SWT binary jars signing - "Invalid signature file digest for Manifest main attributes" #2189
Comments
Actually, it's the same for the latest 4.33 I-builds. Seems to be the case since 4.31. Verifying the jars from 4.30 gives
The generated reports indicate that all content on the update sites are signed: https://download.eclipse.org/oomph/archive/reports-extra/R-4.32-202406010610/download.eclipse.org/eclipse/updates/4.32/R-4.32-202406010610/index.html I'm not sure what produces those binaries...
I think it is from swt build scripts.
Strange. The jars from
The signing of the native SWT binaries for Mac and Windows happens in
But these jars are packaged in and they are indeed not signed. But these packages are only created for the download section and are different from the artifacts in the p2 repository. The artifacts in the p2-repo are jar-signed (or at least should be signed) as usual.
Could it be that the manifest is amended by some process after signing and thus breaking the digests of the manifest file?
Can the signing be disabled again till we figure out what messes with the manifest after signing? It certainly gives a bad impression to release artifacts whose signature is bad.
Download any SWT Binary file from https://download.eclipse.org/eclipse/downloads/drops4/R-4.32-202406010610/ (in the "SWT Binary and Source" section).
Unzip the file and then run the command:
jarsigner -verify swt.jar
"java.lang.SecurityException: Invalid signature file digest for Manifest main attributes"
I don't know whether this is a known problem or if it's too late to do anything about it, but thought I'd report it anyway. Could be that a third-party app links to one of these and might get a security exception.
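One way to test the hypothesis raised in the comments (manifest amended after signing), as an added example that is not part of the original thread or of the Eclipse build scripts: it recomputes the SHA-256 of the manifest's main section and compares it with the `SHA-256-Digest-Manifest-Main-Attributes` value in each `META-INF/*.SF`. The sample jar, `SAMPLE.SF` and the `Built-By` header are constructed, and treating the main section as everything through the first blank line is an assumption about how the JDK digests it.

```python
import base64, hashlib, io, re, zipfile

ATTR = "SHA-256-Digest-Manifest-Main-Attributes"

def main_section(manifest: bytes) -> bytes:
    # Assumption: main attributes run up to and including the first blank line.
    m = re.search(rb"\r?\n\r?\n", manifest)
    return manifest if m is None else manifest[:m.end()]

def digest_b64(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def sf_main_attrs_digest(sf: bytes):
    # Unfold continuation lines (newline + space) before parsing "Name: value".
    text = re.sub(rb"\r?\n ", b"", sf).decode("utf-8")
    for line in text.splitlines():
        if not line:          # end of the .SF main section
            break
        name, _, value = line.partition(": ")
        if name == ATTR:
            return value
    return None

def check_jar(jar_bytes: bytes) -> dict:
    # Per .SF file: True (digest matches), False (mismatch), None (attribute absent).
    results = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        actual = digest_b64(main_section(jar.read("META-INF/MANIFEST.MF")))
        for name in jar.namelist():
            if re.fullmatch(r"META-INF/[^/]+\.SF", name, re.I):
                recorded = sf_main_attrs_digest(jar.read(name))
                results[name] = None if recorded is None else recorded == actual
    return results

def build_jar(manifest: bytes, sf: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/SAMPLE.SF", sf)
    return buf.getvalue()

def demo():
    # Constructed manifest and .SF; only the digest line is modelled, no signature block.
    manifest = (b"Manifest-Version: 1.0\r\nBundle-Name: example\r\n\r\n"
                b"Name: lib.dll\r\nSHA-256-Digest: AAAA\r\n\r\n")
    line = f"{ATTR}: {digest_b64(main_section(manifest))}".encode()
    sf = b"Signature-Version: 1.0\r\n" + line[:72] + b"\r\n " + line[72:] + b"\r\n\r\n"
    amended = manifest.replace(b"1.0\r\n", b"1.0\r\nBuilt-By: packager\r\n", 1)
    return check_jar(build_jar(manifest, sf)), check_jar(build_jar(amended, sf))
```

Running `check_jar` on the bytes of a downloaded `swt.jar` shows which signature file, if any, no longer matches the manifest; it does not validate the signature block or the per-entry digests.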