Bug 205476 - Signed, but untrusted modules (Jira dependencies) on Certified plugins UC
Status: VERIFIED FIXED
Product: updatecenters
Classification: Unclassified
Component: Stable
7.1
All All
: P1
: 7.1
Assigned To: Jiri Rechtacek
Autoupdate Masters
: 71_HR_FIX
Reported: 2011-11-23 12:45 UTC by Tomas Danek
Modified: 2011-11-27 17:00 UTC
Issue Type: DEFECT
Description Tomas Danek 2011-11-23 12:45:28 UTC
See issue 205289: Jira can be installed, but the user will get a message about "signed but untrusted modules". Needs to be solved for 7.1 FCS.

List of modules:

Mylyn Commons Soap
javax.servlet
javax.activation
org.apache.commons.discovery
javax.xml.soap
org.apache.axis
javax.xml.rpc
javax.mail
Atlassian Connector for Eclipse Commons Core
Atlassian Connector for Eclipse Jira Core
org.eclipse.mylyn.monitor.ui.dummy
Comment 1 pgebauer 2011-11-23 13:30:53 UTC

*** This bug has been marked as a duplicate of bug 202756 ***
Comment 2 Tomas Danek 2011-11-23 15:03:34 UTC
Yes, it's the same problem as in beta (the report for beta was wrong - it's about "unsigned", but should be about "untrusted" as well). WONTFIX from the duplicate won't solve this issue; a better idea is probably adding the certificate of the mentioned modules to the keystore.
Comment 3 Antonin Nebuzelsky 2011-11-23 15:19:21 UTC
Jirko, please have a look at how JAR signatures are processed in AU client. Is it different from how NBM signatures are processed?
Comment 4 pgebauer 2011-11-23 16:02:10 UTC
I have discovered how jars can be signed via jarsigner; however, javax-activation.jar can't be signed because of the following issue:

Signing module : NBMs/javax-activation.jar
jarsigner: unable to sign jar: java.util.zip.ZipException: duplicate entry: META-INF/LICENSE.txt
Error - cannot sign module NBMs/javax-activation.jar
Comment 5 pgebauer 2011-11-23 16:48:38 UTC
I have refreshed 71 certified AUC. The following jars are reported as untrusted even though they have been signed:

Mylyn Commons Soap
org.eclipse.mylyn.monitor.ui.dummy

The file javax.activation is reported as untrusted as well, but this report is correct because the file javax.activation cannot be signed (please see my comment #4).

Any ideas what to try next?
Comment 6 Jiri Rechtacek 2011-11-23 18:29:47 UTC
(In reply to comment #3)
> Jirko, please have a look at how JAR signatures are processed in AU client. Is
> it different from how NBM signatures are processed?

There is the same code in the AU client as in NB6.0, but the surroundings are changing. This problem has appeared since AU can install OSGi bundles. I found three places we have to change/fix:
1) AU client has to change evaluating certificates which come from Jar/NBM (my task, will be fixed tomorrow in trunk)
2) javax.activation has to avoid duplicate entries in the jar (Tomas Stupka's task)
3) need to sign all jars incl. javax.activation after the task above (Petr Gebauer's task)
Comment 7 Tomas Stupka 2011-11-24 14:47:04 UTC
> 2) javax.activation has to avoid duplicate entries in the jar (Tomas Stupka's
> task)
Caused by merging two jar files into one OSGi bundle. Had to take care that the license and notice files from both get a distinct name.
pushed to core-main #ec19d339118e
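
The duplicate-entry failure from comment 4 and the kind of fix described in comment 7, as an added example that is not part of the original thread or of the NetBeans code. The jar contents, the labels `jar1`/`jar2` and the renaming scheme are assumptions made for illustration; the check itself can be run on any jar before it is handed to jarsigner.

```python
import io
import warnings
import zipfile
from collections import Counter

def make_jar(entries):
    """Build a jar in memory from [(name, bytes)]; duplicate names are written as given."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as jar, warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # zipfile only warns on duplicate names
        for name, data in entries:
            jar.writestr(name, data)
    return out.getvalue()

def entries_of(jar_bytes):
    """Return [(name, data)] for every file entry, duplicates included."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return [(i.filename, jar.read(i)) for i in jar.infolist() if not i.is_dir()]

def duplicate_entries(jar_bytes):
    """Pre-signing check: entry names that occur more than once, sorted."""
    counts = Counter(name for name, _ in entries_of(jar_bytes))
    return sorted(n for n, c in counts.items() if c > 1)

def naive_merge(sources):
    """Concatenate all entries unchanged (reproduces the duplicate-entry condition)."""
    return make_jar([e for _label, jar in sources for e in entries_of(jar)])

def merge_distinct(sources):
    """Merge jars, giving colliding META-INF files a per-source name (assumed scheme)."""
    seen, merged = set(), []
    for label, jar in sources:
        for name, data in entries_of(jar):
            if name in seen and name.startswith("META-INF/"):
                head, _, tail = name.rpartition("/")
                name = f"{head}/{label}-{tail}"
            if name in seen:  # colliding classes/resources need a human decision
                raise ValueError(f"conflicting entry: {name}")
            seen.add(name)
            merged.append((name, data))
    return make_jar(merged)

# Constructed sample inputs standing in for the two jars merged into one bundle.
SOURCES = [
    ("jar1", make_jar([("META-INF/LICENSE.txt", b"license A"),
                       ("META-INF/NOTICE.txt", b"notice A"), ("a/A.class", b"\xca\xfe")])),
    ("jar2", make_jar([("META-INF/LICENSE.txt", b"license B"),
                       ("META-INF/NOTICE.txt", b"notice B"), ("b/B.class", b"\xca\xfe")])),
]

if __name__ == "__main__":
    print("naive merge duplicates:", duplicate_entries(naive_merge(SOURCES)))
    print("distinct merge duplicates:", duplicate_entries(merge_distinct(SOURCES)))
```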
Comment 8 Tomas Stupka 2011-11-24 15:22:21 UTC
(In reply to comment #7)
> > 2) javax.activation has to avoid duplicate entries in the jar (Tomas Stupka's
> > task)
integrated into release71 #bf24c1592459
Comment 9 Jiri Rechtacek 2011-11-24 16:52:38 UTC
Changes in AU client applied in trunk - http://hg.netbeans.org/core-main/rev/09c37ad5e7a2
Comment 10 Jiri Rechtacek 2011-11-24 17:07:14 UTC
fixed in release71: http://hg.netbeans.org/releases/rev/eb1b465e4e5c
Comment 11 Quality Engineering 2011-11-25 06:17:45 UTC
Integrated into 'releases'
Changeset: http://hg.netbeans.org/releases/rev/bf24c1592459
User: Tomas Stupka <tstupka@netbeans.org>
Log: issue #205476 - Signed, but untrusted modules (Jira dependencies) on Certified plugins UC
integrating #ec19d339118e from trunk
Comment 12 Jiri Rechtacek 2011-11-25 11:09:14 UTC
Verified in latest RC1 build. Tomas, could you confirm too?

  Product Version         = NetBeans IDE 7.1 RC1 (Build 201111242103) (#0845e53258a4)
  Operating System        = Linux version 3.0.0-13-generic running on amd64
  Java; VM; Vendor        = 1.6.0_20; Java HotSpot(TM) 64-Bit Server VM 16.3-b01; Sun Microsystems Inc.
  Runtime                 = Java(TM) SE Runtime Environment 1.6.0_20-b02
  Java Home               = /usr/local/share/java/jdk1.6.0_20/jre
  System Locale; Encoding = en (nb); UTF-8
Comment 13 Tomas Danek 2011-11-25 11:19:43 UTC
Yes, works fine for me now as well.


Product Version: NetBeans IDE 7.1 RC1 (Build 201111242103)
Java: 1.6.0_29; Java HotSpot(TM) 64-Bit Server VM 20.4-b02-402
System: Mac OS X version 10.7.2 running on x86_64; MacRoman; en_US (nb)
User directory: /Users/tomas/.netbeans/7.1rc1
Cache directory: /Users/tomas/.netbeans/7.1rc1/var/cache
Comment 14 Quality Engineering 2011-11-25 16:22:19 UTC
Integrated into 'main-golden'
Changeset: http://hg.netbeans.org/main-golden/rev/ec19d339118e
User: Tomas Stupka <tstupka@netbeans.org>
Log: issue #205476 - Signed, but untrusted modules (Jira dependencies) on Certified plugins UC
Comment 15 Quality Engineering 2011-11-27 17:00:29 UTC
Integrated into 'main-golden'
Changeset: http://hg.netbeans.org/main-golden/rev/09c37ad5e7a2
User: Jiri Rechtacek <jrechtacek@netbeans.org>
Log: #205476: Signed, but untrusted modules (Jira dependencies) on Certified plugins UC

