Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [cross-project-issues-dev] MD5 hash not as expect for org.eclipse.jetty.jndi 10.0.15

As I mentioned in this email

https://www.eclipse.org/lists/cross-project-issues-dev/msg19723.html

it is already fixed in staging.  You can verify that

https://download.eclipse.org/staging/2023-09/plugins/org.eclipse.jetty.jndi_10.0.15.jar

is not signed

and that it correctly matches the original md5 specified in the artifacts.jar:

$md5sum org.eclipse.jetty.jndi_10.0.15\(4\).jar
785f479c6433717bee8e9bb94df56c11 *org.eclipse.jetty.jndi_10.0.15(4).jar

On 29.08.2023 10:54, Oleksii Korniienko via cross-project-issues-dev wrote:
Hi, I'm working with Ondrej on it.

Is it possible to update it somehow on "https://download.eclipse.org/" ?

Best regards,
Oleksii Korniienko

On Mon, Aug 28, 2023 at 1:28 PM Joakim Erdfelt via cross-project-issues-dev <cross-project-issues-dev@xxxxxxxxxxx> wrote:
Since I'm the one that built Eclipse Jetty 10.0.15, let's see what's going on ...

First, the official release of 10.0.15 ...

The official release does not live on a P2 repository anywhere on download.eclipse.org
The official release exists as a maven (tycho) p2 artifact on maven central.
The official release of the jetty-jndi 10.0.15 artifact has the following verification ...

md5:    785f479c6433717bee8e9bb94df56c11
sha1:   7825525aae7c7e11e7cef57672e43e5e4d727856
sha256: c01a1d2ea0ebac1565f4c8e92d1b5151daf14ac09502efd52f5536a59245cb16


-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEWYm692IXuEPWa+VbLQ4fuP5LaLQFAmQ1mJ8ACgkQLQ4fuP5L
aLQYVQ/+ONbSADgGLnMxDSQ6A/tPo70citQMu4uNw6OE/eSb5kvya4cjRAxpbioD
vwcsDowHab2ydg4f+o9O+UnhKTUGxLFS+zjl42/WUlodgMFLZXf3mRJui19ful6P
pigeCdsasIBSgwu6ptq+ymKFLLwjH3P4jOip3pZkRujO9NsPDmtOX2biVjrK3VrW
6PHDh4ruxU9I2ApSgFjlYhbiYy4twhQiaEIwF5j5x2UUJGNbinRbmHpLe1OYy3AJ
70cpkd7jrRgwZ4r8TarKhUa2DiKncgm9lrDkLgoDrkQapGPxis5NSo0vXy6oyhYb
sCRZZF3MQMk26IDZYLWUAacyl4DuM5M2XwG5Pma2OYM15SLoA0NyVfGFQVUIEEEF
/Z1H5PELcf80VoOgtHPNLBJRM1BTijteFdHGteYju6l0s1Gh1b9LFxDzJ+eYEwFS
jG2IsnmF7hBZJk10a7NXnWAK3NguCQMLSVJ4KlaLMc2rzAGHkiDvAj0h6o/3UuPz
rxl+d5behICgZxRv8DIRmIVdZAe/2SjChIbiFcyVbIgEEBiM9xuHZqsCkPRpKl1a
i5xXmG/K1dsoVzFJAFGeZFf3XV8/rOad0xHxPkAOd2UlxG6ilkqu7uoUOY8eTru0
3l8j2KGUcXqvZ0+GnsQAWD2Ge4PZ+VYc7ba2GWfENNLH1YIy4g4=
=r9xH
-----END PGP SIGNATURE-----


The suspect org.eclipse.jetty.jndi_10.0.15.jar artifact found at https://download.eclipse.org/staging/2023-09/plugins/

Has the following verification (which doesn't match the official release) ...

md5:    8f2d6b1e2acef3285e3a12f62042890c
sha1:   488a1601bae6f4d0357e6a4b4174e1dcfca068af
sha256: 623f2009671f0138495fd659622fd78e3153671a50a1c280aeb2410e9365b455


Digging into the contents of the suspect org.eclipse.jetty.jndi_10.0.15.jar artifact I can see that it's been modified.
It appears that the META-INF/MANIFEST.MF has been modified, now every class has a SHA-256-Digest entry.
There are also a new META-INF/ECLIPSE_.SF and META-INF/ECLIPSE_.RSA entries in the jar file (likely JAR signatures).

The binary comparison of the contents of the official jar vs the eclipse jar shows that only the 3 files mentioned above are different.
META-INF/MANIFEST.MF
META-INF/ECLIPSE_.SF
META-INF/ECLIPSE_.RSA
The rest of the files are identical to the official jetty-jndi 10.0.15 artifact.

I don't understand why Jetty is present anywhere on download.eclipse.org in this molested form, the tycho-p2 information present on maven central for Eclipse Jetty contains all of the validation, verification (3 kinds), and signatures (2 kinds) to satisfy P2 without modifying the original artifacts.  The Jetty Tycho P2 maven repository is how the Eclipse Jetty artifacts are meant to be consumed, not via these transient ancient Eclipse P2 repositories.

The Jetty Tycho P2 information on Maven Central -> https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-p2/11.0.15/

Now, back to your error ...
12:05:07 [ERROR]    Problems downloading artifact: osgi.bundle,org.eclipse.jetty.jndi,10.0.15.:
12:05:07 [ERROR]       MD5 hash is not as expected. Expected: 785f479c6433717bee8e9bb94df56c11 and found 8f2d6b1e2acef3285e3a12f62042890c.

The "Expected" hash value in your error is the official artifact md5 hash value, the "found" hash value in your error is the md5 hash value for the download.eclipse.org artifact.

Of special note ...

Over the past couple of years the Eclipse Jetty project has learned of several projects that provide Supply Chain Auditing for anyone that is concerned about that.
Every official release of Eclipse Jetty gets updated in these various databases.
The process that these Ancient Eclipse P2 Repositories use, where we modify various official artifacts with JAR signatures on every transient build of these P2 repositories, is the reason the ancient Eclipse P2 technique artifacts will never be recognized by any of those supply chain databases as the official release of those artifacts.
Releasing the same artifacts as official releases at a later date, using these ancient Eclipse P2 techniques, is just inviting failed audits (and this isn't limited to Eclipse Jetty, it also includes any 3rd party jar/lib that is modified by this ancient Eclipse P2 technique).

- Joakim


On Mon, Aug 28, 2023 at 5:12 AM Ondrej Dockal via cross-project-issues-dev <cross-project-issues-dev@xxxxxxxxxxx> wrote:
Hey folks,

in RedDeer build [1] we are facing an issue when running the tests with a checksum for org.eclipse.jetty.jndi.

Error message:
12:05:07 [INFO] Fetching org.eclipse.jetty.util_10.0.15.jar from https://download.eclipse.org/staging/2023-09/plugins/ (557.33kB)
12:05:07 [INFO] Fetching org.eclipse.jetty.jndi_10.0.15.jar from https://download.eclipse.org/staging/2023-09/plugins/ (56.39kB)
12:05:07 [ERROR] An error occurred while transferring artifact canonical: osgi.bundle,org.eclipse.jetty.jndi,10.0.15 from repository https://download.eclipse.org/staging/2023-09:
12:05:07 [ERROR]    Problems downloading artifact: osgi.bundle,org.eclipse.jetty.jndi,10.0.15.:
12:05:07 [ERROR]       MD5 hash is not as expected. Expected: 785f479c6433717bee8e9bb94df56c11 and found 8f2d6b1e2acef3285e3a12f62042890c.

Any hints?

Regards,

Ondrej

[1]: https://ci.eclipse.org/reddeer/job/reddeer.verification.parametrized/136/console
--

Ondrej Dockal

Senior Software Quality Engineer, Developer QE

Red Hat Czech, s.r.o.

Purkyňova 111

Brno 612 00, Czech Republic

odockal@xxxxxxxxxx

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev

Back to the top