New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrading Conscrypt to 2.5.1 #7342
Conversation
…es in the ALTS code. (cl/308901367)" This reverts commit a7bca23.
Both MacOS and Windows failed with
but why? |
We need to be careful and make sure not to squash this when merging. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking at the Windows build, where we can download the
|
It looks like the conscrypt-openjdk-uber.jar is broken. I don't see signatures in the MANIFEST.MF. I do see them in 2.2.1, but they are missing in 2.4.0 and 2.5.0. It looks like the new release system is broken. I don't see an issue filed for Conscrypt, so I don't know whether this means very few people upgraded Conscrypt to 2.4.0+ or very few people are using Oracle's JRE since they became a PITA to use. It's unclear if we should consider this a blocker for upgrading Conscrypt. |
Eric, thank you for the investigation. So this is caused by the Conscrypt JAR which was not correctly signed on Windows and Mac. But Android and Linux were done correctly. Right? BTW, I'll keep the commits. |
@prbprbprb Can you check this? If uber package is actually broken, it probably needs the new release to fix it. |
One thing that I can do is splitting this PR to revert #7049 only first and bump the Conscrypt to 2.5.0 or later. From this, at least we can benefit the recent optimizations on Linux by upgrading Conscrypt to 2.5.0 separately. |
Link to #6684. That can be closed once this is merged. |
No. All of them are broken. What happened is we are using OpenJDK on Linux, which is fine with this. If we used Oracle JRE on Linux it would have failed there too. I'm not 100% confident about that, but that's what it's been like in the past when this happened.
Nope. I think it is busted on Linux as well, if you use Oracle JRE. |
Sorry for the slow update! Yes, indeed it looks all the artifacts for 2.4.0 and 2.5.0 are completely unsigned (despite re-assuring output from Gradle when publishing them). It's a little surprising that nobody noticed before and we'll certainly add something to our release checklist to prevent this happening again. Looking at a fix now. @kruton FYI |
@prbprbprb, Gradle supports class signing in META-INF? I don't see any documentation for that. The most common signing for gradle is creating asc files for the artifacts, which is required for Maven Central. So the JAR is signed, but not the class files 😄 |
Nope. Historically Conscrypt has done this with a hook which uses |
@prbprbprb Thanks! Once 2.5.1 shows up on the maven repo, I'll update this PR to have 2.5.1 and see whether it passes the tests! |
Conscrypt 2.5.1 is built for openjdk and currently going through the Maven Central release process. Android and Uberjar builds will follow later this evening, but you should at least be able to pick this one up soon. (And yes, I double-checked all the jars had signature data in their META-INF before hitting "release" ;) |
7748160
to
4057614
Compare
2.5.1 is passing all the tests! Merging! |
This PR has two things;