diff -Nru eclipse-3.5.2/debian/changelog eclipse-3.5.2/debian/changelog
--- eclipse-3.5.2/debian/changelog 2010-09-30 16:52:32.000000000 +0100
+++ eclipse-3.5.2/debian/changelog 2010-10-07 11:03:15.000000000 +0100
@@ -1,3 +1,9 @@
+eclipse (3.5.2-6ubuntu2) maverick; urgency=low
+
+ * Backported fix for finding root CA in keystore rather than from JAR. (LP: #655833)
+
+ -- TJ Wed, 6 Oct 2010 18:45:00 +0100
+
 eclipse (3.5.2-6ubuntu1) maverick; urgency=low
 
 * debian/extra/eclipse:
diff -Nru eclipse-3.5.2/debian/patches/osgi-security-ignore-root-CA-in-JAR-find-in-cacerts.patch eclipse-3.5.2/debian/patches/osgi-security-ignore-root-CA-in-JAR-find-in-cacerts.patch
--- eclipse-3.5.2/debian/patches/osgi-security-ignore-root-CA-in-JAR-find-in-cacerts.patch 1970-01-01 01:00:00.000000000 +0100
+++ eclipse-3.5.2/debian/patches/osgi-security-ignore-root-CA-in-JAR-find-in-cacerts.patch 2010-10-07 11:01:26.000000000 +0100
@@ -0,0 +1,73 @@
+Description: Ignore root CA in signed jar, find in cacerts.
+Author: Thomas Watson
+Bug: https://bugs.launchpad.net/ubuntu/+source/eclipse/+bug/655833
+Bug: https://bugs.eclipse.org/bugs/show_bug.cgi?id=309059
+Applied-Upstream: yes
+
+--- a/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
++++ b/eclipse/plugins/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
+@@ -101,27 +101,19 @@
+
+ try {
+ Certificate rootCert = null;
+-
+ KeyStore store = getKeyStore();
+ for (int i = 0; i < certChain.length; i++) {
+ if (certChain[i] instanceof X509Certificate) {
+- if (i == certChain.length - 1) { //this is the last certificate in the chain
++ if (i == certChain.length - 1) {
++ // this is the last certificate in the chain
++ // determine if we have a valid root
+ X509Certificate cert = (X509Certificate) certChain[i];
+ if (cert.getSubjectDN().equals(cert.getIssuerDN())) {
+- certChain[i].verify(certChain[i].getPublicKey());
+- rootCert = certChain[i]; // this is a self-signed certificate
++ cert.verify(cert.getPublicKey());
++ rootCert = cert; // this is a self-signed certificate
+ } else {
+ // try to find a parent, we have an incomplete chain
+- synchronized (store) {
+- for (Enumeration e = store.aliases(); e.hasMoreElements();) {
+- Certificate nextCert = store.getCertificate((String) e.nextElement());
+- if (nextCert instanceof X509Certificate && ((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN())) {
+- cert.verify(nextCert.getPublicKey());
+- rootCert = nextCert;
+- break;
+- }
+- }
+- }
++ return findAlternativeRoot(cert, store);
+ }
+ } else {
+ X509Certificate nextX509Cert = (X509Certificate) certChain[i + 1];
+@@ -138,6 +130,10 @@
+ if (alias != null)
+ return store.getCertificate(alias);
+ }
++ // if we have reached the end and the last cert is not found to be a valid root CA
++ // then we need to back off the root CA and try to find an alternative
++ if (certChain.length > 1 && i == certChain.length - 1 && certChain[i - 1] instanceof X509Certificate)
++ return findAlternativeRoot((X509Certificate) certChain[i - 1], store);
+ }
+ }
+ } catch (KeyStoreException e) {
+@@ -149,6 +145,19 @@
+ return null;
+ }
+
++ private Certificate findAlternativeRoot(X509Certificate cert, KeyStore store) throws InvalidKeyException, KeyStoreException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, CertificateException {
++ synchronized (store) {
++ for (Enumeration e = store.aliases(); e.hasMoreElements();) {
++ Certificate nextCert = store.getCertificate((String) e.nextElement());
++ if (nextCert instanceof X509Certificate && ((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN())) {
++ cert.verify(nextCert.getPublicKey());
++ return nextCert;
++ }
++ }
++ return null;
++ }
++ }
++
+ protected String doAddTrustAnchor(Certificate cert, String alias) throws IOException, GeneralSecurityException {
+ if (isReadOnly())
+ throw new IOException(SignedContentMessages.Default_Trust_Read_Only);
diff -Nru eclipse-3.5.2/debian/patches/series eclipse-3.5.2/debian/patches/series
--- eclipse-3.5.2/debian/patches/series 2010-08-20 09:45:34.000000000 +0100
+++ eclipse-3.5.2/debian/patches/series 2010-10-07 11:01:00.000000000 +0100
@@ -22,3 +22,4 @@
 sat4j-version.patch
 add-o.e.equinox.concurrent.patch
 pdebuild-workspace.patch
+osgi-security-ignore-root-CA-in-JAR-find-in-cacerts.patch
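Review bot: In the new `findAlternativeRoot` helper added to KeyStoreTrustEngine.java, `cert.verify(nextCert.getPublicKey())` throws on the first keystore entry whose subject DN equals the issuer DN, so a later entry with the same DN but the correct key is never tried. Trust stores often hold two anchors under one subject name (for example after a CA key renewal), and in that case validly signed content would be reported as untrusted depending on alias enumeration order; how the exception is finally handled lies outside the hunk, where only `catch (KeyStoreException e)` is visible. Catching SignatureException and InvalidKeyException per candidate and continuing the loop keeps the result fail-closed while making it independent of keystore order. The helper also matches on names and signature only and never calls `checkValidity()`; whether expiry is enforced elsewhere cannot be seen from this patch and is worth confirming.

```java
// … unchanged: findAlternativeRoot signature, synchronized (store) …
for (Enumeration e = store.aliases(); e.hasMoreElements();) {
	Certificate nextCert = store.getCertificate((String) e.nextElement());
	if (!(nextCert instanceof X509Certificate) || !((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN()))
		continue;
	try {
		cert.verify(nextCert.getPublicKey());
		return nextCert;
	} catch (SignatureException ex) {
		// same subject DN but a different key: try the next keystore entry
	} catch (InvalidKeyException ex) {
		// key does not fit the signature algorithm: try the next keystore entry
	}
}
// … unchanged: return null …
```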