Source: fdroidserver
Version: 2.0.3-1
Severity: important

Hi,

with the latest security update of openjdk-11 in stable (which updated from 11.0.6 to 11.0.8, as we're following the Java LTS releases), the autopkgtest of fdroidserver fails.

This seems to be caused by the "Disabled SHA-1 Signed JARs (JDK-8269039)" change listed here:
https://www.oracle.com/java/technologies/javase/11-0-17-relnotes.html

Full logs can be found at https://ci.debian.net/packages/f/fdroidserver/stable/amd64/, but the relevant excerpt is below.

Cheers,
Moritz

======================================================================
ERROR: test_verify_jar_signature_succeeds (__main__.CommonTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/autopkgtest-lxc.n2jjmjhl/downtmp/build.D3f/src/fdroidserver/common.py", line 3223, in verify_jar_signature
    output = subprocess.check_output([config['jarsigner'], '-strict', '-verify', jar],
  File "/usr/lib/python3.9/subprocess.py", line 424, in check_output
    return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
  File "/usr/lib/python3.9/subprocess.py", line 528, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['/usr/bin/jarsigner', '-strict', '-verify', '/tmp/autopkgtest-lxc.n2jjmjhl/downtmp/build.D3f/src/tests/signindex/testy.jar']' returned non-zero exit status 16.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/tmp/autopkgtest-lxc.n2jjmjhl/downtmp/build.D3f/src/tests/common.TestCase", line 435, in test_verify_jar_signature_succeeds
    fdroidserver.common.verify_jar_signature(testfile)
  File "/tmp/autopkgtest-lxc.n2jjmjhl/downtmp/build.D3f/src/fdroidserver/common.py", line 3230, in verify_jar_signature
    raise VerificationException(error + '\n' + e.output.decode('utf-8'))
fdroidserver.exception.VerificationException: JAR signature failed to verify: /tmp/autopkgtest-lxc.n2jjmjhl/downtmp/build.D3f/src/tests/signindex/testy.jar
The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled. Re-run jarsigner with the -verbose option for more details.
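The failure above is jarsigner refusing a JAR whose signature uses a digest algorithm the JDK now lists as disabled. As an added example, not part of the bug report and not fdroidserver's own code, the following Python reads the digest attributes declared in a JAR's META-INF/*.SF signature files so that a "weak algorithm" rejection can be triaged without running a JDK at all. The function names, the WEAK_DIGESTS set and the sample JARs (built inline with placeholder digests and no real signature block) are all assumptions of this example.

```python
# Added example (not fdroidserver code): report which digest algorithms a
# JAR's META-INF/*.SF signature files declare, and flag the ones that a
# current JDK treats as disabled for JAR signatures.
import io
import re
import zipfile

# Assumed policy set for this example: digests that JDK 11.0.17+ no longer
# accepts in JAR signatures (JDK-8269039 added SHA-1; MD2/MD5 were disabled
# earlier). Adjust to match the jdk.jar.disabledAlgorithms line in java.security.
WEAK_DIGESTS = {"MD2", "MD5", "SHA1", "SHA-1"}

# Matches "SHA1-Digest:", "SHA-256-Digest-Manifest:" and
# "SHA-256-Digest-Manifest-Main-Attributes:" and captures the algorithm name.
_DIGEST_ATTR = re.compile(
    r"^(?P<alg>[A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?\s*:",
    re.IGNORECASE,
)


def _unfold(text):
    """Join JAR manifest continuation lines (a line starting with one space)."""
    return text.replace("\r\n", "\n").replace("\n ", "")


def signature_digest_algorithms(jar_bytes):
    """Map each META-INF/*.SF entry to the set of digest algorithm names it uses."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if not (upper.startswith("META-INF/") and upper.endswith(".SF")):
                continue
            algs = set()
            text = _unfold(zf.read(name).decode("utf-8", "replace"))
            for line in text.split("\n"):
                m = _DIGEST_ATTR.match(line)
                if m:
                    algs.add(m.group("alg").upper())
            result[name] = algs
    return result


def weak_signature_files(jar_bytes):
    """Return the .SF entries whose digests fall in WEAK_DIGESTS, sorted by name."""
    return sorted(
        name
        for name, algs in signature_digest_algorithms(jar_bytes).items()
        if algs & WEAK_DIGESTS
    )


def build_sample_jar(digest_alg):
    """Constructed fixture: a minimal JAR whose .SF uses the given digest name.

    The digest values are placeholders, and no .RSA/.DSA/.EC block is written,
    so this JAR would never verify; it only exercises the attribute parsing.
    """
    fake = "AAAAAAAAAAAAAAAAAAAAAAAAAAA="  # placeholder base64, not a real digest
    manifest = (
        "Manifest-Version: 1.0\n\n"
        f"Name: index.xml\n{digest_alg}-Digest: {fake}\n\n"
    )
    sf = (
        "Signature-Version: 1.0\n"
        f"{digest_alg}-Digest-Manifest-Main-Attributes: {fake}\n"
        f"{digest_alg}-Digest-Manifest: {fake}\n\n"
        f"Name: index.xml\n{digest_alg}-Digest: {fake}\n\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/TESTY.SF", sf)
        zf.writestr("index.xml", "<index/>")
    return buf.getvalue()


if __name__ == "__main__":
    for alg in ("SHA1", "SHA-256"):
        jar = build_sample_jar(alg)
        print(alg, signature_digest_algorithms(jar), weak_signature_files(jar))
```

Two caveats: this only inspects the digest attributes in the .SF files. The signature algorithm inside the .RSA/.DSA/.EC block and the certificate chain are also subject to the JDK's disabled-algorithm policy, and the linked release notes describe a date-based exemption for timestamped SHA-1 signatures that this inspector does not model, so `jarsigner -verbose -verify` on the affected JDK remains the authoritative check; this script just tells you quickly whether a re-sign with SHA-256 is the likely fix.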