Hi, David M Williams wrote: > But since there is a "bad" one out there (in Orbit, at least) with the > same version, I was suggesting to verify if it was in your project > repositories to make sure you had the good one. > > If it is the good one, you get "jar verified" as above. > > If it is "the bad one" it will be pretty obvious: > > $ jarsigner -verify > org.apache.httpcomponents.httpclient_4.3.6.v201411290715.jar > jarsigner: java.lang.SecurityException: SHA1 digest error for > org/apache/http/client/cache/HttpCacheEntry.class
FWIW, I just found out that only the plain JAR in Orbit is "bad"; the JAR.pack.gz is not, i.e., it unpack200s to a JAR that verifies just fine [1]. If your build prefers pack200ed JARs over plain JARs, you should get a "good" JAR from Orbit, but of course it's better to double-check what you are distributing exactly. Best wishes, Andreas [1] <https://bugs.eclipse.org/bugs/show_bug.cgi?id=487833#c12> -- Codetrails GmbH The knowledge transfer company Robert-Bosch-Str. 7, 64293 Darmstadt Phone: +49-6151-276-7092 Mobile: +49-170-811-3791 http://www.codetrails.com/ Managing Director: Dr. Marcel Bruch Handelsregister: Darmstadt HRB 91940 _______________________________________________ cross-project-issues-dev mailing list [email protected] To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev
