| [cross-project-issues-dev] Problems with signed jars on deployed p2 repositories |
| We are facing problems with signed jars in Xtext repositories [1] that fail the jarsigner's verification. The problem was initially reported in bug#533359 [2]. Initially it seemed that a specific Orbit library, org.antlr.runtime, was affected, but running jarsigner -verify -strict on Xtext’s whole composite repository, and there are multiple other jars suffering the same problem. I created a job on Xtext’s JIPP that lists result of jarsigner: [3] With additional verbosity of jarsigner’s output the following entries are printed (full text in [1], comment#20) [certificate is valid from 1/29/96 1:00 AM to 8/2/28 1:59 AM]
[CertPath not validated: Algorithm constraints check failed: MD2withRSA]So how can this be? I’m not familiar with the details behind. And how could this be fixed? Do we have to sign again all jars? How do we come to valid repositories again? Do other projects have similar problems? Kind regards, ~Karsten |