Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.

Bug 334032

Summary: Slow turnaround of the signing service
Product: Community Reporter: Konstantin Komissarchik <konstantin>
Component: CI-JenkinsAssignee: Eclipse Webmaster <webmaster>
Status: CLOSED DUPLICATE QA Contact:
Severity: normal    
Priority: P3 CC: david_williams, gunnar
Version: unspecified   
Target Milestone: ---   
Hardware: PC   
OS: Windows 7   
Whiteboard:
Attachments:
Description Flags
Signing script that can be used for repro none

Description Konstantin Komissarchik CLA 2011-01-11 15:53:30 EST 
In many cases, the most efficient way to sign jars during a build is to sign a jar a time. Bundling all plugin and feature jars into a zip just to invoke signing service is inefficient. 

In experimenting with jar-at-a-time signing, I have found a deficiency in how the signing service is scheduled that prevents the more efficient approach from being usable. 

For Sapphire project there are 23 jars to sign, which all together weigh in at approx 4MB. Invoking the signing service on a zip of all of these jars takes about 3 minutes. Invoking the signing service on each of the jars individually takes somewhere between 30 seconds to 1.5 minutes per jar.

I would guess that the problem is with the way signing service is scheduled. Maybe it polls for jobs too infrequently on the assumption that all signing will be performed on large zip files? 

There is no reason that jar less than 1MB in size couldn't be signed in under a second. This bug tracks improving the way that the signing service is scheduled to provide faster turnaround.
Comment 1 David Williams CLA 2012-03-28 11:48:30 EDT 
To cross reference, see bug 369798, for another impact of this slow turn around when signing "jar by jar". 

Perhaps a "first step" solution would be to have a special que/cron job that gave higher priority (niceness?) if the thing to be signed ended with ".jar", while things that ended with ".zip" be handled by same, current process. 

Not sure this solution would still be "fast enough" (since a certain amount of slowness is just starting the "jarsigner" each time) ... but ... maybe as a first step  to see if it makes the "tycho builds" workable?
Comment 2 Denis Roy CLA 2012-03-28 12:47:28 EDT 
> about 3 minutes. Invoking the signing service on each of the jars individually
> takes somewhere between 30 seconds to 1.5 minutes per jar.


If I examine the log file I don't see this type of performance.  I see 1-3 seconds to sign a single jar file.

2012-03-28 12:40:58: build SIGNER(5753): asked to sign /opt/public/download-staging.priv/webtools/temp-I-3.4.0-20120328145130-dali4x-sdk.zip/temp_temp-I-3.4.0-20120328145130-dali4x-sdk.zip/org.eclipse.jpt.jaxb.eclipselink.branding_1.2.0.v201203150000.jar
2012-03-28 12:40:58 build SIGNER(5753): Signing JAR file /opt/public/download-staging.priv/webtools/temp-I-3.4.0-20120328145130-dali4x-sdk.zip/temp_temp-I-3.4.0-20120328145130-dali4x-sdk.zip/org.eclipse.jpt.jaxb.eclipselink.branding_1.2.0.v201203150000.jar
 updating: META-INF/MANIFEST.MF
   adding: META-INF/ECLIPSEF.SF
requesting a signature timestamp
TSA location: https://timestamp.geotrust.com/tsa
   adding: META-INF/ECLIPSEF.RSA
  signing: about.html
  signing: about.ini
  signing: about.mappings
  signing: about.properties
   adding: icons/
  signing: icons/WTP_icon_x32_v2.png
  signing: plugin.properties

Warning: 
The signer certificate will expire within six months.
2012-03-28 12:40:59: build SIGNER(5753): Finished signing /opt/public/download-staging.priv/webtools/temp-I-3.4.0-20120328145130-dali4x-sdk.zip/temp_temp-I-3.4.0-20120328145130-dali4x-sdk.zip/org.eclipse.jpt.jaxb.eclipselink.branding_1.2.0.v201203150000.jar



Requesting the secure timestamp can add up to .5 second to each jar, but otherwise, how can I reproduce this 30-second to 1.5 minute problem?
Comment 3 Konstantin Komissarchik CLA 2012-03-28 13:19:11 EDT 
Created attachment 213304 [details]
Signing script that can be used for repro

With the caveat that I haven't tried the single jar signing since filing this bug more than a year ago (I have implemented the zip-sign-unzip workaround)...

I am attaching my Ant-based signing macro. There is an embedded comment that goes into usage and the logic isn't that complex to follow. It should be pretty easy to setup a simple Ant test case with a sample jar and this macro.
Comment 4 Konstantin Komissarchik CLA 2012-03-28 13:20:25 EDT 
Should have mentioned that for the sake of best relevancy, any repro attempts should be done from a job running on Eclipse.org public hudson instance...
Comment 5 Denis Roy CLA 2012-04-16 11:27:18 EDT 
I'll mark this as a dupe of a later bug, bug 369798

For CBI we've altered the signing service to support jar-at-a-time instant signing.  Please see the wiki docs for details:

http://wiki.eclipse.org/IT_Infrastructure_Doc#Sign_my_plugins.2FZIP_files.3F

*** This bug has been marked as a duplicate of bug 369798 ***