Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jgit-dev] Could jgit be packaged with Bouncy Castle?

On 24/09/2013 00:02, Matthias Sohn wrote:
On Mon, Sep 23, 2013 at 10:30 PM, James Yonan <james@xxxxxxxxxxx
<mailto:james@xxxxxxxxxxx>> wrote:

    PBEWithMD5AndDES is woefully inadequate these days, and getting jgit
    to see a separately installed Bouncy Castle provider is tricky
    without editing system config files.

    It would be great if Bouncy Castle could be packaged into the jgit
    standalone binary.

I need to find time to fix
Which bouncycastle library to you need ? We have an IP approval to use
bcpg-jdk15on and bcprov-jdk15on in version 1.47 but due to bug 391302
they are not yet available in Orbit.

Latest stable would be great. Not too particular, just looking for reasonable strong crypto options such as PBEWITHSHA256AND256BITAES-CBC-BC for using S3 as a backing store.

BTW, is it even possible for an end user to build jgit command line tool + bouncy castle together via maven without any special code signing authority? I attempted it and had all sorts of problems such as:

* java.lang.SecurityException: Invalid signature file digest for Manifest main attributes -- apparently an issue with maven shade plugin interacting badly with BC signature

* Tried excluding the sigs from maven shade plugin with


This fixed the "Invalid signature file digest for Manifest main attributes", however jgit could still not see the BC ciphers.

* The only way I was able to make it work was by linking to BC .jar at runtime. I used this snippet in pom.xml, set JGIT_CLASSPATH, and did Security.addProvider(new BouncyCastleProvider()) in main().


This is okay for now, but still an integrated build would be great that supports BC out of the box.


Back to the top