BouncyCastle provider version 1.47 in Gradle's Artifactory is outdated


(detelinyordanov) #1

Hi,

We have been using Gradle’s Artifactory repository in our builds (actually we used it to populate our internal Artifactory repository) and noticed that the following BouncyCastle module is not valid:

http://gradle.artifactoryonline.com/gradle/libs/org/bouncycastle/bcprov-jdk15on/1.47/

The ‘bcprov-jdk15on-1.47.jar’ has an invalid ‘Bundle-Version’ header and is not usable in OSGi. Apparently this has been fixed on both the official BouncyCastle download site and the Central Maven repository:

http://www.bouncycastle.org/download/bcprov-jdk15on-147.jar

http://central.maven.org/maven2/org/bouncycastle/bcprov-jdk15on/1.47/

I suppose that the manifest problem was reported and was fixed but without increasing the BouncyCastle version. Do you mind updating Gradle’s Artifactory module so that it matches the officially available version?

Regards,

Detelin


(Luke Daley) #2

I’ve deleted this from repo.gradle.org.

It had proxied it from http://repo-demo.jfrog.org/artifactory/repo1/org/bouncycastle/bcprov-jdk15on/1.47/, so if that’s wrong as well the same problem might occur.

It’s very strange that this was updated in Maven Central. They have a strict policy of never changing binaries once they get into the repository. Something must have gone wrong.


(detelinyordanov) #3

Thanks Luke,

The one on JFrog’s repo is also invalid. I’m not sure whether this one was available on Maven Central and later fixed; it could be that the initial invalid version originated from JFrog’s repo by manual upload from BC’s download page. It might have never been available on Maven Central…

Anyway, this issue was introduced by BC - apparently they decided that a simple manifest fix is not enough for them to increase their version, which is not correct IMHO.

Regards,

Detelin


(Luke Daley) #4

Yeah, this is exactly the kind of problem that re-releasing causes.

So does the version in Maven Central have the right manifest?


(detelinyordanov) #5

Yes, it has a correct manifest with ‘Bundle-Version: 1.47’, and it also has the same md5 checksum (7749dd7eca4403fb968ddc484263736a) as the one on the official BC download page, so I think it is OK to mirror it from there.
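
An added example, not part of the original posts and not code from Gradle, JFrog or BouncyCastle: a Python check of the two things compared in this thread, the jar's `Bundle-Version` header and its digest, across copies of one released version held by different repositories. The jars, the repository names and the invalid value `1.47.x` are constructed for illustration (the thread does not say what the bad header contained), and SHA-256 is the default digest where the thread compared md5.

```python
import hashlib
import io
import re
import zipfile

# OSGi version grammar: major[.minor[.micro[.qualifier]]]
OSGI_VERSION = re.compile(r"\d+(\.\d+(\.\d+(\.[0-9A-Za-z_-]+)?)?)?")


def main_attributes(jar_bytes):
    """Parse the manifest's main section (up to the first blank line)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    main = text.split("\n\n", 1)[0].replace("\n ", "")  # unwrap continuations
    return dict(ln.split(": ", 1) for ln in main.split("\n") if ": " in ln)


def describe(jar_bytes, algo="sha256"):
    """Return (digest, Bundle-Version, whether OSGi accepts that version)."""
    version = main_attributes(jar_bytes).get("Bundle-Version")
    valid = bool(version and OSGI_VERSION.fullmatch(version.strip()))
    return hashlib.new(algo, jar_bytes).hexdigest(), version, valid


def compare(copies):
    """copies maps repository name -> jar bytes for ONE released version."""
    report = {name: describe(data) for name, data in copies.items()}
    republished = len({digest for digest, _, _ in report.values()}) > 1
    return report, republished  # republished: same version, different bytes


def make_jar(bundle_version):
    """Build a constructed one-entry jar (not the real BouncyCastle file)."""
    manifest = ("Manifest-Version: 1.0\r\nBundle-SymbolicName: example.bundle\r\n"
                f"Bundle-Version: {bundle_version}\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed values: the thread does not say what the bad header held.
    report, republished = compare({"proxy": make_jar("1.47.x"),
                                   "central": make_jar("1.47")})
    for name, (digest, version, valid) in report.items():
        print(name, digest[:16], version, "valid" if valid else "INVALID")
    print("same version, different bytes:", republished)
```

A `True` second result from `compare` means the repositories hold different bytes under the same version, which is the re-release situation discussed in this thread.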


(Luke Daley) #6

Detelin,

Can you ask JFrog about getting this fixed in their upstream? It’s not easy for us to get the Maven version in as we need to consume from them.