[
http://jira.codehaus.org/browse/MWEBSTART-125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=216253#action_216253
]
Keith D. Winkler edited comment on MWEBSTART-125 at 3/31/10 4:03 PM:
---------------------------------------------------------------------
I'll provided detailed analysis in the hopes that it will encourage someone to
apply the small patch already provided by Nicolas.
----------------------------------------------
BUG DESCRIPTION
----------------------------------------------
SYNOPSIS: The webstart plugin produces invalid signatures for some packed jars.
It is not evident that the signature is invalid, for a particular packed jar,
until webstart clients in production reject the signature. Consequently this is
a MAJOR bug. However, this is due to a bug in Pack200, and there is a very easy
fix which can be implement in the webstart plugin as a work around.
We ran into this build with the a jar from the widely used project Apache CXF.
Our webstart plugin makes available the following:
cxf-bundle-minimal-2.2.4.jar
cxf-bundle-minimal-2.2.4.jar.pack.gz
And the signature on the second in invalid.
NOTE: the webstart plugin IS property normalizing as required for packed signed
jars ((a) Pack200 (b) Unpack200 (c) Sign (d) Pack200) but due to bugs in
Pack200 this does not work for all classes. Below is a very simple suggested
work around.
The Pack200.exe bug is described here:
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=5078608 and elsewhere. Users
report encountering the bug with several recent releases of Java. In my case
1.6u11.
----------------------------------------------
HOW TO RELIABLY REPRODUCE
----------------------------------------------
(1) Build the attached maven project. mvn install. The build produces these two
files:
/module-war/target/jnlp/
cxf-bundle-minimal-2.2.4.jar.pack.gz
cxf-bundle-minimal-2.2.4.jar
(2) Verify the signature on the unpacked jar:
$ jarsigner --verify cxf-bundle-minimal-2.2.4.jar RESULT:
jar verified.
(3) rm -rf cxf-bundle-minimal-2.2.4.jar
(4) Unpack the packed: unpack200 cxf-bundle-minimal-2.2.4.jar.pack.gz
cxf-bundle-minimal-2.2.4.jar
(5) Attempt to verify the signature on the packed. RESULT:
$ jarsigner --verify cxf-bundle-minimal-2.2.4.jar
jarsigner: java.lang.SecurityException: SHA1 digest error for
org/apache/cxf/ws/rm/manager/DeliveryAssuranceType$AtLeastOnce.class
----------------------------------------------
SOLUTION
----------------------------------------------
Add the following at line 57 of Pack200.java
packTask.setSegmentLimit("-1");
----------------------------------------------
SOLUTION TESTING AND ANALYSIS
----------------------------------------------
I have tested this solution in production for 6+ months building in a webapps
that serves 50+ webstart apps used by thousands of people.
setSegmentLimit(-1) causes the entire jar content to be packaged in a single
compression/pack segment. Segments are loaded entirely into memory during
decompression; so the only time when this is undesirable is when the jar file
is significantly larger than the available heap. For example, a 20MB jar file
targeted to a java mobile platform.
This solution is also suggested in "Java IO, 2nd Edition-- 2006 O'Reily,
Pack200 section, page 210".
----------------------------------------------
POSSIBLY RELATED OPEN BUGS
----------------------------------------------
MWEBSTART-2: Pack200 shouldn't effect the original jar files.
I think the problem here is that the UNPACKED jar being generated in
target/jnlp is not simply the maven repository jar plus signature, as one would
expect, but is the NORMALIZED unpacked jar resulting from the pack200
normalization process. This is indeed unintuitive behavior and should be fixed,
if possible. The above suggested fix has no impact on this bug.
MWEBSTART-142: support of repack with pack200 before signing
I believe the author was having the same problem as I, though his description
seems to suggest that he didn't realize that the plugin is already re-packing
(normalizing) the jars. If my change is applied I believe this bug can also be
closed.
was (Author: keith.winkler):
I'll provided detailed analysis in the hopes that it will encourage someone
to apply the small patch already provided by Nicolas.
----------------------------------------------
BUG DESCRIPTION
----------------------------------------------
SYNOPSIS: The webstart plugin produces invalid signatures for some packed jars.
It is not evident that the signature is invalid, for a particular packed jar,
until webstart clients in production reject the signature. Consequently this is
a MAJOR bug. However, this is due to a bug in Pack200, and there is a very easy
fix which can be implement in the webstart plugin as a work around.
We ran into this build with the a jar from the widely used project Apache CXF.
Our webstart plugin makes available the following:
cxf-bundle-minimal-2.2.4.jar
cxf-bundle-minimal-2.2.4.jar.pack.gz
And the signature on the second in invalid.
NOTE: the webstart plugin IS property normalizing as required for packed signed
jars ((a) Pack200 (b) Unpack200 (c) Sign (d) Pack200) but due to bugs in
Pack200 this does not work for all classes. Below is a very simple suggested
work around.
The Pack200.exe bug is described here:
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=5078608 and elsewhere. Users
report encountering the bug with several recent releases of Java. In my case
1.6u11.
----------------------------------------------
HOW TO RELIABLY REPRODUCE
----------------------------------------------
(1) Build the attached maven project. mvn install. The build produces these two
files:
/module-war/target/jnlp/
cxf-bundle-minimal-2.2.4.jar.pack.gz
cxf-bundle-minimal-2.2.4.jar
(2) Verify the signature on the unpacked jar:
$ jarsigner --verify cxf-bundle-minimal-2.2.4.jar RESULT:
jar verified.
(3) rm -rf cxf-bundle-minimal-2.2.4.jar
(4) Unpack the packed: unpack200 cxf-bundle-minimal-2.2.4.jar.pack.gz
cxf-bundle-minimal-2.2.4.jar
(5) Attempt to verify the signature on the packed. RESULT:
$ jarsigner --verify cxf-bundle-minimal-2.2.4.jar
jarsigner: java.lang.SecurityException: SHA1 digest error for
org/apache/cxf/ws/rm/manager/DeliveryAssuranceType$AtLeastOnce.class
----------------------------------------------
SOLUTION
----------------------------------------------
Add the following at line 57 of Pack200.java
packTask.setSegmentLimit("-1");
----------------------------------------------
SOLUTION TESTING AND ANALYSIS
----------------------------------------------
I have tested this solution in production for 6+ months building in a webapps
that serves 50+ webstart apps used by thousands of people.
setSegmentLimit(-1) causes the entire jar content to be packaged in a single
compression/pack segment. Segments are loaded entirely into memory during
de-compression--so the only time when this is undesirable is when the jar file
is significantly larger than the available heap. For example, a 20MB jar file
targeted to a java mobile platform.
This solution is also suggested in "Java IO, 2nd Edition-- 2006 O'Reily,
Pack200 section, page 210".
----------------------------------------------
POSSIBLY RELATED OPEN BUGS
----------------------------------------------
MWEBSTART-2: Pack200 shouldn't effect the original jar files.
I think the problem here is that the UNPACKED jar being generated in
target/jnlp is not simply the maven repository jar plus signature, as one would
expect, but is the NORMALIZED unpacked jar resulting from the pack200
normalization process. This is indeed unintuitive behavior and should be fixed,
if possible. The above suggested fix has no impact on this bug.
MWEBSTART-142: support of repack with pack200 before signing
I believe the author was having the same problem as I, though his description
seems to suggest that he didn't realize that the plugin is already re-packing
(normalizing) the jars. If my change is applied I believe this bug can also be
closed.
> option to enable one of the workarounds for bug 5078608
> -------------------------------------------------------
>
> Key: MWEBSTART-125
> URL: http://jira.codehaus.org/browse/MWEBSTART-125
> Project: Maven 2.x Webstart Plugin
> Issue Type: New Feature
> Components: pack, sign
> Reporter: Dmitry Shohov
> Priority: Minor
> Attachments: webstart-pack200-bug-demo-project.zip,
> webstart-pack200-jdk15.patch
>
>
> There is a bug in JDK -
> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=5078608 and it's still not
> fixed. Webstart plugin needs some option to enable one of the workarounds
> described in the bug.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe from this list, please visit:
http://xircles.codehaus.org/manage_email
