Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [cbi-dev] [cross-project-issues-dev] CBI Maven plugins 1.1.3-SNAPSHOT

Hi,

Just an update about our progress with Mikael.

We've been working on https://bugs.eclipse.org/bugs/show_bug.cgi?id=483881

A new "signatureAlgorithm" option is introduced along with the "digestAlgorithm". This way the following configuration is possible for the eclipse-jarsigner-plugin:

<configuration>
<digestAlgorithm>SHA1</digestAlgorithm>
<signatureAlgorithm>SHA1withRSA</signatureAlgorithm>
</configuration>

This will produce the same signature as if the signing service used Java 6. This will make it possible for Eclipse projects, that deliver releases that are still compatible with Indigo and earlier, to use the CBI for the jar signing.

In order to use the above improvement we need to wait for the new version of the signing service to be deployed - watch https://bugs.eclipse.org/bugs/show_bug.cgi?id=458597 for the progress. Once this is done, I will adopt this improvement for the Andmore project.

Greetings,
Kaloyan

On Mon, Dec 7, 2015 at 9:58 PM, Kaloyan Raev <kaloyan.r@xxxxxxxx> wrote:
Hi again,

I did some more experiments (now I can run my build faster).

I looked at the PKCS7Processor source code and saw that in Indigo it supports SHA1, MD5 and MD2 digest algorithms. So, I tried signing with MD5. I got correct MD5-Digest headers in the Manifest files. But then, when I tried installing the plugins in Indigo, I've got again No algorithm found for 2.16.840.1.101.3.4.2.1. These number stand for the SHA256 algorithm. So I was quite puzzled...

Then I decided to change also the signature algorithm to "MD5withRSA" using the jarsigner's "-sigalg" option. This time it worked!

I still don't understand what exactly is going on. It seems I've just had a lucky shot in the dark.
Anyway, it seems that introducing "signatureAlgorithm" option for the eclipse-jarsigner-plugin would be helpful too.

Greetings,
Kaloyan

On Mon, Dec 7, 2015 at 6:27 PM, Kaloyan Raev <kaloyan.r@xxxxxxxx> wrote:
Hi Mikael,

Here is the stack trace:

!ENTRY org.eclipse.equinox.p2.engine 4 4 2015-12-07 16:51:50.210
!MESSAGE An error occurred while collecting items to be installed
!SUBENTRY 1 org.eclipse.equinox.p2.engine 4 0 2015-12-07 16:51:50.210
!MESSAGE session context was:(profile="" phase=org.eclipse.equinox.internal.p2.engine.phases.Collect, operand=, action="">
!SUBENTRY 1 org.eclipse.equinox.p2.artifact.repository 4 0 2015-12-07 16:51:50.210
!MESSAGE Problems downloading artifact: osgi.bundle,org.eclipse.andmore,0.5.0.201512071444.
!SUBENTRY 2 org.eclipse.equinox.p2.artifact.repository 4 0 2015-12-07 16:51:50.210
!MESSAGE Error reading signed content:/tmp/signatureFile8943778048959317435.jar
!STACK 0
java.security.NoSuchAlgorithmException: An error occurred while processing the signatures for the file: /tmp/signatureFile8943778048959317435.jar
at org.eclipse.osgi.internal.signedcontent.SignedBundleHook.getSignedContent(SignedBundleHook.java:264)
at org.eclipse.equinox.internal.p2.artifact.repository.SignatureVerifier.verifyContent(SignatureVerifier.java:77)
at org.eclipse.equinox.internal.p2.artifact.repository.SignatureVerifier.verify(SignatureVerifier.java:59)
at org.eclipse.equinox.internal.p2.artifact.repository.SignatureVerifier.close(SignatureVerifier.java:100)
at org.eclipse.equinox.internal.p2.artifact.repository.simple.SimpleArtifactRepository.reportStatus(SimpleArtifactRepository.java:1132)
at org.eclipse.equinox.internal.p2.artifact.repository.simple.SimpleArtifactRepository.downloadArtifact(SimpleArtifactRepository.java:570)
at org.eclipse.equinox.internal.p2.artifact.repository.simple.SimpleArtifactRepository.getArtifact(SimpleArtifactRepository.java:680)
at org.eclipse.equinox.internal.p2.artifact.repository.MirrorRequest.getArtifact(MirrorRequest.java:260)
at org.eclipse.equinox.internal.p2.artifact.repository.MirrorRequest.transferSingle(MirrorRequest.java:235)
at org.eclipse.equinox.internal.p2.artifact.repository.MirrorRequest.transfer(MirrorRequest.java:191)
at org.eclipse.equinox.internal.p2.artifact.repository.MirrorRequest.perform(MirrorRequest.java:122)
at org.eclipse.equinox.internal.p2.artifact.repository.simple.SimpleArtifactRepository.getArtifact(SimpleArtifactRepository.java:664)
at org.eclipse.equinox.internal.p2.artifact.repository.simple.SimpleArtifactRepository.getArtifacts(SimpleArtifactRepository.java:735)
at org.eclipse.equinox.internal.p2.engine.DownloadManager.fetch(DownloadManager.java:110)
at org.eclipse.equinox.internal.p2.engine.DownloadManager.start(DownloadManager.java:99)
at org.eclipse.equinox.internal.p2.engine.phases.Collect.completePhase(Collect.java:76)
at org.eclipse.equinox.internal.p2.engine.Phase.postPerform(Phase.java:216)
at org.eclipse.equinox.internal.p2.engine.Phase.perform(Phase.java:84)
at org.eclipse.equinox.internal.p2.engine.PhaseSet.perform(PhaseSet.java:44)
at org.eclipse.equinox.internal.p2.engine.Engine.perform(Engine.java:75)
at org.eclipse.equinox.internal.p2.engine.Engine.perform(Engine.java:44)
at org.eclipse.equinox.p2.operations.ProvisioningSession.performProvisioningPlan(ProvisioningSession.java:174)
at org.eclipse.equinox.p2.operations.ProfileModificationJob.runModal(ProfileModificationJob.java:79)
at org.eclipse.equinox.p2.operations.ProvisioningJob.run(ProvisioningJob.java:177)
at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
Caused by: java.security.NoSuchAlgorithmException: No algorithm found for 2.16.840.1.101.3.4.2.1
at org.eclipse.osgi.internal.signedcontent.PKCS7Processor.findDigest(PKCS7Processor.java:87)
at org.eclipse.osgi.internal.signedcontent.PKCS7Processor.processSignerInfos(PKCS7Processor.java:311)
at org.eclipse.osgi.internal.signedcontent.PKCS7Processor.<init>(PKCS7Processor.java:133)
at org.eclipse.osgi.internal.signedcontent.SignatureBlockProcessor.processSigner(SignatureBlockProcessor.java:93)
at org.eclipse.osgi.internal.signedcontent.SignatureBlockProcessor.process(SignatureBlockProcessor.java:59)
at org.eclipse.osgi.internal.signedcontent.SignedBundleFile.setBundleFile(SignedBundleFile.java:47)
at org.eclipse.osgi.internal.signedcontent.SignedBundleHook.getSignedContent(SignedBundleHook.java:256)
... 24 more

Kaloyan

On Mon, Dec 7, 2015 at 6:21 PM, Mikael Barbero <mikael@xxxxxxxxxxx> wrote:
 
3. The signing with the Test Server is very slow. It takes around a minute to sign a single jar file. My CPU is not utilized at all. I have no solution for this.

Did you try to do it manually with the jarsigner command? Does it work faster? 

As far as I can see the slow part is the communication to the timestamp server. I guess for me it is significantly slower than for you. I would suggest to have an option for the to switch the signing with timestamp off. Just for the test server.

I've accepted your patch for this one too. Thanks for your contributions.

 
4. I tried using the SHA_1 digest algorithm, but the result is not the same as the JAR being signed with Java 6. I have "SHA-1-Digest" headers in he MANIFEST.MF file instead of "SHA1-Digest". Note the extra dash. So, the installation of these plugins on Eclipse Indigo is still not successful. I did not find a valid configuration for the digestAlgorithm option to get the correct "SHA1-Digest" header. I tried with SHA1, but I got an error that it is not a valid value.

You're right, Java 6 signs with the "SHA1-Digest" while Java 7 and later signs with "SHA-1-Digest". I've seen this difference, but Java 7+ accepts both. Unfortunately, I did not try with Java 6. Could you try to run (Java 6 version of) jarsigner -verify on the plugin with the "SHA-1-Digest" headers and give me the output? Thanks.

Here it is:

/usr/lib/jvm/java-6-openjdk-amd64/bin/jarsigner -verify /home/raev/git/andmore/andmore-core/site/target/repository/plugins/org.eclipse.andmore.android_0.5.0.201512071444.jar
jar verified.

Warning: 
This jar contains entries whose signer certificate will expire within six months. 

Re-run with the -verbose and -certs options for more details.

So it seems that the issue is not Java, the issue with "SHA-1-Digest" is in Equinox only. Do you have a stack trace or error message when you try to install the signed plugin in Indigo? Thanks again.

Cheers,
Mikael

_______________________________________________
cbi-dev mailing list
cbi-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/cbi-dev




Back to the top