Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PGP signature incorrectly generated for feature if the ID & version also match a bundle #1261

Closed
Kummallinen opened this issue Aug 10, 2022 · 1 comment · Fixed by #1268
Closed

PGP signature incorrectly generated for feature if the ID & version also match a bundle #1261

Kummallinen opened this issue Aug 10, 2022 · 1 comment · Fixed by #1268
Milestone
3.0

Comments

@Kummallinen
Copy link
Contributor

When using tycho-gpg-plugin on a repository containing a feature with the same ID & version as a bundle, for example org.eclipse.rcp, a PGP signature for the bundle is attached to the feature. This results in the p2 repository being unusable as the signature check on the feature fails on installation.

Looks like the problematic code is here:

tycho/tycho-gpg-plugin/src/main/java/org/eclipse/tycho/gpg/SignRepositoryArtifactsMojo.java

Line 123 in d9efa1a

var file = new File(repository,

I guess it should be checking the artifact type attribute rather than just checking for the presence of a matching file in "plugins"

I've only been able to test with Tycho 2.7.1 due to bugs preventing me from using later versions, but the code is unchanged so I assume it still happens.
Kummallinen added a commit to Kummallinen/eclipse-tycho that referenced this issue Aug 10, 2022
@Kummallinen
Check artifact classifier before PGP signing eclipse-tycho#1261
cd4e800
Kummallinen added a commit to Kummallinen/eclipse-tycho that referenced this issue Aug 11, 2022
@Kummallinen
Bug eclipse-tycho#1261 Check artifact classifier before PGP signing
5fec4f9 
In some cases (e.g. org.eclipse.rcp) a bundle & feature can have the
same ID & version. To avoid generate an invalid sigurature in theses
cases check the artifact classifier before checking if  the jar exists
in plugins/

As Platform does check signatures on feature this could be enhanced
to correctly PGP sign features in future
Kummallinen added a commit to Kummallinen/eclipse-tycho that referenced this issue Aug 15, 2022
@Kummallinen
Bug eclipse-tycho#1261 Check artifact classifier before PGP signing
2d3db4b 
In some cases (e.g. org.eclipse.rcp) a bundle & feature can have the
same ID & version. To avoid generate an invalid sigurature in theses
cases check the artifact classifier before checking if  the jar exists
in plugins/

As Platform does check signatures on feature this could be enhanced
to correctly PGP sign features in future
Kummallinen added a commit to Kummallinen/eclipse-tycho that referenced this issue Aug 16, 2022
@Kummallinen
Example to reproduce eclipse-tycho#1261
2bb18ff
@Kummallinen Kummallinen mentioned this issue Aug 16, 2022
Closed
Kummallinen added a commit to Kummallinen/eclipse-tycho that referenced this issue Aug 22, 2022
@Kummallinen
Bug eclipse-tycho#1261 Check artifact classifier before PGP signing
ee59ee6 
In some cases (e.g. org.eclipse.rcp) a bundle & feature can have the
same ID & version. To avoid generate an invalid sigurature in theses
cases check the artifact classifier before checking if  the jar exists
in plugins/

As Platform does check signatures on feature this could be enhanced
to correctly PGP sign features in future
mickaelistria pushed a commit that referenced this issue Aug 22, 2022
@Kummallinen @mickaelistria
Bug #1261 Check artifact classifier before PGP signing
fa1d78d 
In some cases (e.g. org.eclipse.rcp) a bundle & feature can have the
same ID & version. To avoid generate an invalid sigurature in theses
cases check the artifact classifier before checking if  the jar exists
in plugins/

As Platform does check signatures on feature this could be enhanced
to correctly PGP sign features in future
@mickaelistria mickaelistria linked a pull request Aug 22, 2022 that will close this issue
Bug #1261 Check artifact classifier before PGP signing #1268
Merged
@mickaelistria mickaelistria added this to the 3.0 milestone Aug 22, 2022
@mickaelistria
Copy link
Contributor

Thanks @Kummallinen !

laeubi pushed a commit to Kummallinen/eclipse-tycho that referenced this issue May 18, 2023
@Kummallinen @laeubi
Example to reproduce eclipse-tycho#1261
9088438
laeubi pushed a commit to Kummallinen/eclipse-tycho that referenced this issue Jan 23, 2024
@Kummallinen @laeubi
Example to reproduce eclipse-tycho#1261
4976111
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
3.0
Development

Successfully merging a pull request may close this issue.

Bug #1261 Check artifact classifier before PGP signing Kummallinen/eclipse-tycho
2 participants
@mickaelistria @Kummallinen