We are facing problems with signed jars in Xtext repositories [1] that fail the
jarsigner's verification. The problem was initially reported in bug#533359 [2].
Initially it seemed that a specific Orbit library, org.antlr.runtime, was
affected, but after running
jarsigner -verify -strict
on Xtext’s whole composite repository, there are multiple other jars
suffering the same problem. I created a job on Xtext’s JIPP that lists the
result of jarsigner: [3]
With additional verbosity of jarsigner’s output, the following entries are
printed (full text in [1], comment#20):
[certificate is valid from 1/29/96 1:00 AM to 8/2/28 1:59 AM]
[CertPath not validated: Algorithm constraints check failed: MD2withRSA]
So how can this be? I’m not familiar with the details behind this.
And how could this be fixed? Do we have to sign all jars again? How do we get
to valid repositories again?
Do other projects have similar problems?
Kind regards,
~Karsten
[1] http://download.eclipse.org/modeling/tmf/xtext/updates/composite/releases/
[2] https://bugs.eclipse.org/bugs/show_bug.cgi?id=533359
[3] https://ci.eclipse.org/xtext/job/xtext-jarsigner-verify/3/consoleFull
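The repository-wide check described in the message, as an added example that is not part of the original mail or of the Xtext job: it runs jarsigner over every jar under a directory and extracts the rejected signature algorithm and certificate validity window from the two verbose lines quoted above. It assumes "additional verbosity" means jarsigner's -verbose and -certs options; the function names and the sample text are constructed for illustration.

```python
import re
import subprocess
import sys
from pathlib import Path

# Patterns for the two verbose jarsigner lines quoted in the message.
CONSTRAINT_RE = re.compile(
    r"\[CertPath not validated: Algorithm constraints check failed: ([^\]]+)\]")
VALIDITY_RE = re.compile(r"\[certificate is valid from (.+?) to (.+?)\]")


def triage(output):
    """Summarise the verbose jarsigner output captured for one jar."""
    rejected = sorted({m.strip() for m in CONSTRAINT_RE.findall(output)})
    windows = sorted(set(VALIDITY_RE.findall(output)))
    return {"rejected_algorithms": rejected,
            "validity_windows": windows,
            "ok": not rejected}


def scan(repo_dir):
    """Run jarsigner on every jar below repo_dir (needs a JDK on PATH)."""
    results = {}
    for jar in sorted(Path(repo_dir).rglob("*.jar")):
        proc = subprocess.run(
            ["jarsigner", "-verify", "-strict", "-verbose", "-certs", str(jar)],
            capture_output=True, text=True)
        summary = triage(proc.stdout + proc.stderr)
        # Under -strict a non-zero exit may reflect warnings not parsed here.
        summary["exit_code"] = proc.returncode
        summary["ok"] = summary["ok"] and proc.returncode == 0
        results[str(jar)] = summary
    return results


# Constructed sample: the two lines quoted in the message, and a clean result.
SAMPLE_BAD = """\
      [certificate is valid from 1/29/96 1:00 AM to 8/2/28 1:59 AM]
      [CertPath not validated: Algorithm constraints check failed: MD2withRSA]
"""
SAMPLE_GOOD = "jar verified.\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for jar, s in scan(sys.argv[1]).items():
            if not s["ok"]:
                print(jar, s["exit_code"], ",".join(s["rejected_algorithms"]))
    else:
        print(triage(SAMPLE_BAD))
```

Run against a local mirror of the update site, it prints one line per failing jar with the exit code and the algorithm that the certificate path check rejected.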
_______________________________________________
cross-project-issues-dev mailing list