Re: [orbit-dev] Orbit bundles whose certificates have expired.

On Mon, 2019-10-28 at 16:22 +0000, Mat Booth wrote:
> I'm sure people notice the "do you trust this certificate" dialog that you see when you install some plug-ins. I'm pretty sure this is because there are many old bundles in Orbit that are signed by a now-expired certificate, and these are in turn still distributed by the release train.
> 
> When I checked all the orbit bundles I have installed, all the bundles with invalid certs look the same, for example:
> 
> org.w3c.dom.smil_1.0.1.v200903091627 invalid certificate
>   CN="Eclipse Foundation, Inc.", OU=IT, O="Eclipse Foundation, Inc.", L=Ottawa, ST=Ontario, C=CA
>   Valid from: Wed Mar 04 00:00:00 GMT 2015
>   Valid until: Thu Mar 08 12:00:00 GMT 2018
> 
> Is there a way we can resign all the bundles that are currently signed with this expired cert?

I believe so. I have a JIRO job that I'm preparing for this. I just
haven't used it since the migration so some tweaks are required.

> 
> There must be a way to do so without bumping the qualifier -- in the above example, the qualifier is much older than the start date of the certificate used to sign it, so my guess is this happened once before and we were successful in resigning all bundles without bumping the qualifier.

In the past we just re-signed the bundle, and didn't bump the
qualifier. There was some opposition, but this was the cleanest
approach to address the fact that technically, the content of the jar
being consumed remains unchanged.

Cheers,
-- 
Roland Grunberg
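Two checks a maintainer would want around this discussion, as an added example that is not code from this thread, from Orbit or from the Eclipse signing service: first, parse a certificate report in the layout quoted above (the `org.w3c.dom.smil` entry is the one from the mail; the second bundle and its signer are constructed so the sample has a non-expired case) and list the bundles whose signer has expired at a given date; second, confirm that a re-signed jar still carries exactly the same payload as the original, which is the condition under which leaving the qualifier untouched is justified. The payload comparison assumes the standard jar-signing layout, in which signing rewrites `META-INF/MANIFEST.MF` and adds `META-INF/*.SF` plus a `*.RSA`/`*.DSA`/`*.EC` signature block; all jars below are built in memory from constructed entries. The date format assumed is the `Valid from`/`Valid until` form shown in the quoted report.

```python
import hashlib
import io
import re
import zipfile
from datetime import datetime, timezone

# --- Part 1: flag bundles whose signing certificate has expired ---------------
# Constructed sample in the layout of the report quoted in the thread: one
# unindented header line per bundle, followed by indented certificate fields.
# The first record is the real one from the mail; the second is made up.
SAMPLE_REPORT = """\
org.w3c.dom.smil_1.0.1.v200903091627 invalid certificate
  CN="Eclipse Foundation, Inc.", OU=IT, O="Eclipse Foundation, Inc.", L=Ottawa, ST=Ontario, C=CA
  Valid from: Wed Mar 04 00:00:00 GMT 2015
  Valid until: Thu Mar 08 12:00:00 GMT 2018
org.example.fresh_2.0.0.v20190101 valid certificate
  CN="Example Signer", O="Example", C=US
  Valid from: Tue Jan 01 00:00:00 GMT 2019
  Valid until: Fri Jan 01 00:00:00 GMT 2100
"""

DATE_FMT = "%a %b %d %H:%M:%S %Z %Y"  # "Thu Mar 08 12:00:00 GMT 2018"


def parse_report_date(s):
    # strptime accepts "GMT" for %Z but returns a naive datetime, so attach UTC
    # explicitly so the values can be compared against an aware "now".
    return datetime.strptime(s.strip(), DATE_FMT).replace(tzinfo=timezone.utc)


def parse_report(text):
    """Parse the report into dicts with keys bundle, subject, valid_from, valid_until."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Header line: "<bundle>_<version> [in]valid certificate"
            records.append({"bundle": line.split()[0]})
            continue
        field = line.strip()
        rec = records[-1]
        if field.startswith("Valid from:"):
            rec["valid_from"] = parse_report_date(field[len("Valid from:"):])
        elif field.startswith("Valid until:"):
            rec["valid_until"] = parse_report_date(field[len("Valid until:"):])
        else:
            rec["subject"] = field  # the signer DN line
    return records


def expired_bundles(records, now):
    """Bundle names whose signing certificate is no longer valid at `now`."""
    return sorted(r["bundle"] for r in records if r["valid_until"] < now)


# --- Part 2: confirm a re-signed jar carries the same payload -----------------
# Signing rewrites MANIFEST.MF (per-entry digests) and adds the .SF file and the
# signature block; everything else must be byte-identical if the qualifier is
# to stay the same. Directory entries are skipped as well.
SIGNATURE_FILE = re.compile(r"^META-INF/(MANIFEST\.MF|[^/]+\.(SF|RSA|DSA|EC))$", re.IGNORECASE)


def payload_digest(jar_bytes):
    """SHA-256 over sorted (entry name, entry SHA-256) pairs of non-signature entries."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if name.endswith("/") or SIGNATURE_FILE.match(name):
                continue
            h.update(name.encode("utf-8") + b"\0")
            h.update(hashlib.sha256(zf.read(name)).digest())
    return h.hexdigest()


def same_payload(jar_a, jar_b):
    return payload_digest(jar_a) == payload_digest(jar_b)


def build_jar(entries):
    """Build an in-memory jar from a {name: bytes} mapping (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


CLASS_BYTES = b"\xca\xfe\xba\xbe" + b"\x00" * 12  # constructed stand-in for a .class file
MANIFEST = b"Manifest-Version: 1.0\nBundle-SymbolicName: org.example\n"
SIGNED_MANIFEST = MANIFEST + b"\nName: org/example/A.class\nSHA-256-Digest: (constructed)\n"

ORIGINAL = build_jar({"META-INF/MANIFEST.MF": MANIFEST, "org/example/A.class": CLASS_BYTES})
RESIGNED = build_jar({
    "META-INF/MANIFEST.MF": SIGNED_MANIFEST,
    "META-INF/ECLIPSE_.SF": b"Signature-Version: 1.0\n",
    "META-INF/ECLIPSE_.RSA": b"\x30\x82(constructed signature block)",
    "org/example/A.class": CLASS_BYTES,
})
TAMPERED = build_jar({
    "META-INF/MANIFEST.MF": SIGNED_MANIFEST,
    "META-INF/ECLIPSE_.SF": b"Signature-Version: 1.0\n",
    "META-INF/ECLIPSE_.RSA": b"\x30\x82(constructed signature block)",
    "org/example/A.class": CLASS_BYTES + b"\x01",  # payload changed: must NOT pass
})

if __name__ == "__main__":
    now = parse_report_date("Mon Oct 28 16:22:00 GMT 2019")  # date of the quoted mail
    for bundle in expired_bundles(parse_report(SAMPLE_REPORT), now):
        print("expired signer:", bundle)
    print("re-signed payload unchanged:", same_payload(ORIGINAL, RESIGNED))
    print("tampered payload unchanged:", same_payload(ORIGINAL, TAMPERED))
```

On a real installation the validity dates come from the signature block itself (for instance `jarsigner -verify -verbose -certs <bundle>.jar`), so the parser above would be pointed at whatever report that tooling prints; the payload comparison needs no tooling beyond the two jar files. Running the block as a script lists `org.w3c.dom.smil_1.0.1.v200903091627` as expired at the date of the mail, reports the re-signed jar as unchanged, and reports the tampered jar as changed.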
