RFR: 8215788: Clarify JarInputStream Manifest access [v11]
Sean Mullan
mullan at openjdk.org
Tue Sep 20 17:55:52 UTC 2022
On Tue, 20 Sep 2022 17:47:03 GMT, Lance Andersen <lancea at openjdk.org> wrote:
>> Please review this PR which updates the JarInputStream class description to clarify when the Manifest is accessible via JarInputStream::getManifest and JarInputStream::get[Jar]Entry.
>>
>> It is worth noting that with this update, we are finally documenting behavior that dates back to when this class was added to JDK 1.2
>>
>>
>> Best,
>> Lance
>
> Lance Andersen has updated the pull request incrementally with one additional commit since the last revision:
>
> More wordsmithing to the signed jar section
src/java.base/share/classes/java/util/jar/JarInputStream.java line 77:
> 75: * {@link JarEntry#getCertificates()} may be called to obtain the certificates
> 76: * for this entry and {@link JarEntry#getCodeSigners()} may be called to obtain
> 77: * the signers.
Now that this API has a section about signed JARs, I think it is very important to include the following sentences which are copied from `JarFile`:
"Please note that the verification process does not include validating the signer's certificate. A caller should inspect the return value of [JarEntry.getCodeSigners()](https://docs.oracle.com/en/java/javase/19/docs/api/java.base/java/util/jar/JarEntry.html#getCodeSigners()) to further determine if the signature can be trusted."
-------------
PR: https://git.openjdk.org/jdk/pull/10045
More information about the core-libs-dev
mailing list