RFE: Patch to fix jar signature verification
Deepak Bhole
dbhole at redhat.com
Mon Jul 13 11:48:41 PDT 2009
* Omair Majid <omajid at redhat.com> [2009-07-13 14:28]:
> Deepak Bhole wrote:
>> Hi,
>>
>> Currently, we use JarInputStream when reading the jar to verify
>> signatures. JarInputStream does not work unless the manifest file is the
>> first file in the jar. As a result, signed jars end up being treated as
>> unsigned, causing those applets to not work.
>>
>> This patch fixes that by using JarFile instead, which does not have the
>> "manifest must be first" restriction.
>>
>> Fixes:
>> http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=325
>> https://bugzilla.redhat.com/show_bug.cgi?id=502318
>>
>> ChangeLog:
>>
>> * plugin/icedtea/sun/applet/PluginMessageConsumer.java: Fix minor typo in
>> how max worker count is interpreted.
>> * rt/net/sourceforge/jnlp/tools/JarSigner.java: use JarFile instead of
>> JarInputStream when verifying jars.
>>
>
> Looks good to me!
>
Thanks! Just realized that I already accidentally committed the changes on
Friday, when I committed the new plugin code. The rt/ directory
is common to both old and new plugins, so it went along with that. I
guess there is nothing to do for this one.
Thanks for reviewing!
Deepak
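
The manifest-ordering behaviour discussed in this thread, as an added example that is not part of the original messages and is not IcedTea's JarSigner code. The class name `ManifestOrderDemo` and the entry `Hello.txt` are assumptions made for illustration, and the jar is a constructed, unsigned sample: `JarInputStream.getManifest()` returns null for it, while `JarFile` finds the manifest and can report per-entry signers once each entry has been read in full.

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;
import java.util.jar.*;
import java.util.zip.*;

public class ManifestOrderDemo {
    // Constructed sample: a jar whose manifest is NOT the first entry.
    static Path buildJar() throws IOException {
        Path jar = Files.createTempFile("manifest-last", ".jar");
        try (ZipOutputStream zos = new ZipOutputStream(Files.newOutputStream(jar))) {
            zos.putNextEntry(new ZipEntry("Hello.txt"));
            zos.write("payload".getBytes("UTF-8"));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry(JarFile.MANIFEST_NAME));
            Manifest mf = new Manifest();
            // Manifest.write() emits nothing unless Manifest-Version is set.
            mf.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
            mf.write(zos);
            zos.closeEntry();
        }
        return jar;
    }

    public static void main(String[] args) throws IOException {
        Path jar = buildJar();
        // Streaming reader: only looks for the manifest at the start of the stream.
        try (JarInputStream jis = new JarInputStream(Files.newInputStream(jar))) {
            System.out.println("JarInputStream manifest: " + jis.getManifest());
        }
        // Random-access reader: locates the manifest through the zip central directory.
        try (JarFile jf = new JarFile(jar.toFile(), true)) {
            System.out.println("JarFile manifest present: " + (jf.getManifest() != null));
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jf.entries())) {
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                // Signer information is populated only after the entry is fully read.
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                // An entry with no code signers must be treated as unsigned.
                System.out.println(e.getName() + " signers: "
                        + Arrays.toString(e.getCodeSigners()));
            }
        } finally {
            Files.delete(jar);
        }
    }
}
```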