-
Notifications
You must be signed in to change notification settings - Fork 38.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AOT mode with signed JARs fails #29019
Comments
Interestingly, the generated JAR from boot can be run, both in normal and in AOT mode. But when i try to build the native image with
|
Maybe a GraalVM bug to raise on their bugtracker? |
I don't think this is a bug, as we're doing something (generating code in the same package as in a signed JAR) which is not allowed by the JVM. I'm quite surprised that the resulting JAR from |
what's the differences for these two? |
FYI this issue is blocking Azure support deployed JAR to be signed.
Not sure since that's more a Boot question. Maybe |
@jhoeller and I brainstormed this morning and we believe that offering an option where AOT does not create a split package should be added. We're even considering this to be the default, with an opt-in optimization to the current behavior. We like that AOT creates a structure that matches the structure of the original configuration. With Spring Boot in particular, it is very easy to see which auto-configurations were processed. We think we should keep this, by adding this infrastructure under the application's package name. Rather than generating code in Looking at the API, we've already quite a good abstraction with |
Looks good, but please let's have data points on the RSS footprint impact and a team discussion before deciding if we switch the default or not. |
Some WIP is here https://github.com/snicoll/spring-framework/tree/gh-29019 - I can see two problems so far:
|
Unfortunately, the default code fragments assume that if an privileged access is required, the generated code is in the package where the privileged member is located. We need to improve that before considering what I've started as an option. |
Also blocked by #28875 |
I had a deeper look on alternative solutions, and was able to find a workaround on both JVM and native by passing a Few remarks:
|
After a lot of consideration, we have realized that this is a problem that is not practical to solve at the core framework level. Our generated configuration needs to have access to package-local elements in common scenarios, not least of it all in order to avoid unnecessary reflection. For that reason, we decided to preserve our package-local generation approach. If a separate jar with a split package arrangement or different jar signatures turns out to be an issue (also e.g. in the module system), the application build may combine them into a single jar that contains both the original classes and the generated configuration. Alternatively, the application build may also simply remove the jar signature before proceeding. |
FYI the currrent workaround proposed to get both Native Build Tools and Buildpacks support is:
With an
|
Original issue on Spring Native side: spring-attic/spring-native#1699
Hey,
Spring AOT mode currently fails if you're using an auto-configuration from an external JAR which has been signed with
jarsigner
tool.I've created a reproducer here: https://github.com/mhalbritter/spring-aot-jarsigner-reproducer
The problem is that
dependency.jar
contains an auto-configuration namedDependencyAutoConfiguration
in thedependency
package. Thedependency.jar
has been signed withjarsigner
and contains aMETA-INF/SIGN-KEY.SF
file. The AOT mode generates code (dependency.DependencyAutoConfiguration__BeanDefinitions
) which uses the same package as independency.jar
, which is getting included in the main boot JAR. But this JAR doesn't have the same signature on it. This will lead to this exception thrown by the JVM when usinggradle bootRun
:The text was updated successfully, but these errors were encountered: