Re: [orbit-dev] Jar Signing and the Orbit Build

David, Tom,

Thanks for the time you have spent on this.  Here is the bug:

Our representative on the SDO spec committee has assured me that this problem is addressed in the next version of the spec and the code that causes the problem will be deprecated in the next version.

Thanks again,

Thomas Watson wrote:
There is a check that the ClassLoader does when two or more classes in the same package are defined with different CodeSource objects on the same ClassLoader. The first class defined in a package for a given ClassLoader decides what certificates ALL the other classes in that package must be signed with. When run within Eclipse/OSGi by default the bundle class loaders use CodeSource objects that do not contain the certificates of the signers. So the ClassLoader check is short circuited. In Equinox you can enable an option to to use CodeSources that contain signing certificates (but this is disabled by default and it has a rather expensive overhead). This is only an issue if one or more fragments of a host contribute to the same package which exists in the host or you have inner jar on the bundle class path that contribute to the same package. In this case the host and all the fragment contents are loaded with the same class loader (see and

When running in a JavaSE environment (non-Equinox), if the two jars are loaded with the same URLClassLoader then you will see this issue because of the class loader cert check. The same URLClassLoader will be used if the two jars are placed on the -classpath. I must say the requirement to have the implementation of SDO be in the same package (commonj) seems like an ill thought out design. I cannot think of another example where an implementation of some API (or SPI) must be placed in the same package as the actual API they are implementing.


Many mysteries ... and if you sign both there is no problem?! And it happens in Eclipse/OSGi and non-Eclipse/OSGi environments?

And, yes, buddy-class loading would only help for OSGi/Eclipse environments (but in non-Eclipse environment, usually direct manipulation of the classpath would accomplish the same thing). Sounds more complicated than that.

I'd have to study this some to understand it, and I'm hoping one of the signing and OSGi experts will chime in before I have to study it :)

but let's plan that if not fixed/understood by next Tuesday, we add 'commonj.sdo.jar' to the "no sign" list. Please open an Orbit bugzilla to remind me. Perhaps there would be the best place to carry on the discussion. But, one way or another, we'll get you running with next Orbit RC.

Sounds like you just might have stumbled upon a true technical reason not to sign a jar. And, if so, I'm sure you'll work with the standards body to get them to fix that broken part of their spec. :)


Hi David,

I, too, am surprised this is issue appears to be related to signing, but all
the evidence points to the fact that it does.

 In the scenario I mentioned below, if we either remove signing from the
commonj.sdo.jar or sign implementation.jar, the problem goes away. No other
changes are required.

The issue only occurs outside of OSGi. The case that is failing for us is a pure Java SE set of JUnit tests. Additionally, SDO needs to work in a variety of cases including OSGi, various application servers, spring, and Java SE. As a
result, whatever solution we come up with needs to be quite general. As a
result, I am not sure how buddy classloading can help.

 I have not been able to find much documentation about what is supposed to
happen when packages are split between jars and one jar is signed and the other is not. The following post to the hibernate forum describes a similar problem where a combination of signed classes and unsigned classes fails when packages
are split.
__ <>


