-
Bug
-
Resolution: Fixed
-
P4
-
jfx17
-
generic
-
generic
Add dependency verification to the Gradle builds of JavaFX on Linux, macOS, and Windows. The verification file documents the dependencies and guarantees the integrity of the JAR and POM files downloaded during the build.
SYSTEM / OS / JAVA RUNTIME INFORMATION
Ubuntu 20.04.2 LTS
$ uname -srm
Linux 5.4.0-67-generic x86_64
macOS 11.2.3 (Big Sur)
$ uname -srm
Darwin 20.3.0 x86_64
Microsoft Windows 10 Pro Version 10.0.19042
$ uname -srm
CYGWIN_NT-10.0 3.1.7(0.340/5/3) x86_64
Oracle OpenJDK 15.0.2
$ java --version
openjdk 15.0.2 2021-01-19
OpenJDK Runtime Environment (build 15.0.2+7-27)
OpenJDK 64-Bit Server VM (build 15.0.2+7-27, mixed mode, sharing)
STEPS TO REPRODUCE
Reproduce the problem in two steps:
1. Modify the JAR file of a dependency in the Gradle cache:
$ strip-nondeterminism $(find ~/.gradle -name ST4-4.1.jar)
2. Build JavaFX:
$ bash gradlew sdk jmods
I made a non-destructive change to the 'ST4-4.1.jar' file with the Linux 'strip-nondeterminism' command, which modifies the order and modification times of the files in the archive.
EXPECTED RESULTS
$ bash gradlew sdk jmods
...
> Task :graphics:generateGrammarSource FAILED
FAILURE: Build failed with an exception.
* What went wrong:
Execution failed for task ':graphics:generateGrammarSource'.
> Dependency verification failed for configuration ':graphics:antlr'
One artifact failed verification: ST4-4.1.jar (org.antlr:ST4:4.1)
from repository MavenRepo
This can indicate that a dependency has been compromised.
Please carefully verify the checksums.
...
BUILD FAILED in 1s
5 actionable tasks: 2 executed, 3 up-to-date
ACTUAL RESULT
$ bash gradlew sdk jmods
...
BUILD SUCCESSFUL in 1m 41s
134 actionable tasks: 134 executed
SOURCE CODE FOR AN EXECUTABLE TEST CASE
None.
WORKAROUND
None.
SYSTEM / OS / JAVA RUNTIME INFORMATION
Ubuntu 20.04.2 LTS
$ uname -srm
Linux 5.4.0-67-generic x86_64
macOS 11.2.3 (Big Sur)
$ uname -srm
Darwin 20.3.0 x86_64
Microsoft Windows 10 Pro Version 10.0.19042
$ uname -srm
CYGWIN_NT-10.0 3.1.7(0.340/5/3) x86_64
Oracle OpenJDK 15.0.2
$ java --version
openjdk 15.0.2 2021-01-19
OpenJDK Runtime Environment (build 15.0.2+7-27)
OpenJDK 64-Bit Server VM (build 15.0.2+7-27, mixed mode, sharing)
STEPS TO REPRODUCE
Reproduce the problem in two steps:
1. Modify the JAR file of a dependency in the Gradle cache:
$ strip-nondeterminism $(find ~/.gradle -name ST4-4.1.jar)
2. Build JavaFX:
$ bash gradlew sdk jmods
I made a non-destructive change to the 'ST4-4.1.jar' file with the Linux 'strip-nondeterminism' command, which modifies the order and modification times of the files in the archive.
EXPECTED RESULTS
$ bash gradlew sdk jmods
...
> Task :graphics:generateGrammarSource FAILED
FAILURE: Build failed with an exception.
* What went wrong:
Execution failed for task ':graphics:generateGrammarSource'.
> Dependency verification failed for configuration ':graphics:antlr'
One artifact failed verification: ST4-4.1.jar (org.antlr:ST4:4.1)
from repository MavenRepo
This can indicate that a dependency has been compromised.
Please carefully verify the checksums.
...
BUILD FAILED in 1s
5 actionable tasks: 2 executed, 3 up-to-date
ACTUAL RESULT
$ bash gradlew sdk jmods
...
BUILD SUCCESSFUL in 1m 41s
134 actionable tasks: 134 executed
SOURCE CODE FOR AN EXECUTABLE TEST CASE
None.
WORKAROUND
None.
- relates to
-
-
- Resolved
-
-
-
- Resolved
-
-
-
- Resolved
-
