openjdk-11 11.0.17 in Debian unstable fails to verify weak signatures:
jarsigner -verbose -strict -verify tests/signindex/guardianproject.jar
131 Fri Dec 02 20:10:00 CET 2016 META-INF/MANIFEST.MF
252 Fri Dec 02 20:10:04 CET 2016 META-INF/1.SF
2299 Fri Dec 02 20:10:04 CET 2016 META-INF/1.RSA
0 Fri Dec 02 20:09:58 CET 2016 META-INF/
m ? 48743 Fri Dec 02 20:09:58 CET 2016 index.xml
s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
? = unsigned entry
- Signed by "EMAILADDRESS=root@guardianproject.info, CN=guardianproject.info, O=Guardian Project, OU=FDroid Repo, L=New York, ST=New York, C=US"
Digest algorithm: SHA1 (disabled)
Signature algorithm: SHA1withRSA (disabled), 4096-bit key
WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024, SHA1 denyAfter 2019-01-01, include jdk.disabled.namedCurves
getsig.java was replaced by a Python implementation in 6e2d0a9e (2014)
and the test was only there to compare the results for the transition.
Dropping this as it no longer works starting with 11.0.17+8.
This process creates three copies of the buildserver image, all of which
are large. So deleting the unused one is quite helpful:
```
-rw-r--r-- 1 fdroid fdroid 20G 8. Nov 15:22 /home/fdroid/.vagrant.d/boxes/buildserver/0/libvirt/box.img
-rw------- 1 root root 19G 8. Nov 14:07 /var/lib/libvirt/images/buildserver_default.img
-rwxr--r-- 1 libvirt-qemu libvirt-qemu 20G 8. Nov 16:08 /var/lib/libvirt/images/buildserver_vagrant_box_image_0_box.img
```
If Vagrantfile.yaml exists, makebuildserver should no longer try to write
to it. It is now manully managed now that makebuildserver.config.py no
longer exists. Also, now that the buildserver is smaller, the workflow is
to always destroy and recreate it rather than ever try to reprovision it.
This is not user-configurable, so it should not be setup to be. This
process is only tested on the one basebox, and devs can just edit
Vagrantfile directly to test other base boxes.
# Conflicts:
# makebuildserver
Make sudo, init prebuild, build and Prepare fields lists and only
concatenate them with '; ' before execution. This allows arbitrary
commands inside the fileds (even && and ';') as we don't need to split
the commands again for rewritemeta.
Boxes are stored in two places when using vagrant-libvirt:
1. `vagrant box add` -> ~/.vagrant.d/boxes/buildserver/0/libvirt/
2. `vagrant up` -> /var/lib/libvirt/images/buildserver_vagrant_box_image_0_box.img
If the second box is not cleaned up, then `fdroid build` will continue
to use the one from the second location, thereby ignoring the updated
one at the first location. This keeps the second one around until the
new box is ready in case `fdroid build` is using it while this script
is running.