Since the update from 1:11.0.8.10-1.fc33 to 1:11.0.9.1-0.1.ea.fc33, running jarsigner in a unit test in ant fails. Excerpt from junit test output from ant builds on rawhide / f33:
    [junit] Testcase: testSignedJar(org.apache.tools.ant.AntClassLoaderTest): Caused an ERROR
    [junit] jarsigner returned: 1
    [junit] /builddir/build/BUILD/apache-ant-1.10.8/src/etc/testcases/core/antclassloader.xml:70: jarsigner returned: 1
    [junit]
    [junit] TEST org.apache.tools.ant.AntClassLoaderTest FAILED
    [junit] Testsuite: org.apache.tools.ant.CaseTest
    [junit] Tests run: 2, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.059 sec
I have no idea why the jarsigner command might suddenly start to fail on such a minor update ... the only hint from a previous successful build might be this warning for the same test case:
    [junit] WARNING: multiple versions of ant detected in path for junit
    [junit] file:/builddir/build/BUILD/apache-ant-1.10.8/build/classes/org/apache/tools/ant/Project.class
    [junit] and jar:file:/usr/share/java/ant/ant.jar!/org/apache/tools/ant/Project.class
    [junit] Testsuite: org.apache.tools.ant.AntClassLoaderTest
    [junit] Tests run: 10, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 2.815 sec
Fabio, do you have a reference to the failing test? These builds seem to be fine (as before; with 11.0.9+1): https://koji.fedoraproject.org/koji/buildinfo?buildID=1598746 https://koji.fedoraproject.org/koji/buildinfo?buildID=1598740
Those builds were submitted with a workaround for this bug. https://src.fedoraproject.org/rpms/ant/c/6fecb9b15a7080adca0128e29cd91058f6f0880f?branch=master
OK. Thanks.
This is being caused by JDK-8233228 which is in JDK 11.0.9+1 and better. Commenting out the jdk.disabled.namedCurves property in java.security "fixes" the test.
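Added example, not part of the original comments and not code from the JDK or the Fedora packaging: a POSIX shell check that reports whether `jdk.disabled.namedCurves` is still set in a java.security-format file and which `*.disabledAlgorithms` properties reference it through `include`, so a workaround like the one above that was left in place can be spotted. The function names and the abbreviated sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a java.security-style file for the workaround above.

# Print logical property lines: skip comments/blanks, join "\" continuations.
logical_props() {
    awk '
        !cont && /^[ \t]*([#!]|$)/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line ~ /\\$/) { sub(/\\$/, "", line); buf = buf line; cont = 1; next }
            print buf line; buf = ""; cont = 0
        }' "$1"
}

# "active" if jdk.disabled.namedCurves is set (not commented out), else "missing".
named_curves_status() {
    if logical_props "$1" | grep -Eq '^jdk\.disabled\.namedCurves[[:space:]]*[=:]'
    then echo active; else echo missing; fi
}

# Names of the properties that pull the curve list in with "include".
including_props() {
    logical_props "$1" | awk '/include[ \t]+jdk\.disabled\.namedCurves/ {
        sub(/[ \t]*[=:].*/, ""); print }'
}

# One-line verdict for a file.
audit() {
    users=$(including_props "$1" | tr '\n' ' '); users=${users% }
    if [ "$(named_curves_status "$1")" = active ]; then
        echo "ok: curve list active, used by: $users"
    else
        echo "curve list disabled, still referenced by: $users"
    fi
}

# Constructed, abbreviated sample input (not a real java.security file).
stock=$(mktemp); patched=$(mktemp)
cat > "$stock" <<'EOF'
# constructed sample
jdk.disabled.namedCurves = secp112r1, secp160k1, c2tnb191v1, brainpoolP320r1
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
    DSA keySize < 1024, include jdk.disabled.namedCurves
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
    DSA keySize < 1024, include jdk.disabled.namedCurves
EOF
# Apply the workaround from the comment above to a copy of the sample.
sed 's/^jdk\.disabled\.namedCurves/#&/' "$stock" > "$patched"

audit "$stock"
audit "$patched"
```

To check an installed JDK 11, pass its `conf/security/java.security` file to `audit` instead of the sample.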
So the keystore used for the signing tests uses insecure algorithms:
    $ keytool -keystore src/etc/testcases/testkeystore -storepass apacheant -list
    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 2 entries
    test@nly, 19-Sep-2008, PrivateKeyEntry,
    Certificate fingerprint (SHA1): 60:D0:F6:D4:0A:76:7C:A3:08:12:8F:E3:B0:62:84:7E:16:59:A4:F7
    testonly, 23-Dec-2002, PrivateKeyEntry,
    Certificate fingerprint (SHA1): C0:2C:C5:F1:E4:A2:92:B9:87:FF:0D:E6:EB:B6:A5:35:B4:BC:E0:DE
    Warning:
    <test@nly> uses the SHA1withDSA signature algorithm which is considered a security risk.
    <test@nly> uses a 1024-bit DSA key which is considered a security risk.
    <testonly> uses the SHA1withDSA signature algorithm which is considered a security risk.
    <testonly> uses a 1024-bit DSA key which is considered a security risk.
Here is a reproducer:
Actual:
    $ /usr/lib/jvm/java-11-openjdk/bin/jarsigner -J-showversion -keystore src/etc/testcases/testkeystore -storepass apacheant -signedjar y.jar build/lib/ant.jar test@nly
    openjdk version "11.0.9-ea" 2020-10-20
    OpenJDK Runtime Environment 18.9 (build 11.0.9-ea+4)
    OpenJDK 64-Bit Server VM 18.9 (build 11.0.9-ea+4, mixed mode)
    Exception in thread "main" java.lang.ExceptionInInitializerError
    Caused by: java.lang.IllegalArgumentException: Error in security property. Constraint unknown: c2tnb191v1
        at java.base/sun.security.util.DisabledAlgorithmConstraints$Constraints.<init>(DisabledAlgorithmConstraints.java:376)
        at java.base/sun.security.util.DisabledAlgorithmConstraints.<init>(DisabledAlgorithmConstraints.java:125)
        at java.base/sun.security.util.DisabledAlgorithmConstraints.<init>(DisabledAlgorithmConstraints.java:92)
        at jdk.jartool/sun.security.tools.jarsigner.Main.<clinit>(Main.java:98)
Expected:
    $ /usr/lib/jvm/java-11-openjdk/bin/jarsigner -J-showversion -keystore src/etc/testcases/testkeystore -storepass apacheant -signedjar y.jar build/lib/ant.jar test@nly
    openjdk version "11.0.8" 2020-07-14
    OpenJDK Runtime Environment 18.9 (build 11.0.8+10)
    OpenJDK 64-Bit Server VM 18.9 (build 11.0.8+10, mixed mode, sharing)
    jar signed.
    Warning:
    The signer's certificate is self-signed.
Assigning this bug to Andrew.
It needs the same fix as we did for java-latest-openjdk: https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3788 https://src.fedoraproject.org/rpms/java-latest-openjdk/c/02b4241e5019d091945ab11c9607f90ecf02b385?branch=master
Should be resolved by this change: https://src.fedoraproject.org/rpms/java-11-openjdk/c/2a70366ba716e30e57e05964db6e313120c160ac?branch=master https://koji.fedoraproject.org/koji/buildinfo?buildID=1610999
Closing. Re-open if there is still an issue with the 11.0.9+6 update.
*** Bug 1868074 has been marked as a duplicate of this bug. ***
FEDORA-2020-9d701908f6 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2020-234e373139 has been pushed to the Fedora ELN stable repository. If problem still persists, please make note of it in this bug report.
Thank you! Will test if it fixes the ant test failures shortly. Will this update be eventually pushed to f33 as well?
(In reply to Fabio Valentini from comment #16)
> Thank you! Will test if it fixes the ant test failures shortly.
> Will this update be eventually pushed to f33 as well?
Hmm, looks like 11.0.9+1 EA made it into F33. So we'll have no other choice but to create an update. Not sure if we can untag 11.0.9+1 EA from F33? Thing is, 11.0.9 GA is scheduled for October 20, 2020 which sort of clashes with F33 GA. We plan on bringing 11.0.9 GA to all stable Fedora versions. EA is intended for rawhide only, but it seems to have clashed with F33 branching. 11.0.9+1 in F33 is definitely broken so we need to get at least 11.0.9+6 in until the GA version hits for F33. Thoughts?
Both +1 and +6 are pre-releases, right? So with the GA for 11.0.9 still being pending for over a month, I think there's no harm in pushing this update to fedora 33 as well. At least this way, the buggy +1 version will not be shipped with fedora 33 images, even if the 11.0.9 GA won't make it in in time. :)
Before:
    # /usr/lib/jvm/java-11-openjdk/bin/jarsigner -J-showversion -keystore src/etc/testcases/testkeystore -storepass apacheant -signedjar y.jar build/lib/ant.jar test@nly
    openjdk version "11.0.9-ea" 2020-10-20
    OpenJDK Runtime Environment 18.9 (build 11.0.9-ea+4)
    OpenJDK 64-Bit Server VM 18.9 (build 11.0.9-ea+4, mixed mode)
    Exception in thread "main" java.lang.ExceptionInInitializerError
    Caused by: java.lang.IllegalArgumentException: Error in security property. Constraint unknown: c2tnb191v1
        at java.base/sun.security.util.DisabledAlgorithmConstraints$Constraints.<init>(DisabledAlgorithmConstraints.java:376)
        at java.base/sun.security.util.DisabledAlgorithmConstraints.<init>(DisabledAlgorithmConstraints.java:125)
        at java.base/sun.security.util.DisabledAlgorithmConstraints.<init>(DisabledAlgorithmConstraints.java:92)
        at jdk.jartool/sun.security.tools.jarsigner.Main.<clinit>(Main.java:98)
After:
    # /usr/lib/jvm/java-11-openjdk/bin/jarsigner -J-showversion -keystore src/etc/testcases/testkeystore -storepass apacheant -signedjar y.jar build/lib/ant.jar test@nly
    openjdk version "11.0.9-ea" 2020-10-20
    OpenJDK Runtime Environment 18.9 (build 11.0.9-ea+6)
    OpenJDK 64-Bit Server VM 18.9 (build 11.0.9-ea+6, mixed mode)
    jar signed.
    Warning:
    The signer's certificate is self-signed.
    The DSA signing key has a keysize of 1024 which is considered a security risk. This key size will be disabled in a future update.
I'll get 11.0.9+6 ported to F33.
(In reply to Fabio Valentini from comment #18)
> Both +1 and +6 are pre-releases, right?
Yes.
> So with the GA for 11.0.9 still
> being pending for over a month, I think there's no harm in pushing this
> update to fedora 33 as well. At least this way, the buggy +1 version will
> not be shipped with fedora 33 images, even if the 11.0.9 GA won't make it in
> in time. :)
Agreed.
Thanks! I can now also confirm that this is fixed in rawhide - I was able to remove the workarounds from the ant test suite.
I think F33 needs to be rolled back to 11.0.8. We shouldn't ship F33 with a pre-release.
(In reply to Andrew John Hughes from comment #22)
> I think F33 needs to be rolled back to 11.0.8. We shouldn't ship F33 with a
> pre-release.
It's too late for that, since the update was already pushed to stable. The only way would be to introduce an Epoch bump to "Epoch: 2" in f33 and rawhide and force a downgrade that way. With the current rate of f33 development, I guess the release will slip by at least one week anyway, so there should be time to get 11.0.9 GA into the final image with a freeze exception for the final freeze. At worst, f33 will ship with a "late" pre-release and the 11.0.9 GA will be shipped as an update on day zero.
*** Bug 1877348 has been marked as a duplicate of this bug. ***
FEDORA-2020-76ec02b59d has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-76ec02b59d
(In reply to Fabio Valentini from comment #23)
> (In reply to Andrew John Hughes from comment #22)
> > I think F33 needs to be rolled back to 11.0.8. We shouldn't ship F33 with a
> > pre-release.
>
> It's too late for that, since the update was already pushed to stable.
> The only way would be to introduce an Epoch bump to "Epoch: 2" in f33 and
> rawhide and force a downgrade that way.
>
> With the current rate of f33 development, I guess the release will slip by
> at least one week anyway, so there should be time to get 11.0.9 GA into the
> final image with a freeze exception for the final freeze. At worst, f33 will
> ship with a "late" pre-release and the 11.0.9 GA will be shipped as an
> update on day zero.
Yes, I realised after my comment that Fedora is effectively both release-based and a rolling release (i.e. rawhide is public), so we can't do what we would do in RHEL and roll back y-stream. It looks like we'll have to keep both java-1.8.0-openjdk & java-11-openjdk up-to-date with the upcoming releases in F33 as well as rawhide, as both received EA versions before branching. Let's avoid this in future though.
FEDORA-2020-76ec02b59d has been pushed to the Fedora 33 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-76ec02b59d` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-76ec02b59d See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-76ec02b59d has been pushed to the Fedora 33 stable repository. If problem still persists, please make note of it in this bug report.