Bug 780312 (SOA-2718)

Summary: Broken signatures for Modeshape client
Product: [JBoss] JBoss Enterprise SOA Platform 5
Reporter: Martin Vecera <mvecera>
Component: Build Process, Security
Assignee: Van Halbert <vhalbert>
Status: CLOSED NEXTRELEASE
QA Contact:
Severity: urgent
Docs Contact:
Priority: urgent
Version: 5.1.0.ER6
CC: atangrin, jcoleman
Target Milestone: ---   
Target Release: 5.1.0.ER7   
Hardware: Unspecified   
OS: Unspecified   
URL: http://jira.jboss.org/jira/browse/SOA-2718
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-02-07 17:27:37 UTC Type: Bug
Bug Depends On: 780417    
Bug Blocks:    

Description Martin Vecera 2010-12-22 14:43:18 UTC
project_key: SOA

Verifying file: /jbosssoa/eds/modeshape/client/modeshape-client.jar
[ERROR] jar is unsigned. (signatures missing or not parsable)

https://hudson.qa.jboss.com/hudson/view/SOA-Release/job/soa-signatures/23/bits.type=EMBEDDED,jdk=java16_default,label=RHEL_any/artifact/report.txt

Comment 1 Julian Coleman 2010-12-22 15:06:58 UTC
The signing process for modeshape-client.jar fails with:

  /usr/bin/rpm-sign --jarsign --key="jbosscodesign2009" "./eds/modeshape/client/modeshape-client.jar"
  Error code: 500
  Error message:  jarsigner failed jarsigner: unable to sign jar: java.util.zip.ZipException: duplicate entry: META-INF/DEPENDENCIES

The duplicate entries in the jar are almost certainly caused because maven's "jar-with-dependencies"
plugin is used to build it and multiple (different) versions of some files are being included.

Running:

  unzip -l modeshape-client.jar | awk '{print $NF}' | sort | uniq -c | awk '$1 > 1'

shows:

      2 META-INF/DEPENDENCIES
      5 META-INF/LICENSE
      4 META-INF/NOTICE
      3 META-INF/services/javax.ws.rs.ext.Providers

and the files are different:

      996  08-11-09 20:51   META-INF/DEPENDENCIES
      258  06-21-09 13:08   META-INF/DEPENDENCIES

    11358  08-11-09 20:51   META-INF/LICENSE
    11358  06-21-09 13:08   META-INF/LICENSE
    10766  04-20-09 18:50   META-INF/LICENSE
    11358  11-19-07 00:16   META-INF/LICENSE
    11366  03-30-10 23:14   META-INF/LICENSE

      163  08-11-09 20:51   META-INF/NOTICE
      161  06-21-09 13:08   META-INF/NOTICE
      541  11-19-07 00:16   META-INF/NOTICE
      160  03-30-10 23:14   META-INF/NOTICE

      966  11-23-09 09:38   META-INF/services/javax.ws.rs.ext.Providers
      436  11-23-09 09:39   META-INF/services/javax.ws.rs.ext.Providers
      202  11-23-09 09:39   META-INF/services/javax.ws.rs.ext.Providers
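
The duplicate-entry check from Comment 1 as a pre-signing gate, written here as an added example (not code from the bug report or the ModeShape build): it lists every name stored more than once in a jar and uses size and CRC-32 to tell whether the copies differ. The sample jar is constructed in memory and the function names are hypothetical.

```python
import io
import warnings
import zipfile
from collections import defaultdict


def duplicate_entries(jar):
    """Map each entry name stored more than once to its [(size, crc32), ...] copies."""
    seen = defaultdict(list)
    with zipfile.ZipFile(jar) as zf:
        # infolist() keeps every central-directory record, including repeated names;
        # namelist()/getinfo() lookups would hide all but the last copy.
        for info in zf.infolist():
            seen[info.filename].append((info.file_size, info.CRC))
    return {name: copies for name, copies in seen.items() if len(copies) > 1}


def report(dups):
    """One line per duplicated name, flagging whether the copies actually differ."""
    lines = []
    for name, copies in sorted(dups.items()):
        kind = "identical" if len(set(copies)) == 1 else "DIFFERENT content"
        lines.append(f"{len(copies):3d} {name} ({kind})")
    return lines


def build_sample_jar():
    """Constructed sample: a merged jar with repeated META-INF entries (not the real artifact)."""
    buf = io.BytesIO()
    entries = [
        ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
        ("META-INF/DEPENDENCIES", b"deps from library A\n"),
        ("META-INF/DEPENDENCIES", b"deps from library B, longer\n"),
        ("META-INF/LICENSE", b"license text\n"),
        ("META-INF/LICENSE", b"license text\n"),
    ]
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf


if __name__ == "__main__":
    found = duplicate_entries(build_sample_jar())
    print("\n".join(report(found)) or "no duplicate entries")
    raise SystemExit(1 if found else 0)  # non-zero exit fails the build before signing
```

Passing a jar path instead of the sample buffer to `duplicate_entries` runs the same check on a real artifact.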


Comment 2 Julian Coleman 2010-12-22 15:07:38 UTC
Link: Added: This issue is related to SOA-2359


Comment 3 Julian Coleman 2010-12-22 15:09:15 UTC
Link: Added: This issue depends JBDS-1312


Comment 4 Anne-Louise Tangring 2011-01-03 20:07:11 UTC
Please set affects version. Thanks.

Comment 5 Dana Mison 2011-01-05 00:14:43 UTC
Writer: Added: dlesage


Comment 6 Van Halbert 2011-01-09 20:06:21 UTC
Changes have been committed to the 2.2.x modeshape product branch. The changes will rename the duplicate files for NOTICES, LICENSE, and DEPENDENCIES to append the name of the jar it came from (i.e., LICENSE_httpcore.txt). Also, the 3 javax.ws.rs.ext.Providers duplicate properties files will be appended to create a single properties file.

If I can get the locally SOA-built modeshape-client.jar (at http://mm18-5.mm.atl2.redhat.com/stlshare/van/modeshape-client.jar) signed to verify it succeeds, it would be appreciated.

Comment 8 Martin Vecera 2011-01-27 14:16:39 UTC
Link: Added: This issue depends SOA-2848


Comment 9 David Le Sage 2011-02-04 05:06:00 UTC
Release Notes Docs Status: Added: Not Required


Comment 10 Len DiMaggio 2011-02-07 17:27:37 UTC
Verified fixed in ER9 build.