Content signed with an expired certifcate after the expiration date is considered unsigned

[merks]

I will edit this description with additional details as they become available.

This issue affects all projects that sign jars, not just SimRel projects.

This issue directly related to the problem is already opened:

https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/4662

---

Here is a (hopefully correct) short list of affected projects:

• org.eclipse.cdt
• org.eclipse.cdt.mylyn.ui (Mylyn)
• org.eclipse.dltk
• org.eclipse.draw2d (GEF)
• org.eclipse.eclemma
• org.eclipse.egit
• org.eclipse.emf.parsley
• org.eclipse.gef
• org.eclipse.launchbar (CDT)
• org.eclipse.lsp4e
• org.eclipse.mylyn
• org.eclipse.ocl
• org.eclipse.papyrus
• org.eclipse.qvt
• org.eclipse.qvtd
• org.eclipse.rap
• org.eclipse.remote (CDT)
• org.eclipse.tm (CDT)
• org.eclipse.tracecompass
• org.eclipse.wildwebdeveloper
• org.eclipse.zest (GEF)

---

The signing certificate expired May 21, 2024:

Any content signed with this certificate after that date is considered unsigned, e.g.,

$/c/Program\ Files/Java/jdk-21.0.2+13/bin/jarsigner.exe  -verbose -verify /d/stuff/org.eclipse.e4.ui.dialogs_1.5.0.v20240424-0957.jar

s       4608 Wed Apr 24 22:09:26 CEST 2024 META-INF/MANIFEST.MF
        3961 Wed Apr 24 22:09:26 CEST 2024 META-INF/ECLIPSE_.SF
        9554 Wed Apr 24 22:09:26 CEST 2024 META-INF/ECLIPSE_.RSA
           0 Wed Apr 24 22:09:24 CEST 2024 META-INF/
           0 Wed Apr 24 22:09:24 CEST 2024 org/
           0 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/
           0 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/
           0 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/
           0 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/dialogs/
           0 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/dialogs/filteredtree/
           0 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/dialogs/textbundles/
           0 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/internal/
           0 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/internal/dialogs/
           0 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/internal/dialogs/about/
           0 Wed Apr 24 22:09:24 CEST 2024 icons/
           0 Wed Apr 24 22:09:24 CEST 2024 icons/full/
           0 Wed Apr 24 22:09:24 CEST 2024 icons/full/dtool16/
           0 Wed Apr 24 22:09:24 CEST 2024 icons/full/etool16/
sm      2520 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/dialogs/filteredtree/BasicUIJob.class
sm     13542 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/dialogs/filteredtree/FilteredTree.class
sm      3362 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/dialogs/filteredtree/FilteredTree$NotifyingTreeViewer.class
sm      1397 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/dialogs/filteredtree/FilteredTree$5.class
sm      1199 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/dialogs/filteredtree/FilteredTree$4.class
sm      2604 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/dialogs/filteredtree/FilteredTree$2.class
sm      1270 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/dialogs/filteredtree/FilteredTree$3.class
sm      4743 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/dialogs/filteredtree/FilteredTree$1.class
sm      7594 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/dialogs/filteredtree/PatternFilter.class
sm      1258 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/dialogs/textbundles/E4DialogMessages.class
sm      1663 Wed Apr 24 22:03:14 CEST 2024 org/eclipse/e4/ui/dialogs/textbundles/messages.properties
sm      9637 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/internal/dialogs/about/AboutDialogE4.class
sm      1838 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/internal/dialogs/about/AboutText$1.class
sm     11033 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/internal/dialogs/about/AboutText.class
sm      2222 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/internal/dialogs/about/AboutText$2.class
sm      4111 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/internal/dialogs/about/BrandingProperties.class
sm      2556 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/internal/dialogs/about/HyperlinkExtractor.class
sm       719 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/internal/dialogs/about/HyperlinkRange.class
sm       421 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/internal/dialogs/about/IProductConstants.class
sm      1911 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/internal/dialogs/about/ParsedAbout.class
sm      2617 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/internal/dialogs/about/ProductInformation.class
sm      7441 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/internal/dialogs/about/ProductProperties.class
sm      1084 Wed Apr 24 22:09:24 CEST 2024 org/eclipse/e4/ui/internal/dialogs/about/UnavailableProduct.class
sm       397 Wed Apr 24 22:03:14 CEST 2024 icons/full/dtool16/clear_co.png
sm       755 Wed Apr 24 22:03:14 CEST 2024 icons/full/dtool16/clear_co@2x.png
sm       463 Wed Apr 24 22:03:14 CEST 2024 icons/full/etool16/clear_co.png
sm      1015 Wed Apr 24 22:03:14 CEST 2024 icons/full/etool16/clear_co@2x.png
sm       214 Wed Apr 24 22:09:24 CEST 2024 .api_description
sm      1460 Wed Apr 24 22:03:14 CEST 2024 about.html
sm       614 Wed Apr 24 22:03:14 CEST 2024 plugin.properties

  s = signature was verified
  m = entry is listed in manifest
  k = at least one certificate was found in keystore

- Signed by "EMAILADDRESS=webmaster@eclipse.org, CN="Eclipse.org Foundation, Inc.", OU=IT, O="Eclipse.org Foundation, Inc.", L=Ottawa, ST=Ontario, C=CA"
    Digest algorithm: SHA-256
    Signature algorithm: SHA384withRSA, 4096-bit key
  Timestamped by "CN=Symantec SHA256 TimeStamping Signer - G3, OU=Symantec Trust Network, O=Symantec Corporation, C=US" on Mi. Apr. 24 22:09:27 UTC 2024
    Timestamp digest algorithm: SHA-256
    Timestamp signature algorithm: SHA256withRSA, 2048-bit key

jar verified.

Warning:
This jar contains entries whose TSA certificate chain is invalid. Reason: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
POSIX file permission and/or symlink attributes detected. These attributes are ignored when signing and are not protected by the signature.

Re-run with the -verbose and -certs options for more details.

The signer certificate expired on 2024-05-22. However, the JAR will be valid until the timestamp expires on 2029-03-23.

---

We see SimRel staging is badly affected by this:

Note that some shown with strikeout and some are not. That's because some artifacts were signed by the certificate when it was still valid while others are signed by the certificate after is expired.

---

Here are JUnit-style test results:

https://ci.eclipse.org/simrel/job/simrel.oomph.repository-analyzer.test/lastCompletedBuild/testReport/

[cdietrich]

is there already a new cert available?

[Kellindil]

Hello,

I will assume this means we will have to rebuild all projects currently contributed to the simrel, even those which didn't plan new versions?

Laurent

[merks]

@cdietrich

No, I believe the new cert is not yet available.

---

@Kellindil

No, not all projects need to rebuild. It's perfectly find to have a jar signed with an expired signature as long as the siganature itself was produced within the certificates validity range. This is why I mentioned that some artifacts are in strikeout but some are not. I will collect a list of affected projects ASAP.

Please look for your artifacts in this list:

https://ci.eclipse.org/simrel/job/simrel.oomph.repository-analyzer.test/lastCompletedBuild/testReport/

[merks]

This is the impact on the users:

[mbarbero]

The certificate expired yesterday, so anything built and signed before should be valid.

There is ongoing work to update the certificate. However, this update is not routine because the secret key must now be stored on an HSM, a new requirement from the code-signing CA.

https://www.eclipsestatus.io/incident/373129

[iloveeclipse]

Please look for your artifacts in this list:

https://ci.eclipse.org/simrel/job/simrel.oomph.repository-analyzer.test/lastCompletedBuild/testReport/

It does not include org.eclipse.e4.ui.dialogsmentioned in your error above.
Can we get a report for the platform somewhere?

[merks]

@iloveeclipse

I think you already noticed that I provided the platform-specific report here:

• Declare 4.32 RC1 eclipse-platform/eclipse.platform.releng.aggregator#2044 (comment)
• https://ci.eclipse.org/oomph/job/repository-analyzer/lastCompletedBuild/testReport/

The Platform's M3 contribution was last Friday, so that content is not a problem; the Platform's own pend RC1 candidate content is a problem.

[akurtakov]

I wonder is it possible for simrel verification to fail if contributed artifacts contain bad signature?

[pcdavid]

Shouldn't signing itself fail if the certificate is expired?

[Bralic]

If possible, of course, that'd be nice.

[merks]

@akurtakov

Right now the verification only uses the p2 planner to ensure there is a solution. Checking all the artifact signatures could be done by the aggregation step, which takes much longer. Right now actual testing of signatures is done by Oomph's repository analyzer as done by this job:

https://ci.eclipse.org/simrel/job/simrel.oomph.repository-analyzer.test/

Unfortunately that didn't send me an email because it didn't actually fail. 😞

The Platform's content verification sent me an email this morning so that's what I noticed first. Of course I check the report before promoting the content so that's what I noticed second.

---

Several factors contributed to this problem. Proactively updating the certificates would prevent all these problems. The signer verifying that the artifact is really properly signed would help catch that oversight when that proactive update hasn't taken place. Projects using the Oomph analyzer themselves would also catch this problem. And finally my complacency also contributed. That's because the aggregation builds PGP signs everything that is unsigned thanks to Tycho's support for PGP signing with skipIfJarsignedAndAnchored. So I generally never expect to see a signing failures for SimRel because that feature always kicks in. Unfortunately that Tycho feature does not call org.eclipse.osgi.signedcontent.SignedContent.checkValidity(SignerInfo) as part of signature checking, so it did not notice that this content, while signed, is not actually considered signed because it's not signed validly. Blah, blah, blah. I'm working to fix that Tycho problem and @laeubi already planned a new Tycho release for tomorrow, so I'm trying to get that in ASAP.

[Bralic]

Thank you for all this information! Very instructive!
And of course all the effort.

[merks]

FYI, I added this content to the start of this issue:

---

Here is a (hopefully correct) short list of affected projects:

• org.eclipse.cdt
• org.eclipse.draw2d (GEF)
• org.eclipse.eclemma
• org.eclipse.egit
• org.eclipse.emf.parsley
• org.eclipse.gef
• org.eclipse.launchbar (CDT)
• org.eclipse.mylyn
• org.eclipse.ocl
• org.eclipse.papyrus
• org.eclipse.qvtd
• org.eclipse.rap
• org.eclipse.remote (CDT)
• org.eclipse.tm (CDT)
• org.eclipse.tracecompass
• org.eclipse.zest (GEF)

[iloveeclipse]

Here is a (hopefully correct) short list of affected projects:

What about Platform?