[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [cbi-dev] [cross-project-issues-dev] CBI Maven plugins 1.1.3-SNAPSHOT

Hi Kaloyan,

I am glad you're enthusiastic about the new release. See my responses below.

Le 7 dÃc. 2015 Ã 10:41, Kaloyan Raev <kaloyan.r@xxxxxxxx> a Ãcrit :

Hi Mikael,

I am very excited about the digestAlgorithm option because I hope it can be the solution for Eclipse Bug 378155 [1]. The issue is that the plugins which are signed with the eclipse-jarsigner-plugin cannot be installed on Eclipse Indigo and earlier. I tried to use the TestServer to see if I can sign the plugins with SHA-1 so they can be successfully installed on Eclipse Indigo, but I've hit some roadblocks.

1. The full qualified class name must be provided in the command, i.e. org.eclipse.cbi.webservice.signing.jar.TestServer. This was easy to resolve.

You're right, I mistakenly wrote the unqualified name "TestServer" in my previous mail. Sorry about that.


2. I get a NullPointerException when starting the Test Server. I looked at the source code to find that this is due to missing HTTP_PROXY environment variable on my system. My system has a direct Internet connection, so it does not make sense to define such variables. I had to checkout the code, comment some lines and run it from Eclipse to resolve this issue.

Could you please give me the stack trace? Or even better, could you submit a patch through gerrit?


3. The signing with the Test Server is very slow. It takes around a minute to sign a single jar file. My CPU is not utilized at all. I have no solution for this.

Did you try to do it manually with the jarsigner command? Does it work faster? 


4. I tried using the SHA_1 digest algorithm, but the result is not the same as the JAR being signed with Java 6. I have "SHA-1-Digest" headers in he MANIFEST.MF file instead of "SHA1-Digest". Note the extra dash. So, the installation of these plugins on Eclipse Indigo is still not successful. I did not find a valid configuration for the digestAlgorithm option to get the correct "SHA1-Digest" header. I tried with SHA1, but I got an error that it is not a valid value.

You're right, Java 6 signs with the "SHA1-Digest" while Java 7 and later signs with "SHA-1-Digest". I've seen this difference, but Java 7+ accepts both. Unfortunately, I did not try with Java 6. Could you try to run (Java 6 version of) jarsigner -verify on the plugin with the "SHA-1-Digest" headers and give me the output? Thanks.


I hope you can give me some hints how I can use version 1.1.3-SNAPSHOT to sign the plugins in a way that they can be installed successfully on Eclipse Indigo.

We will make sure it works properly that way with this release. Please note that the jarsigner service @ eclipse is still not aware of this option. It will be available bug https://bugs.eclipse.org/bugs/show_bug.cgi?id=458597 will be resolved (which has slipped away a bit, but is still planned before end of Q4)

Cheers,
Mikael

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail