bc-java

Do not use version ranges when publishing artifacts

Open idelpivnitskiy opened this issue 7 months ago • 2 comments

Starting from version 1.80, org.bouncycastle published artifacts use version ranges when referencing other bouncycastle modules. Example: https://mvnrepository.com/artifact/org.bouncycastle/bcpkix-jdk18on/1.80

Some build tools and plugins do not support this format and fail with an exception. Here is an example from a Gradle project:

   > Could not resolve org.bouncycastle:bcutil-jdk18on:[1.80,1.81).
     Required by:
         project > org.bouncycastle:bcpkix-jdk18on:1.80
         project > org.bouncycastle:bctls-jdk18on:1.80
      > Failed to list versions for org.bouncycastle:bcutil-jdk18on.
         > Unable to load Maven meta-data from https://repo1.maven.org/maven2/org/bouncycastle/bcutil-jdk18on/maven-metadata.xml.
            > org.xml.sax.SAXNotRecognizedException: Property 'http://javax.xml.XMLConstants/property/accessExternalSchema' is not recognized.
      > Failed to list versions for org.bouncycastle:bcutil-jdk18on.
         > Unable to load Maven meta-data from https://repo1.maven.org/maven2/org/bouncycastle/bcutil-jdk18on/maven-metadata.xml.
            > org.xml.sax.SAXNotRecognizedException: Property 'http://javax.xml.XMLConstants/property/accessExternalSchema' is not recognized.

The workaround is to enforce a single version via resolutionStrategy:

allprojects {
    configurations.all {
        resolutionStrategy.eachDependency {
            if (requested.group == "org.bouncycastle" && requested.name.contains("jdk18on") &&
                requested.version?.startsWith('[') == true) {
                useVersion(Versions.bouncycastle)
            }
        }
    }
}

I could not find what commit caused this change between 1.79 and 1.80. Consider reverting behavior for the next release to how it was before (specify exact version number): https://mvnrepository.com/artifact/org.bouncycastle/bcpkix-jdk18on/1.79

idelpivnitskiy May 27 '25 06:05
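An added example, not part of the issue or of the bc-java project: a small Python check that lists which direct dependencies in a POM are declared as version ranges, such as the `[1.80,1.81)` in the error above. The sample POM is constructed (only the bcutil range is taken from the error output), and the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
HARD_PIN = re.compile(r"^\[[^,\[\]()]+\]$")  # "[1.80]" names exactly one version

# Constructed sample; the com.example dependencies are made up for illustration.
SAMPLE_POM = b"""<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.bouncycastle</groupId><artifactId>bcutil-jdk18on</artifactId>
      <version>[1.80,1.81)</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>lib-a</artifactId>
      <version>2.3.1</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>lib-b</artifactId>
      <version>[4.0]</version></dependency>
  </dependencies>
</project>"""

def classify(version):
    """Classify a Maven <version> string: range, pinned, fixed, property or unset."""
    v = (version or "").strip()
    if not v:
        return "unset"      # version comes from dependencyManagement or a BOM
    if "${" in v:
        return "property"   # not interpolated here; resolve the property first
    if HARD_PIN.match(v):
        return "pinned"
    if v[0] in "[(":
        return "range"      # e.g. [1.80,1.81) or (,1.0],[1.2,)
    return "fixed"          # plain "1.80"

def audit_pom(pom_bytes):
    """Return (group, artifact, version, kind) for each direct dependency."""
    # POMs need no DTD; refuse one instead of handing it to the XML parser.
    if b"<!DOCTYPE" in pom_bytes or b"<!ENTITY" in pom_bytes:
        raise ValueError("POM contains a DTD; refusing to parse")
    root = ET.fromstring(pom_bytes)
    rows = []
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        g = dep.findtext("m:groupId", "", POM_NS)
        a = dep.findtext("m:artifactId", "", POM_NS)
        v = dep.findtext("m:version", "", POM_NS).strip()
        rows.append((g, a, v, classify(v)))
    return rows

def ranged(pom_bytes):
    """Coordinates of dependencies whose version is an open range."""
    return [f"{g}:{a}:{v}" for g, a, v, kind in audit_pom(pom_bytes) if kind == "range"]
```

`ranged()` reports only true ranges; a hard pin such as `[4.0]` uses bracket syntax but names a single version, so it is classified separately.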

I second that, please return to releasing with fixed versions. If releasing with a version range is an explicit choice, please provide a link to the ticket or discussion.

m-schutte-ohra-nl Jun 03 '25 07:06

Hey @idelpivnitskiy, the error you see points at an outdated / insecure XML parser on your build classpath (./gradlew buildEnvironment), usually pulled in by outdated plugins. https://docs.gradle.org/current/userguide/upgrading_version_8.html#xml_parsing_now_requires_recent_parsers

The workaround should not be needed after making sure your build does not pull in an insecure XML parser.

cobexer Jun 03 '25 10:06

In view of @cobexer's comment I'm closing this one as better to leave in place since it sounds like the real issue is use of an outdated XML parser. If that's not the case, or anyone feels very strongly about it, feel free to reopen and give details about the case that has led to the re-opening. Thanks.

dghgit Aug 11 '25 04:08