DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUGĀ· RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=26083>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED ANDĀ· INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=26083 ------- Additional Comments From [EMAIL PROTECTED] 2006-04-26 12:46 ------- (In reply to comment #3) > I think the underlying problem of #2 here is that Ant doesnt let you merge > signed JARs. Is this correct? No, ant supports merging jars into one jar by using the mentioned zipgroufileset independent, if the jar is signed or not. With parameter "duplicate" you can decide, how to handle duplicates (in any directory) and with parameter "filesetmanifest" the merging (or not) of included manifest files, which is somehow buggy or incomplete, but not my problem, because the manifest is regenerated on signing the newly created archive. > > 1. what is the task declaration you are using <jar destfile="${libraryname}" duplicate="preserve"> <zipgroupfileset dir="${dist}/${lib}" includes="*.jar,*.JAR,*.zip,*.ZIP" > <selector refid="extlibs.excludes"/> <!-- exclude some libs ever --> </zipgroupfileset> </jar> > 2. is it that the source files (e.g. activation) are signed? Yes, some of the source jars are signed, some not. I can't check to handle them differently. > > It seems that security may have to be handled specially, perhaps by > (a) not merging security stuff; knowing about signatures and things and > excluding them Yes. Because ant does not support excludes inside a zipgroupfileset (as requested in Bugzilla ID#34403), I created a workaround to remove the disturbing security files by repacking the created jar excluding stuff, that I donot want: <tempfile property="templib" destdir="@{destination}"/> <move tofile="${templib}" file="@{destination}/@{libraryname}"/> <zip file="@{destination}/@{libraryname}"> <zipfileset src="${templib}"> <exclude name="META-INF/*.SF"/> </zipfileset> </zip> <delete file="${templib}" quiet="true"/> > (b) somehow treating security stuff specially and doing the correct merging > so > that packages/classes that were signed in the source are still signed in the > merged file. Seems to be problematic, because a signed jar must be signed at the whole and can not be signed partially with different signers, as I know. Correct? > > the fact that there is no good API to check if a JAR/class is signed makes > testing (b) that much harder. Agreed. -- Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
