Re: [p2-dev] Galileo mirroring problem. [SOLUTION]

The problem was threefold:
1. Buckminster uses its own Pack200 implementation and the Java Pack200.Packer has two methods:


 pack(JarInputStream input, OutputStream out);
 pack(JarFile input, OutputStream out);

The former obtains the Manifest from the JarInputStream.getManifest() method and then writes it back. During that flow the parser/writer seems to change a byte or two in the manifest itself. The consequence of using this pack method is that the manifest digest is no longer valid in some respects, which brings us to problem #2.

2. The default jarsigner at build.eclipse.org is an old 1.4.2 version. Apparently it doesn't check the manifest digest. Hence my confusion that the unpacked jars seemed valid.

3. The OSGi SignatureVerifier doesn't discover the invalid manifest when using an IBM J9 Java 6. I haven't been able to pinpoint why that is. The Java 5 version always fails and so does a Sun Java 6 on other machines.

The solution was to change Buckminster's jarpacker to use the other Packer.pack() method. A bit unfortunate since it broke an otherwise very efficient pipe scheme. But I can live with that :-)

Thanks for your help and support. I added some suggestions on how to improve the way we handle pack200 on
https://bugs.eclipse.org/bugs/show_bug.cgi?id=275533


Regards,
Thomas Hallgren
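
The effect described in point 1, as an added example that is not part of the original message or of Buckminster's code: parsing a manifest with java.util.jar.Manifest and writing it back keeps the attributes but not the bytes, so a digest taken over the signed manifest no longer matches. The manifest content is constructed, and LF-only line endings are just one assumed way to trigger a difference; the message does not say which bytes changed in the Galileo jars.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.jar.Manifest;

public class ManifestRoundTrip {
    // Base64 SHA-256, the form a signature file records for the whole manifest.
    static String digest(byte[] data) throws Exception {
        return Base64.getEncoder().encodeToString(
                MessageDigest.getInstance("SHA-256").digest(data));
    }

    // Parse and re-serialize, as happens when a manifest is obtained from
    // JarInputStream.getManifest() and then written back out.
    static byte[] roundTrip(byte[] original) throws Exception {
        Manifest mf = new Manifest(new ByteArrayInputStream(original));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        mf.write(out);
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed manifest: valid, but written with LF-only line endings.
        byte[] signed = ("Manifest-Version: 1.0\n"
                + "Bundle-SymbolicName: org.example.bundle\n"
                + "\n"
                + "Name: org/example/A.class\n"
                + "SHA-256-Digest: constructed-placeholder-value\n"
                + "\n").getBytes(StandardCharsets.UTF_8);
        byte[] rewritten = roundTrip(signed);

        // The parsed attributes are identical, so the jars look equivalent...
        boolean sameContent = new Manifest(new ByteArrayInputStream(signed))
                .equals(new Manifest(new ByteArrayInputStream(rewritten)));
        System.out.println("logically equal:  " + sameContent);

        // ...but Manifest.write() emits CRLF line endings, so the bytes and
        // therefore the whole-manifest digest are different.
        System.out.println("bytes before/after: " + signed.length + "/" + rewritten.length);
        System.out.println("signed digest:    " + digest(signed));
        System.out.println("rewritten digest: " + digest(rewritten));
        System.out.println("manifest digest still matches: "
                + digest(signed).equals(digest(rewritten)));
    }
}
```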