Bug 347041 - Signing plugin produces md5sum errors
Status: RESOLVED FIXED
Alias: None
Product: Dash
Classification: Technology
Component: Maven
Version: unspecified
Hardware: PC Linux
Importance: P3 normal
Target Milestone: ---
Assignee: David Carver CLA
Reported: 2011-05-24 14:37 EDT by Andrew Overholt CLA
Modified: 2011-07-11 13:36 EDT
Description Andrew Overholt CLA 2011-05-24 14:37:41 EDT
The Linux Tools project makes use of the Dash Maven signing plugin.  A build from a few hours ago gives the following error when I attempt to install the available updates in a 3.7RC1 Eclipse SDK:

An error occurred while collecting items to be installed
session context was:(profile=SDKProfile, phase=org.eclipse.equinox.internal.p2.engine.phases.Collect, operand=, action=).
Problems downloading artifact: osgi.bundle,org.eclipse.linuxtools.cdt.autotools_docs,2.0.2.201105241252.
MD5 hash is not as expected. Expected: 62b3a1224d3c5f409395bc0973cd4331 and found ef7ea91cab2c3709c59fda43367c492c.
Problems downloading artifact: osgi.bundle,org.eclipse.linuxtools.cdt.libhover.library_docs,1.0.2.201105241252.
MD5 hash is not as expected. Expected: 8b9f6a4f4f46cf673b05e4d1c1c2346b and found 13db2defada250e6936d64cd3a6bc7dc.
Multiple problems occurred while downloading.
No location for packed: osgi.bundle,org.eclipse.linuxtools.man,0.0.1.201105241252.
Problems downloading artifact: osgi.bundle,org.eclipse.linuxtools.man,0.0.1.201105241252.
MD5 hash is not as expected. Expected: 884322990d9118ea9f88803984815002 and found 00e8b78560328564a860844fb0596112.
Multiple problems occurred while downloading.
No location for packed: osgi.bundle,org.eclipse.linuxtools.rpmstubby,0.3.0.201105241252.
Problems downloading artifact: osgi.bundle,org.eclipse.linuxtools.rpmstubby,0.3.0.201105241252.
MD5 hash is not as expected. Expected: 0c786787aa7eda97110e0332a7d69a9d and found 70eecd905aa6f034666f3c82160c16b0.
Problems downloading artifact: org.eclipse.update.feature,org.eclipse.linuxtools.cdt.libhover.devhelp,0.7.1.201105241252.
MD5 hash is not as expected. Expected: 7b33c0c9c3836392910c614287b7a000 and found 886c8140103f066e0479cd1503148842.
Problems downloading artifact: org.eclipse.update.feature,org.eclipse.linuxtools.man,0.0.1.201105241252.
MD5 hash is not as expected. Expected: 00e8b78560328564a860844fb0596112 and found 2c1fa47bc23e5ff079927b36418d5a06.
Problems downloading artifact: org.eclipse.update.feature,org.eclipse.linuxtools.rpm.ui.editor,0.4.3.201105241252.
MD5 hash is not as expected. Expected: 7a7a6bd4f8a7b18dd7bfacfe36d06368 and found 19a5d5e97e7dd43b721b76e93c12ff94.
Problems downloading artifact: org.eclipse.update.feature,org.eclipse.linuxtools.rpmstubby,0.3.0.201105241252.
MD5 hash is not as expected. Expected: 70eecd905aa6f034666f3c82160c16b0 and found ebe7dae7faf630c9417b03cfc6f428a8.

Our relevant pom.xml:

  http://git.eclipse.org/c/linuxtools/org.eclipse.linuxtools.git/tree/releng/org.eclipse.linuxtools.releng-site/pom.xml

specifically:

  http://git.eclipse.org/c/linuxtools/org.eclipse.linuxtools.git/tree/releng/org.eclipse.linuxtools.releng-site/pom.xml#n45

The build:

  https://hudson.eclipse.org/hudson/job/cbi-linuxtools-Indigo/318/

The build log:

  https://hudson.eclipse.org/hudson/job/cbi-linuxtools-Indigo/318/console

The p2 repo:

  https://hudson.eclipse.org/hudson/job/cbi-linuxtools-Indigo/318/artifact/releng/org.eclipse.linuxtools.releng-site/target/repository/
Comment 1 Jesse McConnell CLA 2011-05-24 15:08:54 EDT
the pack -> sign -> repack -> fix process chains together

the first pack is given an input file, in your case:

<inputFile>${project.build.directory}/org.eclipse.linuxtools.releng-site.zip</inputFile>

that filename is then used throughout the process, but each mojo dumps its output into a subdir

so the input to the sign mojo would be:

<inputFile>${project.build.directory}/packed/org.eclipse.linuxtools.releng-site.zip</inputFile>

and then the input into the repack mojo would be

<inputFile>${project.build.directory}/signed/org.eclipse.linuxtools.releng-site.zip</inputFile>

and lastly the input into the fix checksum mojo would be once more

<inputFile>${project.build.directory}/packed/org.eclipse.linuxtools.releng-site.zip</inputFile>

leaving you with a file product in

<outputFile>${project.build.directory}/fixed/org.eclipse.linuxtools.releng-site.zip</outputFile>

unless you change that last one...it ought to work like the others but I think I was a goober and didn't think of it at the time.

It works without messing with any of these params (aside from the input into the repack) if you start the whole process with site_assembly.zip as the filename....so if you don't do that then you'll have to adjust the inputs and outputs accordingly for each mojo configuration.  but it should make pretty good sense if you think of it as a bit of a chain of events.

let me know if this helps!
Comment 2 David Williams CLA 2011-05-24 15:18:15 EDT
Hope I'm not repeating what Jesse said (skim reading ... :) and

I'm not familiar with "the signing plugin" but there have been surprises, in the past, that various steps in the general process will "touch" (even modify) jars in ways that are not always expected (for example, even if they have already been signed!). For some discussion, see bug 275094.

As far as I know, the solution is to always run "p2.process.artifacts" as the final step (optionally, with 'pack' attribute). 

to quote a quote from bug 275094

<quote>
A way to fix MD5 sums in the artifacts.xml is to run
<p2.process.artifacts repositoryPath="file:/${repo}" />
</quote>

Just in case the info/history helps.
Comment 3 David Williams CLA 2011-05-24 15:28:02 EDT
(sorry, I unintentionally changed status flag, so now changing back to 'assigned').
Comment 4 Andrew Overholt CLA 2011-05-24 15:32:50 EDT
Thanks for the clarification, Jesse!

Chris Aniszczyk actually did this work and I hadn't looked at it in much detail until just now.  I think I have the proper file-names fixed up for the <inputFile> sections but what about the maven-antrun-plugin call?  At present we have (at [1]):

  <copy includeemptydirs="false"
        todir="/home/data/httpd/download.eclipse.org/technology/linuxtools/updates-nightly">
    <fileset dir="target/checksumFix">
      <include name="**" />
    </fileset>
  </copy>

but I wonder if this should be replaced with unzipping "${project.build.directory}/fixed/org.eclipse.linuxtools.releng-site.zip"?

[1]
http://git.eclipse.org/c/linuxtools/org.eclipse.linuxtools.git/tree/releng/org.eclipse.linuxtools.releng-site/pom.xml#n112
Comment 5 Andrew Overholt CLA 2011-05-24 19:23:59 EDT
I've made some changes to our pom.xml [1] but the most recent build [2] still gives MD5sum errors.  I tried using the contents of the checksumFix directory but it also has md5sum errors.

Anyone know what I'm doing wrong at [1]?  I've made the build job's workspace [3] publicly accessible so anyone should be able to see it [3].

[1]
http://git.eclipse.org/c/linuxtools/org.eclipse.linuxtools.git/tree/releng/org.eclipse.linuxtools.releng-site/pom.xml

[2]
https://hudson.eclipse.org/hudson/job/cbi-linuxtools-Indigo/320/

[3]
https://hudson.eclipse.org/hudson/job/cbi-linuxtools-Indigo/ws/releng/org.eclipse.linuxtools.releng-site/target
Comment 6 Jesse McConnell CLA 2011-05-25 12:08:39 EDT
looks like one issue is that _ is used in both package names and in osgi version strings which breaks the fix checksum bits of the mojo
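
Added example (not part of the original thread and not the Dash plugin's code): a pre-publish check for the failure discussed in comments 2 and 6. It recomputes each jar's MD5 and compares it with the download.md5 value recorded in artifacts.xml, taking id and version from the XML. The plugins/ and features/ layout, the skipping of packed descriptors, and the sample jar contents are assumptions of this example.

```python
import hashlib
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumed default p2 layout: classifier -> directory under the repository root
LAYOUT = {"osgi.bundle": "plugins", "org.eclipse.update.feature": "features"}

def md5_of(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def check_repo(artifacts_xml, repo_dir):
    """Return (artifact key, expected MD5, found MD5) for every mismatch."""
    problems = []
    for art in ET.fromstring(artifacts_xml).iter("artifact"):
        cls, aid, ver = (art.get(k) for k in ("classifier", "id", "version"))
        props = {p.get("name"): p.get("value") for p in art.iter("property")}
        expected = props.get("download.md5")
        # pack200 descriptors and unknown classifiers are out of scope here
        if props.get("format") == "packed" or not expected or cls not in LAYOUT:
            continue
        # id/version come from the XML, not from splitting the file name on "_"
        jar = Path(repo_dir) / LAYOUT[cls] / f"{aid}_{ver}.jar"
        found = md5_of(jar) if jar.is_file() else "missing"
        if found != expected:
            problems.append((f"{cls},{aid},{ver}", expected, found))
    return problems

def demo():
    """Constructed repository: one jar is rewritten after its MD5 was recorded."""
    bundles = (("org.eclipse.linuxtools.cdt.autotools_docs", "2.0.2.201105241252"),
               ("org.eclipse.linuxtools.man", "0.0.1.201105241252"))
    with tempfile.TemporaryDirectory() as repo:
        plugins = Path(repo) / "plugins"
        plugins.mkdir()
        entries = []
        for bid, ver in bundles:
            jar = plugins / f"{bid}_{ver}.jar"
            jar.write_bytes(b"constructed unsigned content of " + bid.encode())
            entries.append(
                f"<artifact classifier='osgi.bundle' id='{bid}' version='{ver}'>"
                f"<properties><property name='download.md5' value='{md5_of(jar)}'/>"
                "</properties></artifact>")
        xml = "<repository><artifacts>" + "".join(entries) + "</artifacts></repository>"
        # Stand-in for a signing step that rewrites the last jar but not artifacts.xml
        jar.write_bytes(b"constructed signed content")
        return check_repo(xml, repo)

if __name__ == "__main__":
    print(demo())
```

Run against a real repository by passing the text of its artifacts.xml and the repository directory to check_repo(); an empty list means every recorded checksum matches the file on disk.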
Comment 7 David Carver CLA 2011-05-25 17:01:15 EDT
A new snapshot has been deployed.

1.0.1.0-SNAPSHOT

Update your repository for your maven plugins to pull from the following location.

http://maven.eclipse.org/nexus/content/groups/public/
Comment 8 Andrew Overholt CLA 2011-05-25 18:48:44 EDT
This latest version appears to have worked!  I was able to install without md5sum errors and verify that things are signed.  Thanks!
Comment 9 Hugues Malphettes CLA 2011-05-25 19:58:41 EDT
Has anyone had success with an 'eclipse-repository' project and would mind sharing such a project?
Comment 10 Andrew Overholt CLA 2011-05-25 21:54:12 EDT
(In reply to comment #9)
> Has anyone had success with an 'eclipse-repository' project and would mind
> sharing such a project?

Linux Tools uses such a project:

http://git.eclipse.org/c/linuxtools/org.eclipse.linuxtools.git/tree/releng/org.eclipse.linuxtools.releng-site/pom.xml

mvn -fn -Dmaven.test.failure.ignore=true -U -e clean install

We append "-P build-server" on hudson.eclipse.org to use this plugin:

https://hudson.eclipse.org/hudson/job/cbi-linuxtools-Indigo/
Comment 11 Hugues Malphettes CLA 2011-05-25 22:01:38 EDT
(In reply to comment #10)
> (In reply to comment #9)
> > Has anyone had success with an 'eclipse-repository' project and would mind
> > sharing such a project?
> 
> Linux Tools uses such a project:
> 
> http://git.eclipse.org/c/linuxtools/org.eclipse.linuxtools.git/tree/releng/org.eclipse.linuxtools.releng-site/pom.xml
> 
> mvn -fn -Dmaven.test.failure.ignore=true -U -e clean install
> 
> We append "-P build-server" on hudson.eclipse.org to use this plugin:
> 
> https://hudson.eclipse.org/hudson/job/cbi-linuxtools-Indigo/
Thanks a lot Andrew.
We will be following your example at RTP: bug 347242
Comment 12 David Carver CLA 2011-05-26 16:11:02 EDT
Re-Opening, as I want to deploy this to a milestone repository.  If anybody else gets the current snapshot working successfully, please comment here, as I would like another verification point besides Linux tools.

Once verified, I'll deploy a 1.0.1 version of the plugin.
Comment 13 David Carver CLA 2011-05-26 16:11:24 EDT
Re-Assigning to myself for the final deployment.
Comment 14 Hugues Malphettes CLA 2011-05-26 19:14:32 EDT
The plugin worked for RTP.

Be aware that only the published repository contains the signed artifacts.
For example if you are generating some product archives they won't contain the signed artifacts:
http://dev.eclipse.org/mhonarc/lists/tycho-user/msg00259.html
Comment 15 Hugues Malphettes CLA 2011-05-29 22:14:14 EDT
Dave, Jesse, before you do a release could you look into bug 347591:
The MD5 checksums are correct but it looks like there are a couple of issues remaining.
Andrew, I looked into the builds of linuxtools and I suspect that they are also affected. I have added you in cc of that bug.
Comment 16 Andrew Overholt CLA 2011-05-30 08:51:47 EDT
Thanks, Hugues.
Comment 17 David Carver CLA 2011-05-30 10:21:55 EDT
This has been deployed to the milestone repo.  Everybody should be using 1.0.1 now.
Comment 18 Vivian Kong CLA 2011-07-11 13:36:01 EDT
(In reply to comment #1)

> 
> and lastly the input into the fix checksum mojo would be once more
> 
> <inputFile>${project.build.directory}/packed/org.eclipse.linuxtools.releng-site.zip</inputFile>
> 
> leaving you with a file product in
> 
> <outputFile>${project.build.directory}/fixed/org.eclipse.linuxtools.releng-site.zip</outputFile>

I'm using the signing plugin to sign and fix MD5 checksum but I can't find a zip file in the ${project.build.directory}/fixed directory.  Am I missing something?  I'm using the 1.0.1.2 SNAPSHOT:

http://git.eclipse.org/c/cdt/org.eclipse.cdt.git/tree/releng/org.eclipse.cdt.repo/pom.xml?h=cdt_7_0