[jira] [Commented] (ARIES-2124) Embedded jar file is corrupt

Thu, 05 Oct 2023 08:35:05 -0700 


    [ 
https://issues.apache.org/jira/browse/ARIES-2124?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17772260#comment-17772260
 ] 

Amichai Rothman commented on ARIES-2124:
----------------------------------------

I can confirm the temporary workaround of downgrading to JDK 11.0.19+7 or 
earlier, before the zip validation was introduced.

> Embedded jar file is corrupt
> ----------------------------
>
>                 Key: ARIES-2124
>                 URL: https://issues.apache.org/jira/browse/ARIES-2124
>             Project: Aries
>          Issue Type: Bug
>          Components: jax-rs-whiteboard
>    Affects Versions: jax-rs-whiteboard-2.0.2
>            Reporter: Amichai Rothman
>            Priority: Critical
>
> The aries-jax-rs-whiteboard karaf feature requires the bundle 
> mvn:org.apache.aries.spec/org.apache.aries.javax.jax.rs-api/1.0.1. This 
> bundle, in turn, contains an embedded jar and Bundle-ClassPath = 
> .,lib/geronimo-osgi-locator.jar.
> This embedded jar is corrupt:
> {quote}
> $ unzip -t lib/geronimo-osgi-locator.jar        
> Archive:  lib/geronimo-osgi-locator.jar 
>    testing: META-INF/                OK 
>    testing: META-INF/MANIFEST.MF    bad extra-field entry: 
>      EF block length (61373 bytes) exceeds remaining EF data (4 bytes)
> $jar tf lib/geronimo-osgi-locator.jar  
> java.util.zip.ZipException: Invalid CEN header (invalid zip64 extra data 
> field size) 
>        at java.base/java.util.zip.ZipFile$Source.zerror(ZipFile.java:1736)
> {quote}
> Even worse, other mechanisms that scan for resources within bundles balk at 
> this (with the same ZipException) when scanning this bundle even if they have 
> nothing to do with the jaxrs whiteboard. So this issue also breaks various 
> unrelated application components.
> Note that the ZipFile exception may be related to changes in the JDK 
> (11.0.20?) that added stricter validity checks on zip files, however even 
> after and additional fix in JDK-8313765, using 11.0.20.1, this still occurs - 
> presumably because the file is truly corrupt (as shown by the unzip/jar 
> tools). Also setting the system property 
> -Djdk.util.zip.disableZip64ExtraFieldValidation=true (as referenced in some 
> of the linked JDK issues) doesn't help in this case.
> btw I couldn't find where the source for org.apache.aries.javax.jax.rs-api 
> is, and maven central has a few newer releases up to 1.0.4, but all contain 
> the same embedded corrupt jar. Further, I'm not sure where the corrupt 
> geronimo-osgi-locator.jar came from. Maven central has a 
> geronimo-osgi-locator-1.0.jar and a geronimo-osgi-locator-1.1.jar, neither of 
> which are corrupt.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to