Build Identifier: Version: 4.2.0 Build Id: I20120315-1300

A plugin that is signed with the Java 1.7 jarsigner tool cannot be installed into Eclipse. In 1.7, the jarsigner tool uses the SHA256 algorithm, which doesn't appear to be supported by Eclipse.

Workarounds:
1. Specify which algorithm to use during signing/key generation.
2. Use an older version of Java.

Error:
An error occurred while collecting items to be installed
session context was:(profile=SDKProfile, phase=org.eclipse.equinox.internal.p2.engine.phases.Collect, operand=, action=).
Problems downloading artifact: osgi.bundle,com.ibm.eclipse.empty,1.0.0.201204301546.
Error reading signed content:C:\DOCUME~1\ckegley\LOCALS~1\Temp\signatureFile3462333199163840301.jar
An error occurred while processing the signatures for the file: C:\DOCUME~1\ckegley\LOCALS~1\Temp\signatureFile3462333199163840301.jar
Problems downloading artifact: org.eclipse.update.feature,com.ibm.eclipse.empty.feature,1.0.0.201204301546.
Error reading signed content:C:\DOCUME~1\ckegley\LOCALS~1\Temp\signatureFile6124194820867887908.jar
An error occurred while processing the signatures for the file: C:\DOCUME~1\ckegley\LOCALS~1\Temp\signatureFile6124194820867887908.jar

StackTrace:
java.io.IOException: Either the manifest file or the signature file has been tampered in this jar: C:\DOCUME~1\ckegley\LOCALS~1\Temp\eclipse\.update\1335818962762\1335818962763\eclipse147725819532611513.tmp
    at org.eclipse.osgi.internal.signedcontent.LegacyVerifierFactory.getVerifier(LegacyVerifierFactory.java:32)
    at org.eclipse.update.internal.verifier.CertVerifier.verify(CertVerifier.java:147)
    at org.eclipse.update.internal.verifier.CertVerifier.verify(CertVerifier.java:133)
    at org.eclipse.update.core.Feature.verifyReferences(Feature.java:967)
    at org.eclipse.update.core.Feature.install(Feature.java:365)
    at org.eclipse.update.internal.core.SiteFile.install(SiteFile.java:96)
    at org.eclipse.update.internal.core.ConfiguredSite.install(ConfiguredSite.java:155)
    at org.eclipse.update.internal.core.ConfiguredSite.install(ConfiguredSite.java:119)
    at org.eclipse.update.internal.operations.InstallOperation.execute(InstallOperation.java:92)
    at org.eclipse.update.internal.operations.BatchInstallOperation.execute(BatchInstallOperation.java:84)
    at org.eclipse.update.internal.ui.wizards.InstallWizard2.install(InstallWizard2.java:373)
    at org.eclipse.update.internal.ui.wizards.InstallWizard2.access$1(InstallWizard2.java:370)
    at org.eclipse.update.internal.ui.wizards.InstallWizard2$1.run(InstallWizard2.java:483)
    at org.eclipse.core.internal.jobs.Worker.run(Worker.java:55)

Reproducible: Always

Steps to Reproduce:
java version "1.7.0"
Java(TM) SE Runtime Environment (build 1.7.0-b147)
Java HotSpot(TM) Client VM (build 21.0-b17, mixed mode, sharing)

Steps to create self-signed signing cert:

1. Create a keystore and generate the key pair

"C:\Program Files\Java\jdk1.7.0\bin\keytool" -genkey -dname "cn=AppSigner, ou=Me, o=IBM, L=Austin, c=US" -alias "My self signed app signing cert" -keypass passw0rd -keystore C:\TestCase\signcert\self.keystore -storepass passw0rd -validity 36000

2. Create a list of the newly created self-signed cert/key pair

"C:\Program Files\Java\jdk1.7.0\bin\keytool" -list -v -alias "My self signed app signing cert" -keystore C:\TestCase\signcert\self.keystore -storepass passw0rd

Output:
Alias name: My self signed app signing cert
Creation date: Apr 30, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=AppSigner, OU=Me, O=IBM, L=Austin, C=US
Issuer: CN=AppSigner, OU=Me, O=IBM, L=Austin, C=US
Serial number: 3716b6cd
Valid from: Mon Apr 30 15:44:24 CDT 2012 until: Sun Nov 23 14:44:24 CST 2110
Certificate fingerprints:
    MD5: 54:27:08:89:70:C7:A4:DB:D0:0A:13:D1:79:AC:7A:0C
    SHA1: 38:A4:22:FD:67:E4:51:1B:CE:9B:F9:AE:F0:C2:32:92:C1:16:7A:0E
    SHA256: 10:21:DF:0E:EE:13:43:93:BF:29:B7:CB:F7:85:03:43:FB:CC:39:3D:A6:
        3B:D0:92:F2:AF:32:BC:A5:C4:91:74
    Signature algorithm name: SHA1withDSA
    Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F6 CF 0E 58 C5 77 10 8C ED 17 92 5B 70 96 C7 87 ...X.w.....[p...
0010: DF D7 47 17 ..G.
]
]

Steps to sign plugin:

1. Sign update site JAR files in both features and plugins folders using self-signed cert/key pair

"C:\Program Files\Java\jdk1.7.0\bin\jarsigner" -verbose -keystore C:\TestCase\signcert\self.keystore -storepass passw0rd -keypass passw0rd C:\TestCase\features\com.ibm.eclipse.empty.feature_1.0.0.201204301546.jar "My self signed app signing cert"

Output:
updating: META-INF/MANIFEST.MF
adding: META-INF/MY_SELF_.SF
adding: META-INF/MY_SELF_.DSA
signing: feature.xml

"C:\Program Files\Java\jdk1.7.0\bin\jarsigner" -verbose -keystore C:\TestCase\signcert\self.keystore -storepass passw0rd -keypass passw0rd C:\TestCase\plugins\com.ibm.eclipse.empty_1.0.0.201204301546.jar "My self signed app signing cert"

Output:
updating: META-INF/MANIFEST.MF
adding: META-INF/MY_SELF_.SF
adding: META-INF/MY_SELF_.DSA
adding: com/
adding: com/ibm/
adding: com/ibm/eclipse/
adding: com/ibm/eclipse/empty/
signing: com/ibm/eclipse/empty/Activator.class

Create and install update site:
1. Zip features and plugins directories with site.xml into emptyUpdateSite.zip.
2. Install emptyUpdateSite.zip into Eclipse.

Install fails with provided error.
Created attachment 214863 [details]
Update site signed with java 7 jarsigner, which exhibits failure
What version of Java did you use when you installed the plugin? That is, did you sign with Java 7 and install with 1.6, or did both the signing and installation run on Java 7?
Here is my session data:
eclipse.buildId=I20120315-1300
java.version=1.7.0
java.vendor=Oracle Corporation
BootLoader constants: OS=win32, ARCH=x86, WS=win32, NL=en_US
Command-line arguments: -os win32 -ws win32 -arch x86
Tom, this seems worse than the other case. Signing with Java 7 and trying to install with Java 7 fails.
I think this is a framework issue in that it needs to support the newer SHA256 algorithm. I will have to see how hard it will be to support.
Created attachment 214892 [details]
possible fix

This could be as simple as this. Basically just let the algorithm name flow through to the MessageDigest class and fail there if the VM does not support the algorithm. This change allowed me to read the signer info from the attached bundle on Java 6 also.
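The idea in the comment above, as an added example that is not the attached patch or any Equinox code: the digest algorithm is read from each `<alg>-Digest` attribute in MANIFEST.MF and handed to MessageDigest unchanged. The class and helper names are hypothetical, `java.util.Base64` assumes Java 8 or later, and the sketch checks manifest digests only, not the .SF file or the signature block.

```java
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

public class ManifestDigestCheck {
    // Hypothetical helper: true only if every "<alg>-Digest" attribute of the entry matches.
    static boolean entryMatches(JarFile jar, String entryName, Attributes attrs) throws Exception {
        JarEntry entry = jar.getJarEntry(entryName);
        if (entry == null) return false; // listed in the manifest but missing from the jar
        boolean checked = false;
        for (Object key : attrs.keySet()) {
            String attr = key.toString();
            if (!attr.endsWith("-Digest")) continue;
            String alg = attr.substring(0, attr.length() - "-Digest".length());
            MessageDigest md;
            try {
                md = MessageDigest.getInstance(alg); // name comes from the jar; unsupported names fail here
            } catch (NoSuchAlgorithmException ex) {
                throw new SecurityException("this VM has no " + alg + " digest", ex);
            }
            try (InputStream in = jar.getInputStream(entry)) {
                byte[] buf = new byte[8192];
                for (int n; (n = in.read(buf)) != -1; ) md.update(buf, 0, n);
            }
            byte[] expected = Base64.getDecoder().decode(attrs.getValue(attr));
            if (!MessageDigest.isEqual(expected, md.digest())) return false;
            checked = true;
        }
        return checked; // no digest attribute at all counts as unverified
    }

    public static void main(String[] args) throws Exception {
        try (JarFile jar = new JarFile(args[0], false)) { // false: bypass the JDK's own verifier
            Manifest mf = jar.getManifest();
            if (mf == null) throw new SecurityException("no manifest");
            for (Map.Entry<String, Attributes> e : mf.getEntries().entrySet()) {
                boolean ok = entryMatches(jar, e.getKey(), e.getValue());
                System.out.println((ok ? "OK   " : "FAIL ") + e.getKey());
            }
        }
    }
}
```

A matching manifest digest shows only that the entry agrees with the manifest; authenticity still depends on verifying the .SF file and signature block against a trusted certificate.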
*** Bug 378553 has been marked as a duplicate of this bug. ***
This is a must fix for Juno.

In the long run we are going to have to rip the security code related to parsing signatures and certificates from the framework and just depend on the impl included in JarFile. It is not feasible to keep up with each new version of jar signer in each new VM release. We have our own implementation for historical reasons since we wanted to run on small embedded VMs that did not have JarFile. This code has been maintained by a set of committers in the equinox security project, but now they have moved on to other things so we don't have the experts to keep this code current.

The big disadvantage of depending on JarFile is that it forces you to parse and verify the complete jar just to get the set of CodeSigners for the jar. It would be nice if JarFile had a getCodeSigners method instead of forcing you to go to each entry of the jar and read the complete entry before getting the CodeSigner for the entry. You then have to build up a set of code signers for each entry to figure out all the CodeSigners for the jar.
Fixed in commit:
http://git.eclipse.org/c/equinox/rt.equinox.framework.git/commit/?id=7bc8060090621ea117971fd917321d4abbae4f5c

BJ could you review?
(In reply to comment #9)
> BJ could you review?

I see you committed test.bug378155.jar but I don't see it used in the test:

+ public void testBug378155() { + doTestBug378155("SHA1withRSA"); + doTestBug378155("SHA256withRSA"); + doTestBug378155("SHA384withRSA"); + doTestBug378155("SHA512withRSA"); + }
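Review bot: the four doTestBug378155 calls in testBug378155 pass only *withRSA signature algorithm names, so nothing in this hunk covers a DSA-signed jar like the one in the report (META-INF/MY_SELF_.DSA, signature algorithm SHA1withDSA); add a DSA case. The argument is a signature algorithm name, while the reported failure is about the SHA256 digest algorithm, so a comment on the helper stating which digest algorithm each case ends up with would make the coverage clear. test.bug378155.jar is not referenced anywhere in these lines.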
(In reply to comment #10)
> (In reply to comment #9)
> > BJ could you review?
>
> I see you committed test.bug378155.jar but I don't see it used in the test:
>
> + public void testBug378155() { > + doTestBug378155("SHA1withRSA"); > + doTestBug378155("SHA256withRSA"); > + doTestBug378155("SHA384withRSA"); > + doTestBug378155("SHA512withRSA"); > + }

Yeah, I realized this last night. I need to add at least one test for DSA. The attached jars Cathy provided use SHA1withDSA for the sigalg and use SHA256 for the digest algorithm. For some reason I could not get a DSA type jar with anything other than SHA1withDSA as the sigalg for the signature file. I also had no luck getting jarsigner to sign with SHA224withRSA, SHA512_224withRSA or SHA512_256withRSA sigalg.
I released a SHA1withDSA.jar and verify it in the test now: http://git.eclipse.org/c/equinox/rt.equinox.framework.git/commit/?id=0b0ff7b485b18cb122cc31042eff684d376b0bea
*** Bug 380779 has been marked as a duplicate of this bug. ***