Bug 277834 - SHA1 digest error with 3.5 RC1 apt jar
Status: RESOLVED FIXED
Alias: None
Product: Platform
Classification: Eclipse Project
Component: Releng
Version: 3.5
Hardware: All All
Importance: P3 normal
Target Milestone: 3.5 RC4
Assignee: Kim Moir CLA
Reported: 2009-05-26 07:21 EDT by Jan Lohre CLA
Modified: 2009-06-03 09:27 EDT

Description Jan Lohre CLA 2009-05-26 07:21:08 EDT
There seems to be a problem related to pack200 and jar signing in 3.5 RC1.

Steps to reproduce:
1. Download http://download.eclipse.org/eclipse/updates/3.5milestones/S-3.5RC1-200905151143/plugins/org.eclipse.jdt.apt.pluggable.core_1.0.200.v20090429-1720.jar.pack.gz
2. unpack200 ./org.eclipse.jdt.apt.pluggable.core_1.0.200.v20090429-1720.jar.pack.gz org.eclipse.jdt.apt.pluggable.core_1.0.200.v20090429-1720.jar
3. jarsigner -verify org.eclipse.jdt.apt.pluggable.core_1.0.200.v20090429-1720.jar

Results in:
jarsigner: java.lang.SecurityException: SHA1 digest error for org/eclipse/jdt/internal/apt/pluggable/core/Apt6CompilationParticipant.class

Bug 232008 seems to be related.

May this be a problem with jar normalization?
See http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/pack200.html
"3. Signing the JAR files.
Pack200 rearranges the contents of the resultant JAR file. The jarsigner hashes the contents of the class file and stores the hash in an encrypted digest in the manifest. When the unpacker runs on a packed file, the contents of the classes will be rearranged and thus invalidate the signature. Therefore, the JAR file must be normalized first using pack200 and unpack200, and thereafter signed."
Comment 1 Walter Harley CLA 2009-05-26 10:59:57 EDT
Assigning to releng
Comment 2 Kim Moir CLA 2009-05-26 16:53:37 EDT
Walter, can you retag the org.eclipse.jdt.apt.pluggable.core bundle and submit it to the build.  I think the problem may be that in the build, we are reusing the bundle from 429 and the fix identified in bug 232008 for update core was released into the builder after this date.  Thus this bundle still has the same issue. The bundle needs to be rebuilt with the new builder and submitting a new version to the build will force this to happen.
Comment 3 Walter Harley CLA 2009-05-26 21:33:15 EDT
retagged
Comment 5 Walter Harley CLA 2009-05-28 11:33:10 EDT
Kim, I wonder if there is a way to scan all plug-ins?  I will retag compiler.apt, but compiler.tool belongs to JDT Core.  
Comment 6 Walter Harley CLA 2009-05-28 11:37:25 EDT
I've also retagged all the other APT plugins that were 4/29 or older.
Comment 7 Kim Moir CLA 2009-05-28 13:27:22 EDT
I can run a script against the entire repo.
Comment 8 John Arthorne CLA 2009-06-02 11:34:19 EDT
RC3 is past. Can this be marked fixed?
Comment 9 Kim Moir CLA 2009-06-02 15:15:20 EDT
Looked at this issue again today.  There was a bug in our bootstrap script that caused pack200 files to be created by a 1.6 VM instead of a 1.5 VM. (There are pack200 compatibility issues).  This has been fixed for tonight's build.  I'll run the script against the repo again tomorrow to verify the pack200 files.
Comment 10 Kim Moir CLA 2009-06-03 09:27:40 EDT
Ran the jar verifier script against the packed jars and verified the packed jars in I20090602-2000 don't have any checksum errors.

java -cp plugins/org.eclipse.equinox.p2.jarprocessor_1.0.100.v20090520-1905.jar org.eclipse.equinox.internal.p2.jarprocessor.verifier.Verifier -dir <tempWorkingDir> <inputfolder>
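
What the "SHA1 digest error" in the description means mechanically, as an added example (not part of the original bug report and not the Eclipse verifier): jarsigner records a base64 SHA-1 of every entry in META-INF/MANIFEST.MF, and the check fails when unpacking yields different bytes than the ones that were hashed. The sketch recomputes only those per-entry digests, not the signature itself; the class bytes and all helper names are constructed for illustration.

```python
import base64, hashlib, io, zipfile

def sha1_b64(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def parse_manifest(text):
    """Return {entry name: {attribute: value}} for the per-entry sections."""
    # Manifest lines are capped at 72 bytes; a continuation line starts with one space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        if "Name" in attrs:
            entries[attrs.pop("Name")] = attrs
    return entries

def digest_errors(jar_bytes):
    """Entries whose current bytes no longer match the manifest's SHA1-Digest."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        return [name for name, attrs in manifest.items()
                if "SHA1-Digest" in attrs
                and sha1_b64(jar.read(name)) != attrs["SHA1-Digest"]]

def fold(line):
    """Wrap a manifest line the way the jar tools do (72 bytes, then ' ' + 71)."""
    return "\r\n ".join([line[:72]] + [line[i:i + 71] for i in range(72, len(line), 71)])

def build_jar(digested, stored):
    """Constructed sample jar: manifest digests are taken over `digested`,
    while the entries actually written come from `stored`."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in digested.items():
        lines += [fold("Name: " + name), "SHA1-Digest: " + sha1_b64(data), ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
        for name, data in stored.items():
            jar.writestr(name, data)
    return buf.getvalue()

CLASS = "org/eclipse/jdt/internal/apt/pluggable/core/Apt6CompilationParticipant.class"
# Constructed stand-ins for class bytes: same logical content, different byte layout.
AS_SIGNED = {CLASS: b"\xca\xfe\xba\xbe pool:[A,B]"}
AS_UNPACKED = {CLASS: b"\xca\xfe\xba\xbe pool:[B,A]"}

if __name__ == "__main__":
    print(digest_errors(build_jar(AS_SIGNED, AS_SIGNED)))    # normalized before signing
    print(digest_errors(build_jar(AS_SIGNED, AS_UNPACKED)))  # signed, then repacked
```

The second case is the failure reported here: the manifest still carries the digest of the bytes that were signed, while the unpacked class has a different layout.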