Recent versions of Java, including the most recent Java 17 release, now consider some bundles to be unsigned

[merks]

In particular this issue has kicked in

https://www.oracle.com/java/technologies/javase/17-relnote-issues.html#JDK-8196415

As a result, everything signed by this certificate between January 1, 2019 and when it expired is treated as unsigned:

For the platform specifically, this repository content of the most recent 4.26 I-Build is treated as unsigned:

https://download.eclipse.org/oomph/archive/reports-extra/4.26-I-builds/download.eclipse.org/eclipse/updates/4.26-I-builds/I20221109-1850/index.html

This includes many Orbit bundles, which needs to be fixed in Orbit, but also these platform project bundles:

I assume these would need to be touched to force a new version.

CC @akurtakov @jonahgraham @sravanlakkimsetti

[akurtakov]

I'll start version bumping them (touch is not enough as it will bump only qualifier).

[merks]

Thank you * 💯

[akurtakov]

I hope I did it all. Please tell if there is anything left after the next build is analyzed.

[merks]

I will keep an eye out for a new build and provide feedback.

[merks]

Only Obit things left now:

One potential problem I noticed with split-package signatures:

1. org.osgi.service.component.annotations
   • [org.eclipse.osgi.services 3.11.100.v20221006-1531, org.osgi.service.component.annotations 1.5.0.202109301733]
   • {CN=Eclipse.org Foundation, Inc., OU=IT, O=Eclipse.org Foundation, Inc., L=Ottawa, ST=Ontario, from=2022-05-02, to=2024-05-22}
   • unsigned

I think it's best to open a new issue for that.

[merks]

@akurtakov I opened this as a follow up:

eclipse-equinox/equinox#157

[merks]

@akurtakov

I overlooked that org.eclipse.equinox.simpleconfigurator.manipulator is still in the list. 😢

[merks]

I'll look to provide a PR...

[merks]

@akurtakov

Another thing I overlooked 😱 is that we are pulling content from a very old version of Orbit for bundles that have not been migrated to recipes...

https://download.eclipse.org/tools/orbit/downloads/drops/R20201118194144/repository

Most of that content suffers from this signing problem:

https://download.eclipse.org/oomph/archive/reports-extra/orbit-platform/download.eclipse.org/tools/orbit/downloads/drops/R20201118194144/repository/index.html

Only if we PGP sign these bundles will the problem be resolved.

So I think all the ones list here:

eclipse.platform.releng.aggregator/eclipse.platform.releng.prereqs.sdk/eclipse-sdk-prereqs.target

Lines 50 to 88 in e1890a4

	<location includeAllPlatforms="true" includeMode="slicer" type="InstallableUnit">
	<unit id="com.sun.el" version="2.2.0.v201303151357"/>
	<unit id="com.sun.el.source" version="2.2.0.v201303151357"/>
	<!-- Upstream artifact from Maven Central misses OSGi info, stick to Orbit variant -->
	<unit id="javax.el" version="2.2.0.v201303151357"/>
	<unit id="javax.el.source" version="2.2.0.v201303151357"/>
	<unit id="javax.servlet.jsp" version="2.2.0.v201112011158"/>
	<unit id="javax.servlet.jsp.source" version="2.2.0.v201112011158"/>
	<unit id="org.apache.jasper.glassfish" version="2.2.2.v201501141630"/>
	<unit id="org.apache.jasper.glassfish.source" version="2.2.2.v201501141630"/>
	<unit id="org.w3c.css.sac" version="1.3.1.v200903091627"/>
	<unit id="org.w3c.css.sac.source" version="1.3.1.v200903091627"/>
	<unit id="org.w3c.dom.events" version="3.0.0.draft20060413_v201105210656"/>
	<unit id="org.w3c.dom.events.source" version="3.0.0.draft20060413_v201105210656"/>
	<unit id="org.w3c.dom.smil" version="1.0.1.v200903091627"/>
	<unit id="org.w3c.dom.smil.source" version="1.0.1.v200903091627"/>
	<unit id="org.w3c.dom.svg" version="1.1.0.v201011041433"/>
	<unit id="org.w3c.dom.svg.source" version="1.1.0.v201011041433"/>
	<!-- part of e4 ui tools. See bug 422102 -->
	<!-- Has Maven deps on non-OSGi jdom, cannot easily use Maven artifact yet -->
	<unit id="org.apache.commons.jxpath" version="1.3.0.v200911051830"/>
	<unit id="org.apache.commons.jxpath.source" version="1.3.0.v200911051830"/>
	<!-- RedDeer deps-->
	<unit id="org.json" version="1.0.0.v201011060100"/>
	<!-- This is the last build of the CVS sourced Orbit repository - this was a subrepo of the recommended Orbit
	for 2022-03. Due to Bug 568936 this is not included in 2022-06 recommended Orbit repos and beyond.
	The intention is to migrate the above (where possible) to newer sources, such as pulling from
	maven central. -->
	<repository location="https://download.eclipse.org/tools/orbit/downloads/drops/R20201118194144/repository/"/>
	</location>

Would need to be listed here:

eclipse.platform.releng.aggregator/eclipse.platform.releng.tychoeclipsebuilder/pom.xml

Lines 48 to 51 in e1890a4

	<forceSignature>
	<bundle>bcpg</bundle>
	<bundle>bcprov</bundle>
	</forceSignature>

What do you think?

[merks]

@akurtakov I'm not asking you to do anything just asking your opinion. The latest test report:

https://download.eclipse.org/oomph/archive/reports-extra/4.26-I-builds/download.eclipse.org/eclipse/updates/4.26-I-builds/I20221117-1330/index.html

Shows these remaining issues:

We could force PGP sign these. Should we?

[mickaelistria]

We could force PGP sign these. Should we?

+1 for that.

[merks]

@mickaelistria Thank goodness we improved p2 to support the verification of this during that last release and that you did the Tycho stuff to generate it too!!

[merks]

The report is now clean:

https://download.eclipse.org/oomph/archive/reports-extra/4.26-I-builds/download.eclipse.org/eclipse/updates/4.26-I-builds/I20221118-1800/index.html