Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MSHADE-147: Add flag to disable jar signing verification #122

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

gzsombor
Copy link
Member

@gzsombor gzsombor commented Feb 24, 2022

This is the rebased fix for https://issues.apache.org/jira/browse/MSHADE-147.
The problem is, that certain jar files has an incorrect signature, so the shade plugin couldn't even open it.
The solution for this, is a flag, which can disable this jar verification optionally.

Following this checklist to help us incorporate your
contribution quickly and easily:

  • Make sure there is a JIRA issue filed
    for the change (usually before you start working on it). Trivial changes like typos do not
    require a JIRA issue. Your pull request should address just this issue, without
    pulling in other changes.
  • Each commit in the pull request should have a meaningful subject line and body.
  • Format the pull request title like [MSHADE-XXX] - Fixes bug in ApproximateQuantiles,
    where you replace MSHADE-XXX with the appropriate JIRA issue. Best practice
    is to use the JIRA issue title in the pull request title and in the first line of the
    commit message.
  • Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
  • Run mvn clean verify to make sure basic checks pass. A more thorough check will
    be performed on your pull request automatically.
  • You have run the integration tests successfully (mvn -Prun-its clean verify).

If your pull request is about ~20 lines of code you don't need to sign an
Individual Contributor License Agreement if you are unsure
please ask on the developers list.

To make clear that you license your contribution under
the Apache License Version 2.0, January 2004
you have to acknowledge this by using the following check-box.

@gnodet
Copy link
Contributor

gnodet commented Oct 19, 2022

A test would be welcomed.

@mauro-rizzi-DSP
Copy link

mauro-rizzi-DSP commented May 24, 2024

Hey i'm running into this trying to shade one of my projects and I think not only this should be finished and we should get the option to avoid this but we also need the logging to be more than a generic "Invalid signature file digest for Manifest main attributes". If you're going to tell me one or more of my dependencies has an invalid signature you should at least tell me which ones so I can take action over that instead of filtering out the signature files of all my dependencies as if they had no use

@Ghost-chu
Copy link

This should be merged, I'm having the same problem.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants