-
Notifications
You must be signed in to change notification settings - Fork 77
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SWT binary jars signing - "Invalid signature file digest for Manifest main attributes" #2189
Comments
Actually, it's the same for the latest 4.33 I-builds. Seems to be the case since 4.31. Verifying the jars from 4.30 gives |
The generated reports indicate that all content on the update sites are signed: https://download.eclipse.org/oomph/archive/reports-extra/R-4.32-202406010610/download.eclipse.org/eclipse/updates/4.32/R-4.32-202406010610/index.html I'm not sure what produces those binaries... |
I think it is from swt build scripts. |
Strange. The jars from |
The signing of the native SWT binaries for Mac and Windows happens in
But these jars are packaged in and they are indeed not signed. But these packages are only created for the download section and are different from the artifacts in the p2 repository. The artifacts in the p2-repo are jar-signed (or at least shouled be singed) as usual. |
Could it be that the manifest is amended by some process after signing and thus breaking the digests of the manifest file? |
can the signing be disabled again till we figure out what messes with the manifest after signing? it certainly gives a bad impression to release artifacts whose signature is bad. |
Download any SWT Binary file from https://download.eclipse.org/eclipse/downloads/drops4/R-4.32-202406010610/ (in the "SWT Binary and Source" section).
Unzip the file and then run the command
jarsigner -verify swt.jar
:"java.lang.SecurityException: Invalid signature file digest for Manifest main attributes"
I don't know whether this is a known problem or if it's too late to do anything about it, but thought I'd report it anyway. Could be that a third-party app links to one of these and might get a security exception.
The text was updated successfully, but these errors were encountered: