Inconsistent sha512 sum in snapshot site

[mickaelistria]

Discussed in #1485

^{Originally posted by jcompagner March 6, 2024}
when i want to update to:

Wild Web Developer HTML, CSS, JSON, Yaml, JavaScript, TypeScript, Node tools 1.3.4.202402272001

i get:

An error occurred while collecting items to be installed
session context was:(profile=SDKProfile, phase=org.eclipse.equinox.internal.p2.engine.phases.Collect, operand=, action=).
Problems downloading artifact: osgi.bundle,org.eclipse.wildwebdeveloper,1.1.5.202402272001.
SHA-512 hash is not as expected. Expected: 9e75fc48a51ffa9635c01e72dc02c5f41193c9c8a3efe9a273c4d069240814bf664114734de7cfa9ff514ba3841336d2c4343390340262ad6c3c01674dd0e81e and found d75df3e7cedce2d8b55b90aa3343217fac24c922041310e3f152cc0f2ad32781019b766e052a676251e25fb43847d3993183af1de4c1f0a898779cc8cd46d12e.

anybody else has that problem?

and i like to update, to see where the problem is that i currently have in "ts" editor.
If i copy/paste then i get extra spaces before it (and the copy really doesn't have that, paste in another editor works fine)

[jcompagner]

i tried the one that i guess is from today:

An error occurred while collecting items to be installed
session context was:(profile=SDKProfile, phase=org.eclipse.equinox.internal.p2.engine.phases.Collect, operand=, action=).
Problems downloading artifact: osgi.bundle,org.eclipse.wildwebdeveloper,1.1.5.202403260750.
SHA-512 hash is not as expected. Expected: b6ef06399fe41e1dcdb4a341b095df3b6bc92c0536b8414f681897893094fe9afd6c0c60e2b3c0aaba65dd67c64e88bee9d3f57c9e6a406142af932961a22caf and found 19c3c341e0e311612689d46e8c49e00c58d1ca83772338332be6bee110eb5d95654bac9c19fdabb789f0c674f29f205b8c01a2bec3caae1a1d33c8a6ea2ef046.

[mickaelistria]

So it could be the signatures that mess up the sha512sum.
@laeubi Has anything change regarding mojo ordering in recent Tycho?

[laeubi]

Mojos do not have any order that can be influenced by the mojo itself.

[laeubi]

by the way if you want to be 100% sure there is a verify repository mojo one can use to be extra safe.

[jcompagner]

what is so special in the building of WWD i wonder?
because until now (including our own product) this is the only feature that has this problem

[mickaelistria]

by the way if you want to be 100% sure there is a verify repository mojo one can use to be extra safe.

That's interesting, thanks. Is it considered to add it by default to the eclipse-repository packaging description?

what is so special in the building of WWD i wonder?

I suspect the issue comes from artifact signature, as it's all fine with CI build for PRs (no signature) vs snapshots. A typical reason could be that Wild Web Developer doesn't perform the signing action at the right time, or forgets to refresh p2 metadata after that. Why it has changed is unknown though, although it may not be necessary to investigate a cause in order to find a fix here.

[laeubi]

The mojo is quite slow and I'm not sure how well it is maintained (e.g. PGP...) I just wanted to mention this in case one wants to play around with the build its maybe easier than deploy the site and then try to install software.

[PyvesB]

I'm also facing this issue on both my work machine and my personal laptop.

[mickaelistria]

The p2 metadata are indeed incorrect with signing enabled.
Any contribution to fix it would be welcome. It's unfortunately impossible to reproduce it locally exactly, but any process that replaces jarsigner by some step that just modifies slightly the jars (eg add 1 file in them) should be enough to see an equivalent case and to investigate a fix.

[laeubi]

The best usually is to assign things to distinct phases see https://maven.apache.org/guides/introduction/introduction-to-the-lifecycle.html#default-lifecycle or make sure all relevant mojos /executions are configured in the module pom.xml (in wich case the order of the executions/mojos is the order in that they are executed (or at least should be).

[mickaelistria]

The error still seems present despite 7213ba2 . To test it on a PR, we need to replace ${env.BRANCH_NAME=='master' ? '-Psign': ''} with a simple -Psign in the Jenkinsfile and test the resulting repo from https://ci.eclipse.org/wildwebdeveloper/job/Wildwebdeveloper/view/change-requests/job/PR-XXXX/lastSuccessfulBuild/artifact/repository/target/repository/

[laeubi]

It is more the problem that the fix-artifact-repository seems to run before the signing... (or not al all?)

[mickaelistria]

Actually, the org.eclipse.wildwebdeveloper artifact shouldn't even have PGP signatures as it's supposed to be sign with the jarsignar cbi plugin.
In the log, we can see that the --- antrun:3.1.0:run (sign-node-files) @ repository --- mojo alters the org.eclipse.wildwebdeveloper bundle and thus breaks existing signatures, but doesn't fix them.

It seems to me this sign-node-files step should run on artifact level, during the generate-resources phase.