Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build(deps): bump net.jsign:jsign-core from 6.0 to 7.0 #604

Merged
merged 1 commit into from
Feb 10, 2025
Merged

build(deps): bump net.jsign:jsign-core from 6.0 to 7.0 #604

merged 1 commit into from
Feb 10, 2025

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jan 20, 2025
edited
Loading

Bumps net.jsign:jsign-core from 6.0 to 7.0.

Release notes

Sourced from net.jsign:jsign-core's releases.

7.0

  • New signing services:
    • Azure Trusted Signing
    • Oracle Cloud
    • GaraSign
    • HashiCorp Vault Transit (contributed by Eatay Mizrachi)
    • Keyfactor SignServer (contributed by Björn Kautler)
  • Signing of NuGet packages has been implemented (contributed by Sebastian Stamm)
  • Commands have been added:
    • timestamp: timestamps the signatures of a file
    • tag: adds unsigned data (such as user identification data) to signed files
    • extract: extracts the signature from a signed file, in DER or PEM format
    • remove: removes the signature from a signed file
  • The intermediate certificates are downloaded if missing from the keystore or the certificate chain file
  • File list files prefixed with @ are now supported with the command line tool to sign multiple files
  • Wildcard patterns are now accepted by the command line tool to scan directories for files to sign
  • Jsign now checks if the certificate subject matches the app manifest publisher before signing APPX/MSIX packages (with contributions from Scott Cooper)
  • The new --debug, --verbose and --quiet parameters control the verbosity of the output messages
  • The JCA provider now works with apksigner for signing Android applications
  • RSA 4096 keys are supported with the PIV storetype (for Yubikeys with firmware version 5.7 or higher)
  • Certificates using an Ed25519 or Ed448 key are now supported (experimental)
  • Signatures on MSI files with gaps in the mini FAT are no longer invalid
  • The APPX/MSIX bundles are now signed with the correct Authenticode UUID
  • The signed APPX/MSIX files no longer contain a [Content_Types].old entry
  • The error message displayed when the password of a PKCS#12 keystore is missing has been fixed
  • The log4j configuration warning displayed when signing a MSI file has been fixed (contributed by Pascal Davoust)
  • The value of the storetype parameter is now case insensitive
  • The Azure Key Vault account no longer needs the permission to list the keys when signing with jarsigner
  • The DigiCert ONE host can now be specified with the keystore parameter
  • The AWS_USE_FIPS_ENDPOINT environment variable is now supported to use the AWS KMS FIPS endpoints (contributed by Sebastian Müller)
  • On Windows the YubiKey library path is automatically added to the PATH of the command line tool
  • Signing more than one file with the YUBIKEY storetype no longer triggers a CKR_USER_NOT_LOGGED_IN error
  • MS Cabinet files with a pre-allocated reserve are now supported
  • The --certfile parameter can now be used to replace the certificate chain from the keystore
  • PVK and PEM key files are now properly loaded even if the extension is not recognized (contributed by Alejandro González)
  • API changes:
    • The keystore builder and the JCA provider are now in a separate jsign-crypto module
    • The PEFile class has been refactored to keep only the methods related to signing
    • The java.util.logging API is now used to log debug messages under the net.jsign logger
    • Signable implementations are now discovered dynamically using the ServiceLoader mechanism
    • Signable.createContentInfo() has been replaced with Signable.createSignedContent()
  • Switched to BouncyCastle LTS 2.73.7
Commits
  • f56f7a2 Release version 7.0
  • 5eb6a50 Link the javadoc to the Bouncy Castle LTS javadoc
  • 545be87 Support server-side hashing for SignServer (#260)
  • bd2a60c Updated the SignServer documentation
  • 345af97 Add back PESignerTask into the all-in-one jar
  • f01bbb5 Changed the japicmp settings to ignore the recently removed classes and methods
  • 30cd7d2 Updated the Maven plugins
  • 6b3f8b4 Updated the dependencies
  • 67997ef Upgraded POI to 5.4.0 (fixes MSI files with gaps in the mini FAT)
  • c3a19e1 Use assertThrows() to test the exceptions
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Jan 20, 2025
@dependabot dependabot bot requested a review from mbarbero January 20, 2025 08:01
@github-actions GitHub Actions
Copy link

⚠️ Failed to request review of not vetted licenses.

Workflow run (with attached summary files):
https://github.com/eclipse-cbi/org.eclipse.cbi/actions/runs/12863488758

@akurtakov
Copy link
Contributor

/request-license-review

@github-actions GitHub Actions
Copy link

/request-license-review

License review requests:

After all reviews have concluded, re-run the license-vetting check from the Github Actions web-interface to update its status.

Workflow run (with attached summary files):
https://github.com/eclipse-cbi/org.eclipse.cbi/actions/runs/12863531267

@akurtakov
Copy link
Contributor

@dependabot rebase

@dependabot dependabot bot force-pushed the dependabot/maven/net.jsign-jsign-core-7.0 branch from fc2fa19 to ec46273 Compare January 27, 2025 09:02
@github-actions GitHub Actions
Copy link

License review requests:

After all reviews have concluded, re-run the license-vetting check from the Github Actions web-interface to update its status.

Workflow run (with attached summary files):
https://github.com/eclipse-cbi/org.eclipse.cbi/actions/runs/12985398866

@akurtakov
Copy link
Contributor

@dependabot rebase

@dependabot dependabot bot force-pushed the dependabot/maven/net.jsign-jsign-core-7.0 branch from ec46273 to 5af29ba Compare February 3, 2025 08:40
@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 3, 2025

License review requests:

After all reviews have concluded, re-run the license-vetting check from the Github Actions web-interface to update its status.

Workflow run (with attached summary files):
https://github.com/eclipse-cbi/org.eclipse.cbi/actions/runs/13109513568

@akurtakov
Copy link
Contributor

@dependabot rebase

@dependabot
build(deps): bump net.jsign:jsign-core from 6.0 to 7.0
a6099ba 
Bumps [net.jsign:jsign-core](https://github.com/ebourg/jsign) from 6.0 to 7.0.
- [Release notes](https://github.com/ebourg/jsign/releases)
- [Changelog](https://github.com/ebourg/jsign/blob/master/RELEASE.md)
- [Commits](ebourg/jsign@6.0...7.0)

---
updated-dependencies:
- dependency-name: net.jsign:jsign-core
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/maven/net.jsign-jsign-core-7.0 branch from 5af29ba to a6099ba Compare February 10, 2025 09:00
@github-actions GitHub Actions
Copy link

⚠️ Failed to request review of not vetted licenses.

Workflow run (with attached summary files):
https://github.com/eclipse-cbi/org.eclipse.cbi/actions/runs/13237118585

@akurtakov akurtakov merged commit 1817587 into main Feb 10, 2025
6 checks passed
@akurtakov akurtakov deleted the dependabot/maven/net.jsign-jsign-core-7.0 branch February 10, 2025 09:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mbarbero mbarbero Awaiting requested review from mbarbero

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file java Pull requests that update Java code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@akurtakov