Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1061062 - Maven repo: several jars are signed
Summary: Maven repo: several jars are signed
Keywords:
Status: VERIFIED
Alias: None
Product: JBoss BRMS Platform 6
Classification: Retired
Component: Maven Repository
Version: 6.0.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ER5
: 6.2.0
Assignee: Petr Kočandrle
QA Contact: Marek Winkler
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-02-04 10:27 UTC by Petr Široký
Modified: 2019-01-01 02:57 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-13 08:48:53 UTC
Type: Bug


Attachments (Terms of Use)

Description Petr Široký 2014-02-04 10:27:18 UTC
Description of problem:
Several jars in the Maven repo are signed. I am not sure if it is a big problem, but IMO we should sign all the jars or none (e.g. remove the signing from third party jars).

See https://jenkins.mw.lab.eng.bos.redhat.com/hudson/job/brms-maven-repo-wolf-validator/lastCompletedBuild/testReport/(root)/JarSignedException/
for up-to-date list of signed jars.

Comment 2 Petr Kočandrle 2014-02-20 16:54:33 UTC
This should be fixed along with missing/wrong dependencies, because these artifacts were included by mistake because of a bug in our dependency grapher,

Comment 3 Petr Kočandrle 2014-03-28 23:19:40 UTC
Actually this one doesn't seem to be resolved completely by the fixed tool. Removing from 6.0.1 as we are not able to resolve this now.

Comment 5 Petr Široký 2014-12-09 00:24:33 UTC
Following files are signed (6.1.0.ER2):

bcel/bcel/5.2/bcel-5.2.jar 
com/ibm/icu/icu4j/3.4.5-redhat-1/icu4j-3.4.5-redhat-1.jar 
org/apache/ant/ant-junit/1.8.3-redhat-1/ant-junit-1.8.3-redhat-1-sources.jar 
org/apache/ant/ant-junit/1.8.3-redhat-1/ant-junit-1.8.3-redhat-1.jar 
org/apache/ant/ant-launcher/1.8.3-redhat-1/ant-launcher-1.8.3-redhat-1-sources.jar 
org/apache/ant/ant-launcher/1.8.3-redhat-1/ant-launcher-1.8.3-redhat-1.jar 
org/apache/ant/ant/1.8.3-redhat-1/ant-1.8.3-redhat-1-javadocs.jar 
org/apache/ant/ant/1.8.3-redhat-1/ant-1.8.3-redhat-1-sources.jar 
org/apache/ant/ant/1.8.3-redhat-1/ant-1.8.3-redhat-1.jar 
regexp/regexp/1.5/regexp-1.5.jar

Comment 6 Ryan Zhang 2015-01-13 08:48:53 UTC
I checked these jars. They are signed by MEAD import process years before.
There was a time that we would signed the jars when we import jars or build jar in MEAD. But after that we don't sign them any more.
So that  why  some jars are still signed.
We found that ant* 1.8.3-redhat-1 can remove since we only need 1.8.2.
There are still a few jar , bcel, icu4j, regexp which contains JBOSS signature.
I think this is very low priority issues and re-import them and change the GAV would be too much efforts for it.

Plus this will be fixed naturely along with https://bugzilla.redhat.com/show_bug.cgi?id=1061163. ie when we build all artifact from source.
So we prefer that WONTFIX for this issue

@Petr, Do you think we could close this issue?

(In reply to Petr Siroky from comment #5)
> Following files are signed (6.1.0.ER2):
> 
> bcel/bcel/5.2/bcel-5.2.jar 
> com/ibm/icu/icu4j/3.4.5-redhat-1/icu4j-3.4.5-redhat-1.jar 
> org/apache/ant/ant-junit/1.8.3-redhat-1/ant-junit-1.8.3-redhat-1-sources.jar 
> org/apache/ant/ant-junit/1.8.3-redhat-1/ant-junit-1.8.3-redhat-1.jar 
> org/apache/ant/ant-launcher/1.8.3-redhat-1/ant-launcher-1.8.3-redhat-1-
> sources.jar 
> org/apache/ant/ant-launcher/1.8.3-redhat-1/ant-launcher-1.8.3-redhat-1.jar 
> org/apache/ant/ant/1.8.3-redhat-1/ant-1.8.3-redhat-1-javadocs.jar 
> org/apache/ant/ant/1.8.3-redhat-1/ant-1.8.3-redhat-1-sources.jar 
> org/apache/ant/ant/1.8.3-redhat-1/ant-1.8.3-redhat-1.jar 
> regexp/regexp/1.5/regexp-1.5.jar

Comment 7 Petr Široký 2015-01-13 11:28:13 UTC
Ryan, according to project Wolf requirements (https://mojo.redhat.com/docs/DOC-187749) source jars must be provided for all runtime artifacts included in the repository. Fixing this naturally by https://bugzilla.redhat.com/show_bug.cgi?id=1061163 would definitely be great. However, I would prefer to leave this BZ open as we need to keep track of this issue.

Comment 8 Petr Široký 2015-01-13 11:34:34 UTC
Disregard the previous comment. I was mistakenly referring to -sources jars instead of signed jars.

In 6.1.0.ER3 repo, there are only three signed jars:
File bcel/bcel/5.2/bcel-5.2.jar is signed
File com/ibm/icu/icu4j/3.4.5-redhat-1/icu4j-3.4.5-redhat-1.jar is signed
File regexp/regexp/1.5/regexp-1.5.jar is signed

Fixing this naturally by https://bugzilla.redhat.com/show_bug.cgi?id=1061163 would definitely be great. However, I would prefer to leave this BZ open as we need to keep track of this particular issue.

Comment 9 Petr Kočandrle 2015-10-27 21:51:01 UTC
Last 2 artifacts were removed so the ER5 repo should be clean.

Comment 10 Marek Winkler 2015-11-27 12:22:45 UTC
Verified that the above mentioned artifacts are not present in BxMS 6.2.0 CR1 Maven repository. However, two of them have been moved to Integration Pack Maven repository, I have filed a separate issue [1] to keep track of it.

According to Wolf validator, there should be no signed artifacts in BxMS 6.2.0 CR1 Maven repository.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1286174


Note You need to log in before you can comment on or make changes to this bug.