Joakim,
Indeed, no one should have signed these particular jars (nor any jars
available from Maven central as OSGi bundles for that matter). You
should note that it's not ancient p2 that signs the jars, but rather
it's modern Tycho which does that (though only when configured to do
that). Ancient p2 is also quite happy with modern pgp-signatures as
well as, or instead of, jar-signatures. Also note that the millions of
people installing any Eclipse IDE/RCP application will install from a p2
repository and they will most often need to install Jetty because that's
how the RCP help system is implemented. Therefore Jetty will end up in
p2 repositories, though obviously and preferably exactly byte-for-byte
the same artifact as the Jetty project published to Maven central.
You might consider toning down your personal disdain for "ancient" p2.
Regards,
Ed
On 28.08.2023 13:27, Joakim Erdfelt via cross-project-issues-dev wrote:
Since I'm the one that built Eclipse Jetty 10.0.15, let's see what's
going on ...
First, the official release of 10.0.15 ...
The official release does not live on a P2 repository anywhere on
download.eclipse.org
The official release exists as a maven (tycho) p2 artifact on maven
central.
The official release of the jetty-jndi 10.0.15 artifact has the
following verification ...
md5: 785f479c6433717bee8e9bb94df56c11
sha1: 7825525aae7c7e11e7cef57672e43e5e4d727856
sha256: c01a1d2ea0ebac1565f4c8e92d1b5151daf14ac09502efd52f5536a59245cb16
The suspect org.eclipse.jetty.jndi_10.0.15.jar artifact found at
https://download.eclipse.org/staging/2023-09/plugins/
has the following verification (which doesn't match the official
release) ...
md5: 8f2d6b1e2acef3285e3a12f62042890c
sha1: 488a1601bae6f4d0357e6a4b4174e1dcfca068af
sha256: 623f2009671f0138495fd659622fd78e3153671a50a1c280aeb2410e9365b455
Digging into the contents of the suspect
org.eclipse.jetty.jndi_10.0.15.jar artifact I can see that it's been
modified.
It appears that the META-INF/MANIFEST.MF has been modified, now every
class has a SHA-256-Digest entry.
There are also new META-INF/ECLIPSE_.SF and META-INF/ECLIPSE_.RSA
entries in the jar file (likely JAR signatures).
The binary comparison of the contents of the official jar vs the
eclipse jar shows that only the 3 files mentioned above are different.
META-INF/MANIFEST.MF
META-INF/ECLIPSE_.SF
META-INF/ECLIPSE_.RSA
The rest of the files are identical to the official jetty-jndi 10.0.15
artifact.
I don't understand why Jetty is present anywhere on
download.eclipse.org in this molested form; the tycho-p2 information
present on maven central for Eclipse Jetty contains all of the
validation, verification (3 kinds), and signatures (2 kinds) to satisfy
P2 without modifying the original artifacts. The Jetty Tycho P2 maven
repository is how the Eclipse Jetty artifacts are meant to be consumed,
not via these transient ancient Eclipse P2 repositories.
The Jetty Tycho P2 information on Maven Central ->
https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-p2/11.0.15/
Now, back to your error ...
12:05:07 [ERROR] Problems downloading artifact:
osgi.bundle,org.eclipse.jetty.jndi,10.0.15.:
12:05:07 [ERROR] MD5 hash is not as expected. Expected:
785f479c6433717bee8e9bb94df56c11 and found
8f2d6b1e2acef3285e3a12f62042890c.
The "Expected" hash value in your error is the official artifact md5
hash value, the "found" hash value in your error is the md5 hash value
for the download.eclipse.org artifact.
Of special note ...
Over the past couple of years the Eclipse Jetty project has learned of
several projects that provide Supply Chain Auditing for anyone that is
concerned about that.
Every official release of Eclipse Jetty gets updated in these various
databases.
The process that these Ancient Eclipse P2 Repositories use, where we
modify various official artifacts with JAR signatures on every
transient build of these P2 repositories, is the reason the ancient
Eclipse P2 technique artifacts will never be recognized by any of
those supply chain databases as the official release of those artifacts.
Releasing the same artifacts as official releases at a later date,
using these ancient Eclipse P2 techniques, is just inviting failed
audits (and this isn't limited to Eclipse Jetty, it also includes any
3rd party jar/lib that is modified by this ancient Eclipse P2 technique).
- Joakim
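As an added example (not code from this thread, nor from the Jetty, Tycho or p2 projects), the check below reproduces the two comparisons Joakim describes: hashing a jar against the checksum p2 expects, and listing which zip entries differ between the Maven Central artifact and the re-signed p2 copy. Both jars are constructed in memory with made-up class bytes, manifest text and signature placeholders, so only the structure of the difference is real.

```python
import base64
import hashlib
import io
import zipfile

# Constructed stand-ins for the two jars in the thread. Class bytes,
# manifest text and the .SF/.RSA contents are placeholders.
_CLASSES = {
    "org/eclipse/jetty/jndi/ContextFactory.class": b"\xca\xfe\xba\xbe-ctx",
    "org/eclipse/jetty/jndi/NamingContext.class": b"\xca\xfe\xba\xbe-nc",
}
_MANIFEST = b"Manifest-Version: 1.0\r\nBundle-SymbolicName: org.eclipse.jetty.jndi\r\n"


def build_jar(entries: dict) -> bytes:
    """Return jar (zip) bytes containing the given {path: content} entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def official_jar() -> bytes:
    """Unsigned jar as it would be published to Maven Central."""
    return build_jar({"META-INF/MANIFEST.MF": _MANIFEST, **_CLASSES})


def resigned_jar() -> bytes:
    """Same classes, but JAR-signed: per-entry digests appended to the
    manifest plus a signature file and signature block (placeholders)."""
    manifest = _MANIFEST
    for name, data in _CLASSES.items():
        d = base64.b64encode(hashlib.sha256(data).digest()).decode()
        manifest += f"\r\nName: {name}\r\nSHA-256-Digest: {d}\r\n".encode()
    return build_jar({"META-INF/MANIFEST.MF": manifest,
                      "META-INF/ECLIPSE_.SF": b"Signature-Version: 1.0\r\n",
                      "META-INF/ECLIPSE_.RSA": b"placeholder-pkcs7-block",
                      **_CLASSES})


def digests(jar: bytes) -> dict:
    """md5/sha1/sha256 hex digests of the whole file, as p2 compares them."""
    return {a: hashlib.new(a, jar).hexdigest() for a in ("md5", "sha1", "sha256")}


def jar_diff(jar_a: bytes, jar_b: bytes) -> set:
    """Names of entries added, removed, or whose content differs."""
    def contents(blob):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return {i.filename: zf.read(i.filename) for i in zf.infolist()}
    a, b = contents(jar_a), contents(jar_b)
    return {n for n in a.keys() | b.keys() if a.get(n) != b.get(n)}
```

Run `jar_diff(official_jar(), resigned_jar())` to see that exactly the manifest and the two signature entries differ, which is the pattern Joakim found in the staging repository copy.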
On Mon, Aug 28, 2023 at 5:12 AM Ondrej Dockal via
cross-project-issues-dev <cross-project-issues-dev@eclipse.org> wrote:
Hey folks,
in RedDeer build [1] we are facing an issue when running the tests
with a checksum for org.eclipse.jetty.jndi.
Error message:
12:05:07 [INFO] Fetching org.eclipse.jetty.util_10.0.15.jar
from https://download.eclipse.org/staging/2023-09/plugins/ (557.33kB)
12:05:07 [INFO] Fetching org.eclipse.jetty.jndi_10.0.15.jar
from https://download.eclipse.org/staging/2023-09/plugins/ (56.39kB)
12:05:07 [ERROR] An error occurred while transferring artifact
canonical: osgi.bundle,org.eclipse.jetty.jndi,10.0.15 from
repository https://download.eclipse.org/staging/2023-09:
12:05:07 [ERROR] Problems downloading artifact:
osgi.bundle,org.eclipse.jetty.jndi,10.0.15.:
12:05:07 [ERROR] MD5 hash is not as expected. Expected:
785f479c6433717bee8e9bb94df56c11 and found
8f2d6b1e2acef3285e3a12f62042890c.
Any hints?
Regards,
Ondrej
[1]:
https://ci.eclipse.org/reddeer/job/reddeer.verification.parametrized/136/console
--
Ondrej Dockal
Senior Software Quality Engineer, Developer QE
Red Hat Czech, s.r.o. <https://www.redhat.com/>
Purkyňova 111
Brno 612 00, Czech Republic
odoc...@redhat.com
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev