[cf-dev] Invalid signatures on californium-osgi artifact

Hi,
Matthias pointed out to me last week that he had been notified that our published californium-osgi bundles fail signature verification with Java's jarsigner tool.

I took a look into this over the weekend and was able to reproduce it with all published californium-osgi bundles, i.e. versions 1.0.0 up to and including 1.0.3. Note that this only affects the californium-osgi artifacts; all other artifacts seem to verify correctly using jarsigner.

The reason for this is that as part of our release build we alter the californium-osgi bundle _after_ it has been signed using the Eclipse private key :-( I have fixed this in the build job so that future releases should not have this problem anymore. I am very sorry for the inconvenience this has caused some of you.

In connection with this issue I have also found out that the Maven Bundle plugin that we use to create the OSGi Manifest in californium-osgi does not include a newline character at the end of the generated Manifest. This doesn't seem like a big thing, but it ultimately results in a signed jar file for which the jarsigner tool reports that it contains unsigned files. Verification still passes, though. I have filed a bug report against the Maven Bundle plugin [1], where you can also find an explanation for this behavior (based on my understanding of the JAR signing process).

Once this bug has been fixed I suggest we create a 1.0.4 bugfix release producing a californium-osgi bundle that can be successfully verified.

[1] https://issues.apache.org/jira/browse/FELIX-5227

Regards,
Kai
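Added example (not from the Californium project or from this mail): a small Python audit that reproduces, on a constructed JAR, the two symptoms described above. An entry replaced after the manifest was digested shows up as a digest mismatch, an entry added after signing shows up as unsigned, and a manifest without a trailing newline is flagged. It only checks manifest coverage and per-entry SHA-256 digests; it does not verify the .SF/.RSA signature block, and the signature file names are assumed.

```python
import base64, hashlib, io, zipfile

SIGNATURE_FILES = {"META-INF/MANIFEST.MF", "META-INF/ECLIPSE.SF", "META-INF/ECLIPSE.RSA"}  # not digested

def parse_manifest(text):
    """Return {entry name: {attribute: value}} for the per-entry manifest sections."""
    sections, current, last = {}, None, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last:            # 72-byte line-wrap continuation
            sections[current][last] += raw[1:]
        elif raw == "":                             # blank line ends a section
            current = last = None
        elif ": " in raw:
            key, value = raw.split(": ", 1)
            if key == "Name":
                current, last, sections[value] = value, None, {}
            elif current is not None:
                sections[current][key], last = value, key
    return sections

def audit_jar(data):
    """Per-entry checks in the spirit of jarsigner -verify; returns a list of findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF")
        if not manifest.endswith(b"\n"):
            findings.append("manifest has no trailing newline")
        digests = parse_manifest(manifest.decode())
        for name in zf.namelist():
            if name in SIGNATURE_FILES or name.endswith("/"):
                continue
            expected = digests.get(name, {}).get("SHA-256-Digest")
            actual = base64.b64encode(hashlib.sha256(zf.read(name)).digest()).decode()
            if expected is None:
                findings.append(f"{name}: unsigned (not listed in manifest)")
            elif actual != expected:
                findings.append(f"{name}: digest mismatch (modified after signing)")
    return findings

def build_jar(signed, unsigned=None, trailing_newline=True):
    """Constructed JAR: manifest digests `signed`; `unsigned` is added/replaced afterwards."""
    lines = ["Manifest-Version: 1.0"]
    for name, content in signed.items():
        digest = base64.b64encode(hashlib.sha256(content).digest()).decode()
        lines += ["", f"Name: {name}", f"SHA-256-Digest: {digest}"]
    manifest = "\n".join(lines) + ("\n" if trailing_newline else "")
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, content in {**signed, **(unsigned or {})}.items():  # post-signing edits win
            zf.writestr(name, content)
    return buf.getvalue()
```

Running `audit_jar` over a real bundle needs only the path read into bytes; a clean result means every non-signature entry is listed in the manifest with a matching digest, which is the property the post-signing build step violated.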