Re: [cbi-dev] Signing service configuration

Hi Mikael,

On 09.03.2016 at 11:14, Mikaël Barbero <mikael@xxxxxxxxxxx> wrote:

Hi,

Andreas is right about the 8 characters naming scheme. The plain jarsigner lets you specify a name different from the alias of the certificate in the keystore, so you would like an option to specify a different sigFile for each of your bundles, right?
Only in cases I need to do so. We have 3 runtime libraries that could be used in an android app.


Can you explain a little bit more why you get complaints about "duplicate classpath entries"? My understanding is that you basically merge several jar files into a single file (apk), right? And as you have some files within the jars that have the same path, it fails during the merge. I understand you had the issue with about.html. What about META-INF/MANIFEST.MF? I suppose the task handles it in a specific way.
I'm not very familiar with Android packaging, but I recall that META-INF/MANIFEST.MF is the only exception to the "duplicate resource" constraint. I found a Maven apk packaging plugin that has an option to ignore duplicates; this seems not to be possible using Gradle or in Android Studio.


If it does not handle the fact that two jars have been signed with the same certificate alias name, it sounds just wrong. The "android" task should handle the signature file and the signature block specifically, and if it does not, there is no advantage to including them in the uber-archive and you should just ignore them as https://github.com/tobykurien/Xtendroid/issues/114 proposes.
Yes, I also think the apk packager should handle this. I'm not an Android developer, so I'm not sure what the right solution is.

What will you do if you include two jars from Orbit and you again face the issue because they both have 'META-INF/ECLIPSE_.RSA' and 'META-INF/ECLIPSE_.SF'?
We have only the 3 library jars that we produce and that could/should be used in android: o.e.xtend.lib, o.e.xtend.macro.lib and o.e.xbase.lib. If someone needs other 3rd party libs, e.g. guava, they will fetch them from the maven central, so orbit is out of scope.
 
Finally, I think it is pointless to include the .SF and .RSA in the resulting APK if they are not used to check the signatures at loading time…
That is up to users to decide what to do with the resulting apk file. I think there should be a signing service for the android apps.

Thanks for your reply and best regards,
Dennis.


Mikael

On 9 March 2016 at 10:33, Dennis Hübner <dennis.huebner@xxxxxxxxx> wrote:

Hi Andreas,
many thanks for the explanation; I was not aware of the naming scheme.
The name ECLIPSE_* already looked strange to me, now I know why it is like it is.
I found the following regarding the signature file name [1]:


I wonder if we could extend eclipse-jarsigner-plugin [2] to simply bypass such an option to the signing service.

Best regards,
Dennis



On 09.03.2016 at 10:06, Andreas Sewe <andreas.sewe@xxxxxxxxxxxxxx> wrote:

Hi Dennis,

Now we face a new problem in an android environment. [1]
Android complains about duplicate classpath entries, except for META-INF/MANIFEST.MF.
In our case these are now:
'META-INF/ECLIPSE_.RSA'
'META-INF/ECLIPSE_.SF'

We already solved the same problem with about.html [2] but can't solve the new issue on our side.
So my question is, would it be possible to tell the signing webservice (using the cbi maven signing plugin config) what file name it should use for
.RSA and .SF files? I was thinking about a similar approach as with about.html

ECLIPSE_<bundle.id>_.RSA
ECLIPSE_<bundle.id>_.SF

That naming scheme won't be possible, as the name of those files always
has to be 8 characters long.

That being said, the name is (if you use plain jarsigner, at least)
derived from the key's alias in the keystore. Maybe you are able to
configure the signing service to use a key with a different alias.

Hope that helps already. (If not, I'm sure there's someone more
knowledgeable on this list.)

Andreas

--
Codetrails GmbH
The knowledge transfer company

Robert-Bosch-Str. 7, 64293 Darmstadt
Phone: +49-6151-276-7092
Mobile: +49-170-811-3791
http://www.codetrails.com/

Managing Director: Dr. Marcel Bruch
Handelsregister: Darmstadt HRB 91940
_______________________________________________
cbi-dev mailing list
cbi-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/cbi-dev

Best regards,
Dennis Hübner

Best regards,
Dennis Hübner

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
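
The collision discussed in this thread, as an added example that is not part of the original messages or of the CBI tooling: a pre-merge check that lists signature entries shared by several jars, with the base name derived the way jarsigner documents its default when no -sigfile is given (first 8 characters of the alias, uppercased, other characters replaced by an underscore). The aliases, the jar file names and the placeholder signature contents are constructed for illustration.

```python
import io
import re
import zipfile
from collections import defaultdict

SIG_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")  # signature file and block types

def sigfile_base(alias):
    """jarsigner default when -sigfile is not given: first 8 characters of the
    alias, uppercased, anything outside A-Z 0-9 _ - replaced by an underscore."""
    return re.sub(r"[^A-Z0-9_-]", "_", alias[:8].upper())

def build_jar(alias):
    """Constructed sample jar: a manifest plus a placeholder .SF/.RSA pair."""
    base, buf = sigfile_base(alias), io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(f"META-INF/{base}.SF", "Signature-Version: 1.0\n")
        zf.writestr(f"META-INF/{base}.RSA", b"placeholder, not a real signature")
    return buf.getvalue()

def signature_collisions(jars):
    """Return {entry: [jar names]} for signature entries found in more than one
    jar. META-INF/MANIFEST.MF is never reported; the thread names it as the one
    tolerated duplicate."""
    owners = defaultdict(list)
    for name, data in jars.items():
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for entry in zf.namelist():
                if entry.startswith("META-INF/") and entry.upper().endswith(SIG_SUFFIXES):
                    owners[entry].append(name)
    return {e: sorted(j) for e, j in owners.items() if len(j) > 1}

# Constructed file names for the three libraries mentioned in the thread.
LIBS = ["o.e.xtend.lib.jar", "o.e.xtend.macro.lib.jar", "o.e.xbase.lib.jar"]
# Hypothetical aliases: one shared key alias versus one alias per library.
shared = {lib: build_jar("eclipse.org") for lib in LIBS}
per_lib = {lib: build_jar(a) for lib, a in zip(LIBS, ["xtendlib", "xtendmac", "xbaselib"])}

if __name__ == "__main__":
    for label, jars in (("shared alias", shared), ("alias per library", per_lib)):
        print(label, signature_collisions(jars) or "no colliding signature entries")
```
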

