[Reproducible-builds] Bug#807669: dh-strip-nondeterminism: Breaks some jar file

Andrew Ayer agwa at andrewayer.name
Sun Dec 13 23:31:36 UTC 2015


Hi Sophie,

I took a look at dirbuster, and it looks like it doesn't actually build
anything; instead it just installs a signed .jar that is shipped with
the source, and strip-nondeterminism's modifications break the
signature.

Therefore, my recommendation is that you continue to disable
strip-nondeterminism in debian/rules.  Since dirbuster doesn't actually
build anything, there's no nondeterminism to be stripped :-)

Let me know if I've misread this and there is actually some building
being done here.

Cheers,
Andrew


On Fri, 11 Dec 2015 15:21:57 +0100
Sophie Brun <sophie at freexian.com> wrote:

> Package: dh-strip-nondeterminism
> Version: 0.014-1
> Severity: normal
> 
> When building the package dirbuster (for kali),
> dh_strip_nondeterminism breaks the jar file.
> 
> The package is built but when I tried to launch the program, it
> failed with this error:
> 
> Exception in thread "main" java.lang.SecurityException: Invalid signature file digest for Manifest main attributes
>     at sun.security.util.SignatureFileVerifier.processImpl(SignatureFileVerifier.java:287)
>     at sun.security.util.SignatureFileVerifier.process(SignatureFileVerifier.java:240)
>     at java.util.jar.JarVerifier.processEntry(JarVerifier.java:274)
>     at java.util.jar.JarVerifier.update(JarVerifier.java:228)
>     at java.util.jar.JarFile.initializeVerifier(JarFile.java:348)
>     at java.util.jar.JarFile.getInputStream(JarFile.java:415)
>     at sun.misc.URLClassPath$JarLoader$2.getInputStream(URLClassPath.java:775)
>     at sun.misc.Resource.cachedInputStream(Resource.java:77)
>     at sun.misc.Resource.getByteBuffer(Resource.java:160)
>     at java.net.URLClassLoader.defineClass(URLClassLoader.java:436)
>     at java.net.URLClassLoader.access$100(URLClassLoader.java:71)
>     at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
>     at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
>     at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
>     at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
>     at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
>     at com.sittinglittleduck.DirBuster.Start.main(Start.java:51)
> 
> 
> Disabling dh_strip_nondeterminism in debian/rules (via
> override_dh_...) fixed it.
> 
> The source of package dirbuster can be found:
> git://git.kali.org/packages/dirbuster.git
> 
> -- System Information:
> Debian Release: stretch/sid
>   APT prefers testing
>   APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 4.3.0-rc3-amd64 (SMP w/4 CPU cores)
> Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages dh-strip-nondeterminism depends on:
> ii  debhelper                         9.20151126
> ii  libfile-stripnondeterminism-perl  0.014-1
> ii  libtimedate-perl                  2.3000-2
> ii  perl                              5.20.2-6
> 
> dh-strip-nondeterminism recommends no packages.
> 
> dh-strip-nondeterminism suggests no packages.
> 
> -- no debconf information
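
Added example, not part of the original thread and not strip-nondeterminism's own code: a check that a packaging step could run before rewriting a jar, reporting whether the jar carries signature files and whether the main-attributes digest recorded in its .SF file still matches the manifest (the digest named in the error above). It assumes SHA-256 and a digest taken over the manifest's main section including its terminating blank line; the jar contents, the EXAMPLE.SF name and the reordered manifest are constructed samples.

```python
import base64, hashlib, io, re, zipfile

# Signature-related entries defined by the JAR file specification.
SIG_RE = re.compile(r"^META-INF/(SIG-[^/]*|[^/]+\.(SF|RSA|DSA|EC))$", re.I)
ATTR = "SHA-256-Digest-Manifest-Main-Attributes: "

def main_digest(manifest):
    """Base64 SHA-256 of the main section, through its terminating blank line."""
    m = re.search(rb"\r?\n\r?\n", manifest)
    section = manifest[:m.end()] if m else manifest
    return base64.b64encode(hashlib.sha256(section).digest()).decode()

def check_jar(data):
    """Return (signed, digest_ok); digest_ok is None when no .SF records one."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        sig = [n for n in jar.namelist() if SIG_RE.match(n)]
        if not sig:
            return (False, None)
        actual = main_digest(jar.read("META-INF/MANIFEST.MF"))
        ok = None
        for name in (n for n in sig if n.upper().endswith(".SF")):
            # Unfold 72-byte continuation lines before reading attributes.
            text = re.sub(r"\r?\n ", "", jar.read(name).decode("utf-8"))
            for line in text.splitlines():
                if line.startswith(ATTR):
                    ok = (line[len(ATTR):] == actual) and ok is not False
        return (True, ok)

def build_jar(manifest, signed=True, sf_manifest=None):
    """Constructed sample jar; the .SF digest is computed over sf_manifest."""
    line = ATTR + main_digest(sf_manifest or manifest)
    sf = "Signature-Version: 1.0\r\n" + line[:72] + "\r\n " + line[72:] + "\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            z.writestr("META-INF/EXAMPLE.SF", sf)
        z.writestr("Start.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()

# Constructed manifests: SHIPPED as signed upstream, REWRITTEN after a
# hypothetical post-processing step reordered the main attributes.
SHIPPED = b"Manifest-Version: 1.0\r\nCreated-By: constructed\r\nMain-Class: Start\r\n\r\n"
REWRITTEN = b"Manifest-Version: 1.0\r\nMain-Class: Start\r\nCreated-By: constructed\r\n\r\n"

if __name__ == "__main__":
    print(check_jar(build_jar(SHIPPED)))                         # intact signed jar
    print(check_jar(build_jar(REWRITTEN, sf_manifest=SHIPPED)))  # manifest changed after signing
    print(check_jar(build_jar(SHIPPED, signed=False)))           # unsigned jar
```

A result of `(True, ...)` means the jar is signed and should be installed byte-for-byte as shipped; `(True, False)` is the state that produces the SecurityException quoted above.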


