[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [cross-project-issues-dev] More on signing, packing, and Java 7 ...

I think you are right, the issue is limited to artifacts with nested
jars. Sorry about the noise.

--
Regards,
Igor

On 12-05-26 7:39 PM, David M Williams wrote:
 > I believe these expired certificates cause P2 to download both pack.gz
 > and jar flavours of the same artifact

This would be important to know, if confirmed.

Since you mentioned "Java 7", I will point out there is a known issue
with Java 7 and bundles that have "nested jars" that will cause dual
downloads.
https://bugs.eclipse.org/bugs/show_bug.cgi?id=361628

It has nothing to do with "expired certificates" but with a subtle
change in Java 7 such that nested jars cannot be unpacked with Java 7.
No "general solution" has been found, but it is expected to cause more
"dual downloads" of pack.gz files plus then the jar file (once it is
discovered the pack.gz file can not be correctly unpacked),
when Java 7 is being used.

On the Java 7 pack.gz issue: While it is recommended that no one have
nested jars in the first place :) if you must (and, there are some
legitimate cases), it is recommended (for most cases) that the bundle
provider addan eclipse.inf file to the META-INF directory, and in it
specify
jarprocessor.exclude.children
See _http://wiki.eclipse.org/JarProcessor_Options_

But, back to expired certificate, if you confirm the expired certificate
causes this dual download (independent of nested jars) it would be worth
a cross-project bug, where we could discuss what to do about it, if
anything.

Thanks,




Inactive hide details for Igor Fedorenko ---05/26/2012 06:30:42 PM---I believe these expired certificates cause P2 to download Igor Fedorenko ---05/26/2012 06:30:42 PM---I believe these expired certificates cause P2 to download both pack.gz and jar flavours of the same

From: Igor Fedorenko <ifedorenko@xxxxxxxxxxxx>
To: cross-project-issues-dev@xxxxxxxxxxx,
Date: 05/26/2012 06:30 PM
Subject: Re: [cross-project-issues-dev] Yet another nag note ... and, I
mean it this time!
Sent by: cross-project-issues-dev-bounces@xxxxxxxxxxx

------------------------------------------------------------------------



I believe these expired certificates cause P2 to download both pack.gz
and jar flavours of the same artifact when Eclipse is running on SUN
Java 7. At least this is the behaviour I see with Juno M7 P2 runtime
included with Tycho. Don't know if newer P2 behaves differently or if
the problem is limited to Tycho.

--
Regards,
Igor

On 12-05-24 10:27 AM, Denis Roy wrote:
 > On 05/24/2012 06:30 AM, Stephan Herrmann wrote:
 >> On 05/24/2012 06:40 AM, David M Williams wrote:
 >>> Look at these reports:
 >>>
 >>> http://build.eclipse.org/juno/simrel/reporeports/
 >>
 >> Looking at verified.txt I see lots of
 >> "jar verified. Warning: This jar contains entries whose signer
 >> certificate has expired. Re-run with the -verbose and -certs options
 >> for more details."
 >>
 >> It seems to fix this we'd have to re-build and sign ALL jars that
 >> have been signed before the switch to the new certificate and never
 >> changed since?
 >
 > Technically, you don't need to rebuild and resign your jars. It's just
 > a warning that the certificate used is now expired, but the signature is
 > perfectly valid.
 >
 > If you absolutely want to eliminate the warning, just re-sign the jars
 > with the new cert. No need to rebuild them.
 >
 > Denis
 > _______________________________________________
 > cross-project-issues-dev mailing list
 > cross-project-issues-dev@xxxxxxxxxxx
 > https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev




_______________________________________________ cross-project-issues-dev mailing list cross-project-issues-dev@xxxxxxxxxxx https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev