Re: [orbit-dev] pack200:normalize cannot be called for signed jar

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [orbit-dev] pack200:normalize cannot be called for signed jar

From: Gunnar Wagenknecht <gunnar@xxxxxxxxxxxxxxx>
Date: Thu, 10 Nov 2016 08:31:07 +0100
Delivered-to: orbit-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/orbit-dev>
List-help: <mailto:orbit-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/orbit-dev>, <mailto:orbit-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/orbit-dev>, <mailto:orbit-dev-request@eclipse.org?subject=unsubscribe>

Yes, Markus is right. This is specifically the reason why signing is not enable for Gerrit jobs. It also causes unnecessary load on the signing service.

-Gunnar

--
Gunnar Wagenknecht
gunnar@xxxxxxxxxxxxxxx, http://guw.io/

On 10 Nov 2016, at 08:28, Markus Knauer <mknauer@xxxxxxxxxxxxxxxxx> wrote:

I would be extremely careful in that case. Usually my advice is *not* to enable signing on any Gerrit verification job, and I explicitly disable this in all my own job definitions.

Those builds are triggered by Gerrit, and everyone with push permissions to Gerrit (easy to achieve) can push and trigger new builds with unchecked content from the Gerrit change. Those builds are creating build artifacts that are signed with an Eclipse Foundation certificate then, and in my opinion it is not advisable to open that to nearly everyone. Just my thoughts.

Regards,
Markus

On 10 November 2016 at 00:02, Evgeny Mandrikov <mandrikov@xxxxxxxxx> wrote:
Thank you for addition of "-Peclipse-sign".
And problem solved by exclusion of original META-INF/MANIFEST.MF

On Wed, Nov 9, 2016 at 11:23 PM Evgeny Mandrikov <mandrikov@xxxxxxxxx> wrote:
On Wed, Nov 9, 2016 at 10:51 PM Roland Grunberg <rgrunber@xxxxxxxxxx> wrote:
It shouldn't be a problem to add -Peclipse-sign as part of the gerrit
build as well. I can try adding just that for the sake of being as
similar to the actual build as possible (not skipping jar signing)
given that the full build itself doesn't take that much extra time.

Great. This will be really helpful!
Unfortunately I stumbled across another re-signing problem - https://hudson.eclipse.org/orbit/job/orbit-recipes/87/console :(
Caused by presence of both new "SHA-256-Digest" and old "SHA1-Digest", and a bit puzzled why "resigningStrategy=OVERWRITE" doesn't remove existing. Maybe you have an idea?

Regards,
Evgeny

_______________________________________________
orbit-dev mailing list
orbit-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/orbit-dev

_______________________________________________
orbit-dev mailing list
orbit-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/orbit-dev

References:
- [orbit-dev] pack200:normalize cannot be called for signed jar
  - From: Evgeny Mandrikov
- Re: [orbit-dev] pack200:normalize cannot be called for signed jar
  - From: Roland Grunberg
- Re: [orbit-dev] pack200:normalize cannot be called for signed jar
  - From: Evgeny Mandrikov
- Re: [orbit-dev] pack200:normalize cannot be called for signed jar
  - From: Evgeny Mandrikov
- Re: [orbit-dev] pack200:normalize cannot be called for signed jar
  - From: Markus Knauer

Prev by Date: Re: [orbit-dev] pack200:normalize cannot be called for signed jar
Next by Date: Re: [orbit-dev] pack200:normalize cannot be called for signed jar
Previous by thread: Re: [orbit-dev] pack200:normalize cannot be called for signed jar
Next by thread: Re: [orbit-dev] pack200:normalize cannot be called for signed jar
Index(es):
- Date
- Thread

Breadcrumbs