Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

make jar-signer webservice return the same result for the same artifact #53

Closed
laeubi opened this issue Aug 14, 2021 · 3 comments
Closed

make jar-signer webservice return the same result for the same artifact #53

laeubi opened this issue Aug 14, 2021 · 3 comments

Comments

@laeubi
Copy link
Contributor

laeubi commented Aug 14, 2021
edited

This is related to https://www.eclipse.org/lists/eclipse-ide-wg/msg00081.html and to some discussions with @mickaelistria and @akurtakov in the past.

One problem with signing the artifacts "later" (e.g. before publishing the update-site) is that there is a risk that someone else also signing this artifact resulting in two files with same content but different hash-sums so (as far as I understand) P2 assumes they are different artifacts and probably install both of them that could lead to undesired states.

One thing I can think of is, that jar-signer could cache (e.g. for 3 months) a signed artifact and if the same artifact (in respect to file-name + sha512) is requested to be signed simply returns the cached artifact.

That way it is possible to get always the same artifact regardless of how often it is signed in the relevant time-frame of sim-rel.

I think it would be valid to maybe explicitly enable this feature instead of having it on by default if there are concerns that generally caching all artifacts for such a long time might be a storage-issue, or maybe exclude some by a prefix (e.g. a project could disable caching for all artifacts starting with the projects own name prefix).
This was referenced Aug 14, 2021
Closed
Closed
@mbarbero
Copy link
Member

One thing I can think of is, that jar-signer could cache (e.g. for 3 months) a signed artifact and if the same artifact (in respect to file-name + sha512) is requested to be signed simply returns the cached artifact.

This only works when the exact same jars (i.e., binary identical ones) are asked to be signed twice, which almost never happen. Most of the time, jarsigner is called as part of the build process, and without some very precise (and very rarely used) configuration allowing reproducible builds, 2 consecutive run of mvn clean package always lead to 2 different jars.

We don't have the cycles to implement support for the edge case you are describing.

For now I'm closing this issue. Feel free to reopen if you are planning to submit PR to support your use case, in which case we will provide reviews and assistance.

@laeubi
Copy link
Contributor Author

laeubi commented Aug 16, 2021

This only works when the exact same jars (i.e., binary identical ones) are asked to be signed twice

That's exactly what this should be about signing the exact same artifact (e.g. downloaded from maven-central). btw: I can't reopen this as a non-commiter of the project...

@mbarbero
Copy link
Member

This only works when the exact same jars (i.e., binary identical ones) are asked to be signed twice

That's exactly what this should be about signing the exact same artifact (e.g. downloaded from maven-central). btw: I can't reopen this as a non-commiter of the project...

Gotcha. My point was that this is a pretty rare use case.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mbarbero @laeubi