Community
Participate
Working Groups
Build Identifier: M20070212-1330 When I was updating Eclipse, during the installation of an update for EMF I got an error dialogue that said the code was unsigned, asking me to install or cancel. Since the source couldn't be verified I decided to cancel. Details of the specific update: Feature name: Eclipse Modeling Framework (EMF) Runtime + End-User Tools Feature Identifier: org.eclipse.emf_2.2.5.v200808252119 Provider: Eclipse.org File Identifier: org.eclipse.emf_2.2.5.v200808252119 I can see three main expected causes: 1) The update was released unsigned. --> Signing updates before release would resolve the bug. 2) The update was released unsigned, but a mirror stripped the signature and/or modified the file. --> Unfortunately the dialogue doesn't give more specific information than I provided above. However, if the update should have been signed, and among the mirrors an unsigned version of the update is found, then removing that mirror from the list would resolve the bug. 3) The update was singed okay, but something is wrong with Eclipse's signature verification or trusted signatory list. --> Fixing the way Eclipse checks signatures would resolve the bug. Reproducible: Always Steps to Reproduce: 1. Make sure EMF is installed in Eclipse, otherwise Eclipse will by default not try to update it. Make sure it's an old version, so the above update is necessary. 2. Click Help > Software Updates > Find & Install... 3. Tell it to only update features already installed and let it work it's magic in the background. 4. This will take a while. Cook dinner or something; if you're lucky, when you've finished your meal, it'll be finished too. 5. The error dialogue will pop up. (Or not, if scenario 2 is in play.)
Correction: the first phrase of 2) should read: The update was released signed, ...
EMF 2.2.5? That was long before we even started to support signing of jars at Eclipse.
Possibly, but I can't know that. In any case, this was the version the updater tried to download. I don't know if the updater is downloading this file in error (i.e. that it should be downloading a more recent version) or because it wants to incrementally update or something, but whatever the case may be, the fact remains that the update the updater wants to download should be signed. If it is really necessary to download an update from before code signing in some cases, that just means that such updates need to get signed, even if signing was not supported at the moment when they were originally released. In any case, that means we are more or less in scenario 1) and that means that this bug is still valid, so I'm reopening it.
There's just not enough information to reproduce a problem. You don't specify what you have installed already, only that you're updating it. In any case, if you have something really old installed that depends on EMF 2.2.x so the updater wants to update to EMF 2.2.5 (which is what this sounds like), then what's happening correct behavior. And yes, EMF 2.2.5 isn't signed nor will we ever be spinning another version of 2.2.x that would be signed.
It has become clear that people here aren't interested in fixing problems. I have disabled bugmail; I would appreciate it if an administrator would properly disable my account.
