java.lang.SecurityException: class "org.eclipse.jdt.internal.compiler.lookup.LocalVariableBinding"'s signer information does not match signer information of other classes in the same package #148

Closed
cdietrich opened this issue Jun 17, 2022 · 23 comments


@cdietrich

cdietrich commented Jun 17, 2022

the following main

package demo;

import org.eclipse.jdt.internal.compiler.lookup.AnnotationBinding;
import org.eclipse.jdt.internal.compiler.lookup.AptSourceLocalVariableBinding;

public class Demo {
	public static void main(String[] args) {
		System.out.println(AptSourceLocalVariableBinding.class);
		System.out.println(AnnotationBinding.class);
		System.out.println("done");
	}
}

does fail using jdt 2022-06 maven artifacts

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
	<modelVersion>4.0.0</modelVersion>

	<properties>
		<maven.compiler.source>11</maven.compiler.source>
		<maven.compiler.target>11</maven.compiler.target>
	</properties>

	<groupId>demo</groupId>
	<artifactId>demo</artifactId>
	<version>1.0.0-SNAPSHOT</version>

	<dependencies>
		<dependency>
			<groupId>org.eclipse.jdt</groupId>
			<artifactId>org.eclipse.jdt.compiler.apt</artifactId>
			<version>1.4.100</version>
		</dependency>
		<dependency>
			<groupId>org.eclipse.jdt</groupId>
			<artifactId>org.eclipse.jdt.compiler.tool</artifactId>
			<version>1.3.150</version>
		</dependency>
		<dependency>
			<groupId>org.eclipse.jdt</groupId>
			<artifactId>org.eclipse.jdt.core</artifactId>
			<version>3.30.0</version>
		</dependency>
	</dependencies>
</project>

Exception in thread "main" java.lang.SecurityException: class "org.eclipse.jdt.internal.compiler.lookup.LocalVariableBinding"'s signer information does not match signer information of other classes in the same package
	at java.base/java.lang.ClassLoader.checkCerts(ClassLoader.java:1158)
	at java.base/java.lang.ClassLoader.preDefineClass(ClassLoader.java:902)
	at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1010)
	at java.base/java.security.SecureClassLoader.defineClass(SecureClassLoader.java:150)
	at java.base/jdk.internal.loader.BuiltinClassLoader.defineClass(BuiltinClassLoader.java:862)
	at java.base/jdk.internal.loader.BuiltinClassLoader.findClassOnClassPathOrNull(BuiltinClassLoader.java:760)
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClassOrNull(BuiltinClassLoader.java:681)
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:639)
	at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:520)
	at java.base/java.lang.ClassLoader.defineClass1(Native Method)
	at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1012)
	at java.base/java.security.SecureClassLoader.defineClass(SecureClassLoader.java:150)
	at java.base/jdk.internal.loader.BuiltinClassLoader.defineClass(BuiltinClassLoader.java:862)
	at java.base/jdk.internal.loader.BuiltinClassLoader.findClassOnClassPathOrNull(BuiltinClassLoader.java:760)
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClassOrNull(BuiltinClassLoader.java:681)
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:639)
	at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:520)
	at demo.Demo.main(Demo.java:8)

mvn versions:display-dependency-updates
...
[INFO] artifact org.eclipse.jdt:org.eclipse.jdt.compiler.apt: checking for updates from central
[INFO] artifact org.eclipse.jdt:org.eclipse.jdt.compiler.tool: checking for updates from central
[INFO] artifact org.eclipse.jdt:org.eclipse.jdt.core: checking for updates from central
[INFO] No dependencies in Dependencies have newer versions.

all three artifacts seem to have been published together on june 14th

@sravanlakkimsetti
Member

I tried using the attached project, but did not encounter any problems.
test.tar.gz

@cdietrich
Author

cdietrich commented Jun 17, 2022

@sravanlakkimsetti did you run the java main? (from eclipse)

@sravanlakkimsetti
Member

I used Maven to build the attached project; it got built successfully.

@cdietrich
Author

cdietrich commented Jun 17, 2022

@sravanlakkimsetti the problem is not the build. it is running the class. (run as java application from eclipse)

@sravanlakkimsetti
Member

sravanlakkimsetti commented Jun 17, 2022

Ok, I can reproduce the problem. Here is what happened:
org.eclipse.jdt.compiler.apt and org.eclipse.jdt.compiler.tool are signed with a different certificate than org.eclipse.jdt.core.

Our signing certificate expired on May 19. We started using the renewed certificate from then onwards.
During our build we retain older jars (the comparator does this). In this case org.eclipse.jdt.compiler.apt and org.eclipse.jdt.compiler.tool were last built on March 18th and signed with a different certificate than org.eclipse.jdt.core, which was built on May 24th and signed with the renewed certificate.

Actually no idea on how to fix this one.
@jarthana any ideas?

@cdietrich
Author

cdietrich commented Jun 17, 2022

[
[
  Version: V3
  Subject: EMAILADDRESS=webmaster@eclipse.org, CN="Eclipse.org Foundation, Inc.", OU=IT, O="Eclipse.org Foundation, Inc.", L=Ottawa, ST=Ontario, C=CA
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 4096 bits
  params: null
  modulus: 954332459427604859908066013305941232434748978233612432433228037886612282960911605851106361825549001099914449988457069670065183729044599397093185115974761065164585931124557852788141724195840875942223022751993241142567837998613655549466121764138070718918984392029557861697088410963181700265098737705981623170121178282302508241883444135707425058342774926806923534708536733898591603769269339370358658197977242113488092662734722997238497728059212953970489454245496756272250111191805490124508400119666049250944779328265233568399589151198698191739259407449062146244508571640292659598748125200150924929502785944811768167845074014451501026736310769343977354356152427805313628079229258892676283752508831526605389118218726949832488584697733721446645067035420967715456601265798074224149612192903669570967550589428767929516275056010214327048900427064420364725664347046339327988197087939343144178964302518134209054448352249863335099499363892402137337693317819262941031954501447349848816436470436668119659468974074574195658686342741633210289361698256822881664395128608989356267150144457585381458340251487538264722571783042108318448607875216538236101308440037673018460541621224434312821477046744017292292003142516971665157749210778530529205014448351
  public exponent: 65537
  Validity: [From: Mon May 02 02:00:00 CEST 2022,
               To: Wed May 22 01:59:59 CEST 2024]
[
[
  Version: V3
  Subject: EMAILADDRESS=webmaster@eclipse.org, CN="Eclipse.org Foundation, Inc.", OU=IT, O="Eclipse.org Foundation, Inc.", L=Ottawa, ST=Ontario, C=CA
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  params: null
  modulus: 16418518633562931683156237340538233744019921193750552135132647267882320806121906433205765075160281354156590964131054037199887143553090914783059154934254388183101861810338874365216678970624327051792332767891417662240821439594471630053452675065894654153684206654221120381749976476662604256987223046140413061223226266056166055002059514395986949248799513620415747967165337071169245203151271460986190555408474665025368315575864430130200589889371206592289592700459657871839939588636299600044413896646985289264551358366093659438040699198927510171497306479596174716309548061820124471932411434030850062201845694812584657604847
  public exponent: 65537
  Validity: [From: Tue Mar 16 01:00:00 CET 2021,
               To: Thu May 19 01:59:59 CEST 2022]
  Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  SerialNumber: [    034a4475 70d97098 2409ebb3 da98b69d]

Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [

yes this looks like a bad timing with the expiry

@cdietrich
Author

does the comparator skip the rsa file&sf files?

@sravanlakkimsetti
Member

> does the comparator skip the rsa file&sf files?

They are skipped during the comparator check. Since the jar is signed during the build, the comparator thinks there is a problem in the newly built jar because of differences in the RSA and SF files.

@cdietrich
Author

so we would need a way to extract the cert list (using jarsigner verify or the like) and compare them instead
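
The check proposed in the comment above, sketched as an added example (not code from JDT or the releng build): it takes the jars that are published together, reads every class entry so the JDK verifies it, and reports any package whose classes carry different signer certificate paths across jars, which is the condition `ClassLoader.checkCerts` rejects in the stack trace. The class name `SignerCheck` and the exit-code convention are assumptions, and comparing encoded certificate paths approximates the JVM's own comparison.

```java
import java.io.InputStream;
import java.math.BigInteger;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Added example (hypothetical tool): java SignerCheck a.jar b.jar c.jar */
public class SignerCheck {
    public static void main(String[] jars) throws Exception {
        // package -> (signer fingerprints -> jars supplying that package with those signers)
        Map<String, Map<String, Set<String>>> byPackage = new TreeMap<>();
        for (String path : jars) {
            try (JarFile jar = new JarFile(path, true)) {        // true = verify signatures
                for (JarEntry e : Collections.list(jar.entries())) {
                    if (!e.getName().endsWith(".class")) continue;
                    try (InputStream in = jar.getInputStream(e)) {
                        in.readAllBytes();                        // signers are known only after a full read
                    }
                    int slash = e.getName().lastIndexOf('/');
                    String pkg = slash < 0 ? "" : e.getName().substring(0, slash).replace('/', '.');
                    byPackage.computeIfAbsent(pkg, k -> new TreeMap<>())
                             .computeIfAbsent(fingerprints(e.getCodeSigners()), k -> new TreeSet<>())
                             .add(path);
                }
            }
        }
        boolean conflict = false;
        for (var p : byPackage.entrySet()) {
            if (p.getValue().size() > 1) {                        // one package, several signer sets
                conflict = true;
                System.out.println("CONFLICT " + p.getKey());
                p.getValue().forEach((fp, from) -> System.out.println("  " + fp + " <- " + from));
            }
        }
        System.exit(conflict ? 1 : 0);                            // non-zero fails a release pipeline step
    }

    /** Sorted SHA-256 digests of each signer's encoded certificate path; "unsigned" if none. */
    static String fingerprints(CodeSigner[] signers) throws Exception {
        if (signers == null) return "unsigned";
        Set<String> out = new TreeSet<>();
        for (CodeSigner s : signers) {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(s.getSignerCertPath().getEncoded());
            out.add(new BigInteger(1, digest).toString(16));
        }
        return String.join(",", out);
    }
}
```

Run against the three jars from the POM above, a split package such as `org.eclipse.jdt.internal.compiler.lookup` would be listed once per distinct signer, with the jars that supply it.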

@iloveeclipse
Member

> Actually no idea on how to fix this one.

There is no other fix than to redeploy the three JDT core jars signed by the same signer with a bumped version, from the 4.24 maintenance branch.

Whoever consumes any two of the JDT jars together via Maven will fail at runtime sooner or later, once the JVM tries to load classes from the same package but from differently signed jars.

@cdietrich : is this affecting Xtext build/test itself, or you "just" saw it in some other project?

@cdietrich
Author

@iloveeclipse no current Xtext uses old platform cause of Java 8 support, but the Java 17 as source and target branch is affected. Xtend uses jdt compiler under the hood for Java xtend interop

I found the problem in our Xtext-maven-plugin integ tests

@cdietrich
Author

any update here

@laeubi
Contributor

laeubi commented Jul 7, 2022

Also relates to #181: if JDT were using the compiler as a plugin, we might have noticed this earlier...

@laeubi
Contributor

laeubi commented Jul 7, 2022

@cdietrich if xtext pulls in JDT, it might work to exclude the org.eclipse.jdt.compiler.tool if xtext pulls in tycho...

@cdietrich
Author

cdietrich commented Jul 7, 2022

we don't know if xtext-maven-plugin runs in a tycho env or not, and the problem also happens in pure maven envs

@laeubi
Contributor

laeubi commented Jul 7, 2022

@sravanlakkimsetti would it be possible to deploy an updated version of the org.eclipse.jdt.compiler.apt and org.eclipse.jdt.compiler.tool with an updated signature?

@ivy-cst

ivy-cst commented Jul 19, 2022

We have the same problem. We cannot upgrade the target platform to Eclipse 2022-06 in our RCP product.
JUnit Plugin-Tests are running, but all plain JUnit tests are failing.

@LorenzoBettini

I (actually, I guess "we") would like to know if on 2022-09 this signing problem will be fixed, please

@cdietrich
Author

i assume this one will never be fixed right?
eclipse-platform/eclipse.platform.releng.aggregator#548

@iloveeclipse
Member

> i assume this one will never be fixed right?
> eclipse-platform/eclipse.platform.releng.aggregator#548

Do you mean, 4.25 has same problem again? Could you please provide more details?

@cdietrich
Author

no, i mean there will be no 2.24 fixes

@iloveeclipse
Member

> no, i mean there will be no 2.24 fixes

Sure, for both 2.24 and 4.24 :)

@cdietrich
Author

so i guess this can be closed as wontfix, please update to 2022-09
