ant-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 26083] - Problems with zipgroupfileset
Date Wed, 26 Apr 2006 12:46:55 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG·
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=26083>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND·
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=26083





------- Additional Comments From wolfgang.brodowski@gebit.de  2006-04-26 12:46 -------
(In reply to comment #3)
> I think the underlying problem of #2 here is that Ant doesnt let you merge
> signed JARs. Is this correct? 

No, ant supports merging jars into one jar by using the mentioned zipgroufileset
independent, if the jar is signed or not. With parameter "duplicate" you can
decide, how to handle duplicates (in any directory) and with parameter
"filesetmanifest" the merging (or not) of included manifest files, which is
somehow buggy or incomplete, but not my problem, because the manifest is
regenerated on signing the newly created archive.

> 
> 1. what is the task declaration you are using
<jar destfile="${libraryname}" duplicate="preserve">
    <zipgroupfileset dir="${dist}/${lib}" includes="*.jar,*.JAR,*.zip,*.ZIP" >
    	<selector refid="extlibs.excludes"/> <!-- exclude some libs ever -->
    </zipgroupfileset>
</jar>


> 2. is it that the source files (e.g. activation) are signed?

Yes, some of the source jars are signed, some not. I can't check to handle them
differently.

> 
> It seems that security may have to be handled specially, perhaps by
>  (a) not merging security stuff; knowing about signatures and things and
> excluding them

Yes. Because ant does not support excludes inside a zipgroupfileset (as
requested in Bugzilla ID#34403), I created a workaround to remove the disturbing
security files by repacking the created jar excluding stuff, that I donot want:

<tempfile property="templib" destdir="@{destination}"/>
<move tofile="${templib}" file="@{destination}/@{libraryname}"/>
<zip file="@{destination}/@{libraryname}">
	<zipfileset src="${templib}">
		<exclude name="META-INF/*.SF"/>			
	</zipfileset>
</zip>
<delete file="${templib}" quiet="true"/>

>  (b) somehow treating security stuff specially and doing the correct merging so
> that packages/classes that were signed in the source are still signed in the
> merged file.

Seems to be problematic, because a signed jar must be signed at the whole and
can not be signed partially with different signers, as I know. Correct?

> 
> the fact that there is no good API to check if a JAR/class is signed makes
> testing (b) that much harder.

Agreed.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
For additional commands, e-mail: dev-help@ant.apache.org


Mime
View raw message