Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[cross-project-issues-dev] Hints, tips and reminders for consuming Orbit bundles for M5 and SR2

The observant will notice there are two recent "stable" Orbit builds:

S20090202130207 Mon, 2 Feb 2009 -- 13:02 (UTC)
S20090124200431 Sat, 24 Jan 2009 -- 20:04 (UTC)

They are identical, except for the certificate that was used to sign the bundles.
So, this one-time only, you can use either of these Orbit builds for M5.
Some people may find it easier to use the older, 1/24/2009 build to avoid some apparently common build problems,
which honestly only pop up now because we've managed to mix, fix, and remix certificates during M5 week.

Of course, most of the time we recommend that everyone get same, and most recent Orbit build for coordinated builds.

And, that's still fine if you have a well working build that does not "accidentally" re-sign bundles from Orbit.
[I say "accidentally" since, in theory, none of us should re-sign bundles from Orbit, to save processing, but, since it normally works fine to resign, some of us have let some cases slip through.]
If you do "accidentally" re-sign some bundle from Orbit, then in some few cases for some certain bundles (such as those with nested jars), we've found that re-signing the bundle with a different certificate "breaks" the first signing and the jar will appear to have an invalid security signature. One option, if you find a problem, is to fix your build so you don't re-sign anything. But, if you are like me :) you might find it easier just to "do things like we always have" for the deadline and fix the problems later.

Now, don't panic ... it might be fine if you mix certificates, but you should explicitly use
jarsigner -verify
on each of your bundles to make sure they are valid when you are done with them.

Our follies have been well documented in bug 252879 for those that are interested.
https://bugs.eclipse.org/bugs/show_bug.cgi?id=252879
To summarize, the official certificate used for Eclipse signing has changed a few times in the past week, We've produced Orbit builds for each, and some projects (building several days ago) have used a new-certificate version, but if you build and sign _now_ you will get the old certificate from Eclipse -- the certificate was "reverted" in preparation for SR2 builds -- so you might find it easier to use the old certificate versions from Orbit for M5. We'll get it straight for M6.

Now, the good news ... for SR2, everything should just continue as it has, just be sure to use the most recent recommended bundle, which is the same as used for SR1:

R20080807152315 Thu, 7 Aug 2008 -- 15:23 (UTC)

I fear my long note is more complicated than the original problem its trying to proactively solve, so feel free to ask questions if needed ...
or, just ignore this note, as long as you are happy with the results from jarsigner -verify.

Thanks,

Back to the top