Hi,This seems strangely reminiscent of https://bugs.eclipse.org/bugs/show_bug.cgi?id=458925 . Though it was the reverse, the jar file was good but the pack200 was not.
That time was affecting orbit too. We might want to have a script running to check the signatures over there with each build?
Laurent Goubet Obeo On 16/02/2016 16:48, Andreas Sewe wrote:
Hi, David M Williams wrote:But since there is a "bad" one out there (in Orbit, at least) with the same version, I was suggesting to verify if it was in your project repositories to make sure you had the good one. If it is the good one, you get "jar verified" as above. If it is "the bad one" it will be pretty obvious: $ jarsigner -verify org.apache.httpcomponents.httpclient_4.3.6.v201411290715.jar jarsigner: java.lang.SecurityException: SHA1 digest error for org/apache/http/client/cache/HttpCacheEntry.classFWIW, I just found out that only the plain JAR in Orbit is "bad"; the JAR.pack.gz is not, i.e., it unpack200s to a JAR that verifies just fine [1]. If your build prefers pack200ed JARs over plain JARs, you should get a "good" JAR from Orbit, but of course it's better to double-check what you are distributing exactly. Best wishes, Andreas [1] <https://bugs.eclipse.org/bugs/show_bug.cgi?id=487833#c12>
-- *Laurent Goubet* Consultant +33 2 51 13 51 42 <http://www.obeo.fr/> 7 Boulevard Ampère - Carquefou - France*obeo.fr* <http://www.obeo.fr/> | *twitter* <https://twitter.com/obeo_corp> | *linkedin* <https://www.linkedin.com/company/obeo>
<<attachment: laurent_goubet.vcf>>
_______________________________________________ cross-project-issues-dev mailing list [email protected] To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev
