7cef57672e43e5e4d727856
sha256:
c01a1d2ea0ebac1565f4c8e92d1b5151daf14ac09502efd52f5536a59245cb16
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEWYm692IXuEPWa+VbLQ4fuP5LaLQFAmQ1mJ8ACgkQLQ4fuP5L
aLQYVQ/+ONbSADgGLnMxDSQ6A/tPo70citQMu4uNw6OE/eSb5kvya4cjRAxpbioD
vwcsDowHab2ydg4f+o9O+UnhKTUGxLFS+zjl42/WUlodgMFLZXf3mRJui19ful6P
pigeCdsasIBSgwu6ptq+ymKFLLwjH3P4jOip3pZkRujO9NsPDmtOX2biVjrK3VrW
6PHDh4ruxU9I2ApSgFjlYhbiYy4twhQiaEIwF5j5x2UUJGNbinRbmHpLe1OYy3AJ
70cpkd7jrRgwZ4r8TarKhUa2DiKncgm9lrDkLgoDrkQapGPxis5NSo0vXy6oyhYb
sCRZZF3MQMk26IDZYLWUAacyl4DuM5M2XwG5Pma2OYM15SLoA0NyVfGFQVUIEEEF
/Z1H5PELcf80VoOgtHPNLBJRM1BTijteFdHGteYju6l0s1Gh1b9LFxDzJ+eYEwFS
jG2IsnmF7hBZJk10a7NXnWAK3NguCQMLSVJ4KlaLMc2rzAGHkiDvAj0h6o/3UuPz
rxl+d5behICgZxRv8DIRmIVdZAe/2SjChIbiFcyVbIgEEBiM9xuHZqsCkPRpKl1a
i5xXmG/K1dsoVzFJAFGeZFf3XV8/rOad0xHxPkAOd2UlxG6ilkqu7uoUOY8eTru0
3l8j2KGUcXqvZ0+GnsQAWD2Ge4PZ+VYc7ba2GWfENNLH1YIy4g4=
=r9xH
-----END PGP SIGNATURE-----
Has the following verification (which doesn't match the
official release) ...
md5:
8f2d6b1e2acef3285e3a12f62042890c
sha1: 488a1601bae6f4d0357e6a4b4174e1dcfca068af
sha256:
623f2009671f0138495fd659622fd78e3153671a50a1c280aeb2410e9365b455
Digging into the contents of the suspect
org.eclipse.jetty.jndi_10.0.15.jar artifact I can see that
it's been modified.
It appears that the META-INF/MANIFEST.MF has been
modified, now every class has a SHA-256-Digest entry.
There are also a new META-INF/ECLIPSE_.SF and
META-INF/ECLIPSE_.RSA entries in the jar file (likely JAR
signatures).
The binary comparison of the contents of the official
jar vs the eclipse jar shows that only the 3 files
mentioned above are different.
META-INF/MANIFEST.MF
META-INF/ECLIPSE_.SF
META-INF/ECLIPSE_.RSA
The rest of the files are identical to the official
jetty-jndi 10.0.15 artifact.
I don't understand why Jetty is present anywhere on
download.eclipse.org in this
molested form, the tycho-p2 information present on maven
central for Eclipse Jetty contains all of the validation,
verification (3 kinds), and signatures (2 kinds) to
satisfy P2 without modifying the original artifacts. The
Jetty Tycho P2 maven repository is how the Eclipse Jetty
artifacts are meant to be consumed, not via these
transient ancient Eclipse P2 repositories.
Now, back to your error ...
12:05:07 [ERROR] Problems downloading artifact:
osgi.bundle,org.eclipse.jetty.jndi,
10.0.15.:
12:05:07 [ERROR] MD5 hash is not as expected.
Expected: 785f479c6433717bee8e9bb94df56c11 and found
8f2d6b1e2acef3285e3a12f62042890c.
The "Expected" hash value in your error is the official
artifact md5 hash value, the "found" hash value in your
error is the md5 hash value for the
download.eclipse.org
artifact.
Of special note ...
Over the past couple of years the Eclipse Jetty project
has learned of several projects that provide Supply Chain
Auditing for anyone that is concerned about that.
Every official release of Eclipse Jetty gets updated in
these various databases.
The process that these Ancient Eclipse P2 Repositories
use, where we modify various official artifacts with JAR
signatures on every transient build of these P2
repositories, is the reason the ancient Eclipse P2
technique artifacts will never be recognized by any of
those supply chain databases as the official release of
those artifacts.
Releasing the same artifacts as official releases at a
later date, using these ancient Eclipse P2 techniques, is
just inviting failed audits (and this isn't limited to
Eclipse Jetty, it also includes any 3rd party jar/lib that
is modified by this ancient Eclipse P2 technique).
- Joakim